IBM OpenPages GRC Platform Version 7.0.0: Administrator s Guide

IBM OpenPages GRC Platform Version 7.0.0: Administrator s Guide
IBM OpenPages GRC Platform
Version 7.0.0
Administrator's Guide
򔻐򗗠򙳰
Note
Before using this information and the product it supports, read the information in “Notices” on page 787.
Product Information
This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Document Release and Update Information . . . . . . . . . . . . . . . . . . . xvii
Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What’s new in IBM OpenPages . . . .
What's changed in IBM OpenPages . . .
About the IBM OpenPages GRC Platform
IBM OpenPages GRC Platform Modules
How the IBM OpenPages GRC Platform
. . . .
. . . .
. . . .
. . . .
Can Help
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3
5
6
6
7
Chapter 2. Administering Users, Groups, and Domains . . . . . . . . . . . . . . . 9
About Users and Groups . . . . . . . . .
Accessing Users, Groups and Domains . . .
Rules for User Names and Passwords . . .
About Administrators . . . . . . . . . .
The Super Administrator . . . . . . . .
Delegating Administrator Permissions . . .
Managing User Accounts . . . . . . . . .
Creating New Users . . . . . . . . .
Associating Existing Users with a Group . .
Disassociating Users from a Group . . . .
Modifying Existing User Accounts. . . . .
Disabling User Accounts . . . . . . . .
Enabling User Accounts . . . . . . . .
Managing Organizational Groups . . . . . .
Creating a New Organizational Group . . .
Disassociating a Group . . . . . . . .
Associating a Group . . . . . . . . .
Configuring Application Permissions . . . . .
Defining Application Permissions . . . . .
Understanding Group Application Permissions
Application Permissions . . . . . . . .
Other Permissions . . . . . . . . . .
Configure Password Behavior . . . . . . .
Configuring Password Policies . . . . . .
Configuring Password Encryption . . . . .
The UPEA Tool . . . . . . . . . . .
Using the UPEA Tool . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 9
. 9
. 10
. 11
. 11
. 12
. 15
. 16
. 17
. 18
. 18
. 19
. 19
. 19
. 20
. 20
. 21
. 21
. 21
. 22
. 22
. 27
. 28
. 29
. 29
. 30
. 32
Chapter 3. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Role-based security model . . . . . . .
Security context points . . . . . . .
Extending security context points . . . .
Security domains . . . . . . . . .
Moving business entities . . . . . . .
Copying business entities . . . . . . .
Role-based access control permissions . .
Role templates . . . . . . . . . .
Security rules . . . . . . . . . . . .
Scenarios for security rules . . . . . .
Defining security rules . . . . . . .
Enabling or disabling a security rule . . .
Validating a formula for a security rule . .
Deleting a security rule . . . . . . .
Custom security for projects . . . . . . .
About the folder hierarchy and inheritance .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
37
39
40
43
44
44
45
47
53
54
60
71
71
72
72
72
iii
Accessing the Access Control page . . . . .
Creating an Access Control List. . . . . . .
Editing an Access Control List . . . . . . .
Deleting an Access Control List. . . . . . .
LDAP user authentication . . . . . . . . .
Supported LDAP servers . . . . . . . . .
Configuring the LDAP Authentication Module .
Setting up mixed-mode authentication . . . .
Configuring a multi-forested LDAP authentication
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
73
73
74
74
74
75
75
78
79
Chapter 4. Using System Admin Mode . . . . . . . . . . . . . . . . . . . . . . 81
About System Administration Mode (SAM) .
Enabling and Disabling System Admin Mode .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 81
. 82
Chapter 5. Managing the Reporting Schema and Framework . . . . . . . . . . . . 83
Administering the Reporting Schema . . . . . . . . . . . . . .
Reporting Schema and Framework Permissions . . . . . . . . .
Accessing the Reporting Schema . . . . . . . . . . . . . .
Updating the Reporting Schema . . . . . . . . . . . . . .
Creating or Re-creating the Reporting Schema . . . . . . . . . .
Populating Past Reporting Periods. . . . . . . . . . . . . .
Enabling and Disabling the Reporting Schema. . . . . . . . . .
Viewing Reporting Schema Operation Details . . . . . . . . . .
Using the Reporting Framework . . . . . . . . . . . . . . .
Accessing the Reporting Framework . . . . . . . . . . . . .
Generating the Reporting Framework . . . . . . . . . . . . .
The IBM OpenPages Reporting Framework V6 . . . . . . . . .
Backward Compatibility with the Legacy Reporting Framework . . . .
About Choosing Update Options in the Reporting Framework . . . .
Regenerating the Reporting Framework . . . . . . . . . . . .
Updating the Reporting Framework . . . . . . . . . . . . .
Viewing Reporting Framework Details . . . . . . . . . . . .
Changing the Administrator Logon Account and Framework Generation .
Configuring Facts and Dimensions . . . . . . . . . . . . . .
Facts and Dimensions . . . . . . . . . . . . . . . . . .
Process Overview . . . . . . . . . . . . . . . . . . .
Enabling and Disabling Facts . . . . . . . . . . . . . . .
Enabling and Disabling Enumeration and Dependent Picklist Dimensions
Using Date Dimension Types . . . . . . . . . . . . . . .
Configuring Recursive Object Levels . . . . . . . . . . . . . .
About Recursive Object Levels . . . . . . . . . . . . . . .
Rules for Defining Sets of Recursive Object Levels . . . . . . . .
Working With Business Entity Recursive Object Levels . . . . . . .
Modifying Recursive Object Levels . . . . . . . . . . . . .
Configuring Object Type Dimensions . . . . . . . . . . . . .
Object Type Dimensions . . . . . . . . . . . . . . . . .
Selecting a Starting Object Type for a Dimension . . . . . . . .
Adding Object Type Dimensions . . . . . . . . . . . . . .
Modifying Object Type Dimensions . . . . . . . . . . . . .
Enabling and Disabling Object Type Dimensions . . . . . . . .
Deleting Object Type Dimensions. . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 83
. 83
. 83
. 84
. 84
. 85
. 85
. 86
. 86
. 87
. 87
. 87
. 88
. 88
. 88
. 89
. 89
. 90
. 91
. 91
. 91
. 91
. 92
. 94
. 97
. 97
. 99
. 99
. 101
. 101
. 101
. 102
. 102
. 103
. 103
. 104
Chapter 6. Business Process Visualizations . . . . . . . . . . . . . . . . . . . 105
Types of visualizations . . . . . . . . . .
Visualizing a Business Entity organization chart .
Visualizing a business process flow . . . . .
Creating a process diagram . . . . . . . . .
Updating process diagrams . . . . . . . .
Process diagrams management . . . . . . .
Modifying a process diagram . . . . . . .
iv
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
106
108
108
110
112
113
113
Copying a process diagram to use as a template. . . . . . .
Changing the status of a process diagram . . . . . . . . .
Exporting a process diagram from an IBM OpenPages environment
Importing a process diagram to an IBM OpenPages environment .
Deleting a process diagram . . . . . . . . . . . . . .
Modifying field properties of a process diagram . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
115
116
116
117
118
119
Chapter 7. Managing Reports . . . . . . . . . . . . . . . . . . . . . . . . . 121
Accessing Reports From the Application User Interface
Supplied Reports . . . . . . . . . . . . .
IBM OpenPages V6 Folder Reports . . . . . .
Adding Reports . . . . . . . . . . . . .
Using the Application User Interface to Add Reports
Working With Reports . . . . . . . . . . .
Understanding Reports . . . . . . . . . .
Locating Report Files . . . . . . . . . . .
Accessing Report Pages and Page Templates . . .
Manually Creating a New Instance of a Report . .
Working with Interactive JSP Reports . . . . .
Restricting Access to Reports . . . . . . . . .
Setting Permissions on JSP and Reports . . . .
Securing Access to the CommandCenter Portal . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
121
121
121
125
126
128
128
129
129
129
134
135
135
136
Chapter 8. Configuring Fields and Field Groups . . . . . . . . . . . . . . . . . 141
Fields and Field Groups . . . . . . . . . . . .
Definition of Fields . . . . . . . . . . . .
Definition of a Field Group That is In Use . . . . .
Accessing the Field Groups Page . . . . . . . .
Process Overview . . . . . . . . . . . . .
Identifying New Fields . . . . . . . . . . .
Considerations When Naming New Fields . . . .
Running the Schema Analysis Report . . . . . .
Adding New Field Groups . . . . . . . . . . .
Adding Field Definitions to a Field Group. . . . . .
Data Types . . . . . . . . . . . . . . . .
Using Currency Data . . . . . . . . . . . . .
Accessing the Currencies Page. . . . . . . . .
Modifying Currency Exchange Rates . . . . . .
Adding and Editing Currency Fields in a Field Group.
Editing Currency Field Values in Individual Accounts .
Modifying Currency Exchange Rates . . . . . .
Modifying Field and Field Group Properties . . . . .
Modifying Field Group Properties . . . . . . .
Modifying Object Field Definitions . . . . . . .
Making Fields Either Required or Optional . . . .
Setting a Default Value for an Object Field . . . .
Creating Computed Fields . . . . . . . . . . .
Process Overview . . . . . . . . . . . . .
Modeling a New Computed Field in Cognos . . . .
Defining a Computed Field. . . . . . . . . .
Importing and Exporting Computed Field Definitions .
Using Computed Fields with Multiple Namespaces .
Nesting Computed Fields . . . . . . . . . .
Troubleshooting Computed Fields . . . . . . .
Modifying Enumerated String Values . . . . . . .
Adding New Enumerated String Values . . . . .
Changing the Order of Enumerated String Values . .
Hiding Enumerated String Values . . . . . . .
Unhiding Enumerated String Values. . . . . . .
Deleting Enumerated String Values . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
141
141
142
142
143
145
147
148
149
149
150
155
155
155
155
157
157
159
159
159
160
161
161
161
162
163
165
165
166
166
169
169
170
170
171
171
Contents
v
Configuring Reporting Fragment Fields . . . . . .
About Reporting Fragment Fields . . . . . . .
Limitations . . . . . . . . . . . . . . .
Planning Considerations for Reporting Fragment Fields
Overview of Configuring Reporting Fragment Fields .
Fields Requiring Parameter Information . . . . .
Defining a Reporting Fragment Field . . . . . .
Configuring Save As Draft Fields . . . . . . . . .
Create a new field group and field . . . . . . .
Configure settings . . . . . . . . . . . . .
Add the field to the object type and profile . . . .
Deleting Field Groups and Definitions . . . . . . .
Deleting Field Groups . . . . . . . . . . .
Deleting an Object Field Definition . . . . . . .
Working with Long String Fields . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
172
172
172
173
173
173
174
178
179
179
180
180
180
181
181
Chapter 9. Managing Object Types . . . . . . . . . . . . . . . . . . . . . . . 183
About Object Types . . . . . . . . . . . .
About Platform Object Types . . . . . . . .
About Property Rendering JSP Files . . . . . .
Accessing Object Types . . . . . . . . . .
Configuring Object Type Properties . . . . . . .
Editing Object Type Properties . . . . . . .
Including Field Groups for an Object Type . . .
Disabling Associations Between Object Types. . .
Enabling Associations Between Object Types . . .
About Object Relationship Types . . . . . . .
Modifying Cardinality Settings . . . . . . .
Configuring File Type Information . . . . . .
Configuring Large Files for Upload . . . . . .
Setting Up Custom Forms . . . . . . . . . .
Process Overview . . . . . . . . . . . .
Adding an Object Type for a Custom Form . . .
Deleting a Custom Object Type . . . . . . .
Associating a Custom Form to an Object Type . .
Managing Filters for an Object Type . . . . . . .
Filter Considerations . . . . . . . . . . .
Adding Filters to Object Types . . . . . . .
Copying Filters . . . . . . . . . . . . .
Modifying Filters . . . . . . . . . . . .
Deleting Filters . . . . . . . . . . . . .
Configuring Dependent Field Behavior . . . . . .
Example . . . . . . . . . . . . . . .
Adding Dependent Fields . . . . . . . . .
Copying Controller Conditions . . . . . . .
Modifying Controllers for a Dependent Field . . .
Enabling and Disabling Field Dependency Behavior
Deleting Dependent Fields . . . . . . . . .
Configuring Dependent Picklists . . . . . . . .
Example . . . . . . . . . . . . . . .
Adding Dependent Picklists . . . . . . . .
Modifying Picklist Dependency Behavior . . . .
Enabling and Disabling Picklist Dependency . . .
Deleting a Dependent Picklist . . . . . . . .
Excluding Fields from a Subsystem . . . . . . .
Adding Fields for Exclusion . . . . . . . .
Changing the Subsystem for an Excluded Field . .
Deleting Excluded Fields . . . . . . . . .
vi
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
183
183
184
185
185
185
186
186
187
188
191
193
194
196
196
196
197
197
198
199
200
205
205
206
206
207
207
209
209
210
210
211
211
211
213
213
213
214
214
215
215
Chapter 10. Managing Profiles . . . . . . . . . . . . . . . . . . . . . . . . . 217
About Profiles . . . . . . . . . . . . . .
Accessing Profiles . . . . . . . . . . . . .
Creating and Managing Profiles . . . . . . . .
Creating a New Profile . . . . . . . . . .
Designating a Default or Fallback Profile . . . .
Editing a Profile . . . . . . . . . . . .
Deleting a Profile . . . . . . . . . . . .
Disabling or Enabling a Profile . . . . . . .
Setting Up Users or Groups with a Profile. . . . .
Associating Users and Groups to a Profile . . . .
Disassociating Users or Groups from a Profile . .
Configuring Object Types in Profiles. . . . . . .
Including Object Types in a Profile . . . . . .
Excluding Object Types From a Profile . . . . .
Configuring Fields for Object Types . . . . . . .
Including and Excluding Fields in an Object Type .
Setting the Global Display Order of Object Types .
Setting a Field in a Profile to Required or Optional .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
217
218
218
218
219
220
220
220
221
221
221
222
222
222
223
223
224
224
Chapter 11. Managing the Home Page and Views for Objects . . . . . . . . . . . . 227
Home Page . . . . . . . . . . . . . . . . . . . . .
The Layout of Tabs on a Home Page . . . . . . . . . . .
Guidelines for Selecting Reports to Run in Tabs . . . . . . . .
Configuring Tabs on the Home Page . . . . . . . . . . . .
Adding New Tabs for Reports or Dashboards . . . . . . . .
Setting the Display Order of Tabs . . . . . . . . . . . .
Hiding and Unhiding Tabs . . . . . . . . . . . . . . .
Deleting Tabs . . . . . . . . . . . . . . . . . . .
Configuring the My Work Tab . . . . . . . . . . . . . . .
Configuring Predefined Lists . . . . . . . . . . . . . .
Filtered lists on the My Work tab . . . . . . . . . . . . .
Configuring Reports . . . . . . . . . . . . . . . . .
Removing items from the My Work tab . . . . . . . . . .
Views for objects . . . . . . . . . . . . . . . . . . .
Navigational views . . . . . . . . . . . . . . . . .
Object views. . . . . . . . . . . . . . . . . . . .
Association Views . . . . . . . . . . . . . . . . . .
Managing Views for Objects . . . . . . . . . . . . . . .
Enabling a View . . . . . . . . . . . . . . . . . .
Disabling a View . . . . . . . . . . . . . . . . . .
Setting a Default View . . . . . . . . . . . . . . . .
Setting the Display Order of Fields in a View. . . . . . . . .
Configuring Views for Objects. . . . . . . . . . . . . . .
Configuring Fields in Navigational and Association Views . . . .
Including and Excluding Object Types on Overview Pages . . . .
Filtered List View and Grid View Pages . . . . . . . . . .
Creating a Grid View . . . . . . . . . . . . . . . . .
Creating Activity Views . . . . . . . . . . . . . . . .
Configuring Fields in Detail and Activity Views . . . . . . . .
Using Section Headings . . . . . . . . . . . . . . . .
Setting Object Fields as Read-Only or Editable . . . . . . . .
Spanning Table Columns . . . . . . . . . . . . . . .
Configuring the Display Type for Reporting Fragment Fields . . . .
Configuring Display Types for Simple String Fields . . . . . . .
Selecting a Display Type for Simple String Fields . . . . . . .
Configuring Rich Text Display Types for Simple Strings . . . . .
Configuring Text and URL Display Types for Simple Strings . . .
Configuring Text Area Display Types for Simple String Data Types .
Configuring User and Group Selector Display Types for Simple Strings
Configuring Display Types for Long String Fields . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Contents
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
227
228
229
229
229
230
230
231
231
232
232
235
238
238
239
241
243
244
244
245
246
247
248
248
250
251
252
254
261
263
264
265
265
266
267
267
268
269
269
274
vii
Selecting a Display Type for Long String Fields . . . . . . . .
Configuring the On Demand Display Types for Long String Fields .
Configuring Text Display Types for Medium Long String Fields . .
Configuring Rich Text Display Types for Medium Long String Fields.
Configuring Display Types for Enumerated Strings . . . . . . . .
Selecting a Display Type for Enumerated Strings . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
274
275
276
276
278
278
Chapter 12. Localizing Text . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Localization Overview . . . . . . . . . . . . . . .
About Locale Codes . . . . . . . . . . . . . . .
Configuring Client Systems to Display Asian Characters . . .
Language and locale support . . . . . . . . . . . .
Localizing Object Text . . . . . . . . . . . . . . .
About Object Text . . . . . . . . . . . . . . . .
Accessing the Object Text Page . . . . . . . . . . .
Modifying Display Text for an Object Type . . . . . . .
Modifying Display Text for Object Fields . . . . . . . .
Modifying Display Text for Public Filters . . . . . . . .
Localizing Application Text. . . . . . . . . . . . . .
About Application Text . . . . . . . . . . . . . .
Accessing the Application Text Page. . . . . . . . . .
About Modifying Display Text in the Application User Interface
Modifying User Display Formats . . . . . . . . . . .
Modifying Navigational Link Formats . . . . . . . . .
Using the Custom Folder . . . . . . . . . . . . . .
About the Custom Folder . . . . . . . . . . . . .
Adding New Keys . . . . . . . . . . . . . . .
Modifying Custom Keys. . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
279
279
279
280
281
281
282
282
283
283
284
284
285
286
286
288
290
290
290
291
Chapter 13. Resetting Objects . . . . . . . . . . . . . . . . . . . . . . . . . 293
Overview of Reporting Periods . . . . . . . . . . . .
About Active Reporting Periods and Operational Limitations .
About Finalized Reporting Periods . . . . . . . . . .
How Reporting Periods and the Reporting Schema Interact . .
How Reporting Periods and ACLs Interact . . . . . . .
How Reporting Periods and Change Histories Interact . . .
Using System Administration Mode with Reporting Periods and
Reporting Period Permissions and Settings . . . . . . .
Creating a New Reporting Period . . . . . . . . . . .
Creating a New Finalized Reporting Period . . . . . . .
Working with the Active Reporting Period . . . . . . . .
Reapplying the Active Reporting Period to a Business Entity .
Finalizing a Reporting Period . . . . . . . . . . . .
Deleting a Reporting Period . . . . . . . . . . . .
Overview of Object Resets . . . . . . . . . . . . . .
Using Object Reset on System Fields . . . . . . . . .
Using Object Reset on Currency Fields . . . . . . . . .
Preparing Your Data . . . . . . . . . . . . . . .
Creating a Ruleset . . . . . . . . . . . . . . . . .
Creating the Ruleset File . . . . . . . . . . . . .
Sample Ruleset . . . . . . . . . . . . . . . . .
The Ruleset Tag Library . . . . . . . . . . . . . .
Loading the Ruleset . . . . . . . . . . . . . . . .
Updating a Ruleset . . . . . . . . . . . . . . .
Performing the Object Reset . . . . . . . . . . . . .
Preparing for the Reset . . . . . . . . . . . . . .
Configuring the Ruleset Parameters . . . . . . . . . .
Using the Object Reset Page . . . . . . . . . . . .
Starting the Object Reset. . . . . . . . . . . . . .
Viewing the Reset Status . . . . . . . . . . . . .
viii
. . .
. . .
. . .
. . .
. . .
. . .
Schemas
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
293
293
293
294
294
294
294
294
295
295
296
296
297
297
298
298
298
299
299
300
300
301
306
307
307
307
307
308
308
308
Viewing the Reset Session Details
Viewing the Reset Session Log .
Exporting Rulesets to an XML File .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 309
. 310
. 310
Chapter 14. Configuring Settings . . . . . . . . . . . . . . . . . . . . . . . . 313
About the Settings Page . . . . . . . . . . . . . . .
Accessing the Settings Page . . . . . . . . . . . .
Applications Folder Settings . . . . . . . . . . . . .
Modifying the Overview View Cache Capacity . . . . . .
Configuring the Browser Cache . . . . . . . . . . .
Displaying the Accessibility Link . . . . . . . . . . .
Displaying or Hiding Field Guidance . . . . . . . . .
Displaying or Hiding System Generated Field Guidance . . .
Setting a Default Object View . . . . . . . . . . . .
Configuring File Check-out . . . . . . . . . . . . .
Configuring the Sort Order of Object List Views By Modification
Modifying the Deletion Interval for a Reporting Period . . .
Showing Hidden Settings . . . . . . . . . . . . .
Configuring Actor Table Page Size . . . . . . . . . .
Selector Display Type Settings . . . . . . . . . . . .
Configuring Menus . . . . . . . . . . . . . . .
Auto-Naming Settings . . . . . . . . . . . . . .
Signature and Lock Settings . . . . . . . . . . . .
Settings That Apply to Environment Migration . . . . . .
Reporting Fragment Settings . . . . . . . . . . . .
Notification Manager Mail Server Settings . . . . . . . .
Object Reset Settings . . . . . . . . . . . . . . .
Configuring Object View Settings. . . . . . . . . . .
Optimizing File Uploads . . . . . . . . . . . . .
Creating and Deleting Custom Settings . . . . . . . . . .
Enabling the Creation and Deletion of New Settings . . . .
Creating a New Setting . . . . . . . . . . . . . .
Deleting a Setting . . . . . . . . . . . . . . . .
Common Folder Settings . . . . . . . . . . . . . .
Excluding Characters From User Names . . . . . . . .
Setting the System Security Model . . . . . . . . . .
Disabling Access Control on Role Groups . . . . . . . .
Platform Folder Settings . . . . . . . . . . . . . . .
Setting Localization Options . . . . . . . . . . . .
Configuring Primary Associations . . . . . . . . . .
Configuring the legacy move behavior . . . . . . . . .
Reporting Framework V6 Generation Settings . . . . . .
Reporting Framework Configuration Settings. . . . . . .
Reporting Schema Settings . . . . . . . . . . . . .
Workflow Settings . . . . . . . . . . . . . . . .
Configuring Security Settings . . . . . . . . . . . .
User Preferences Folder Settings . . . . . . . . . . . .
Setting Alert Notification Behavior . . . . . . . . . .
Copy Settings . . . . . . . . . . . . . . . . . .
Setting Copy Operations . . . . . . . . . . . . .
Cross-Context Sharing . . . . . . . . . . . . . .
Self-Contained Object Type Settings . . . . . . . . . . .
About Self-Contained Object Types . . . . . . . . . .
Configuring Settings for Self Contained Object Types . . . .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
Date
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
313
313
313
314
314
314
315
315
316
316
317
317
318
318
318
321
324
327
335
336
337
338
340
344
344
344
345
345
346
346
346
347
347
347
348
349
350
357
359
361
364
366
366
367
367
368
370
370
371
Chapter 15. Using IBM OpenPages Utilities with IBM DB2 . . . . . . . . . . . . . 373
About IBM DB2 and the OpenPages Backup and Restore Utilities .
Configuring Email Notification for Backup Jobs . . . . . . .
About Email Notification . . . . . . . . . . . . .
Configuring Backup Job Notification . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Contents
.
.
.
.
373
373
373
374
ix
Running Asynchronous Background Jobs and Administrative Functions . . . .
Enabling and Disabling Asynchronous Background Processes Checking . . .
Using the IBM OpenPages Backup Utility . . . . . . . . . . . . . .
Backing Up Custom OpenPages Files . . . . . . . . . . . . . .
Running the OPBackup Command . . . . . . . . . . . . . . .
Running a Live OpenPages Backup . . . . . . . . . . . . . . . .
About OPBackup Generated Files . . . . . . . . . . . . . . . .
About IBM OpenPages Backed-Up Content . . . . . . . . . . . .
About the OPBackup Log File . . . . . . . . . . . . . . . . .
Configuring OPBackup to Use GZIP. . . . . . . . . . . . . . .
Enabling and Disabling Storage Backup . . . . . . . . . . . . . .
Using the IBM OpenPages Restore Utility . . . . . . . . . . . . . .
Running the OPRestore Command . . . . . . . . . . . . . . .
About OPRestore Log Files . . . . . . . . . . . . . . . . . .
Using the Cognos Backup Utility . . . . . . . . . . . . . . . . .
Running the OPCCBackup Command . . . . . . . . . . . . . .
About OPCCBackup Generated Files . . . . . . . . . . . . . .
Using the Cognos Restore Utility . . . . . . . . . . . . . . . . .
Running the OPCCRestore Command . . . . . . . . . . . . . .
About OPCCRestore Log Files. . . . . . . . . . . . . . . . .
Backing up and Restoring IBM DB2 Databases for OpenPages . . . . . . .
Restoring Backed up Production Data in a New Environment . . . . . . .
Refreshing a Test Environment from Backup Files . . . . . . . . . . .
Prerequisites. . . . . . . . . . . . . . . . . . . . . . .
Back up Production Databases in OpenPages on the DB2 Server . . . . .
Back Up and Copy IBM OpenPages Application Production Files . . . . .
Back up Databases in OpenPages on the Test Server . . . . . . . . .
Back Up IBM OpenPages Application Files on Your Test Server . . . . .
Back Up Workflow Properties in the Test Environment . . . . . . . .
Drop the DB2 Database for the Application on the Test System . . . . . .
Copy and Restore the Application Production Database Backup File to the Test
Update the OpenPages Storage Location in the Database . . . . . . . .
Update Workflow Properties in the Test Environment . . . . . . . . .
Import Properties Specific to Cluster Members in Your Test Environment . .
Update Cognos Data in the Test Environment . . . . . . . . . . .
Modify SSO and LDAP Configuration in the Test Environment . . . . . .
Copy Custom Deliverables to the Test Environment . . . . . . . . .
Start OpenPages and Workflow Servers in the Test Environment . . . . .
Update URL Host Pointers for Cognos Reports . . . . . . . . . . .
Utilities for Filtering on Long String Field Content . . . . . . . . . . .
Install and Configure DB2 Text Search . . . . . . . . . . . . . .
Enable DB2 Text Search . . . . . . . . . . . . . . . . . . .
Create a Long String Index . . . . . . . . . . . . . . . . . .
Create a Schedule Job to Synchronize a Long String Index . . . . . . .
Drop a Long String Index . . . . . . . . . . . . . . . . . .
Entity Move/Rename Utility . . . . . . . . . . . . . . . . . .
Prerequisites. . . . . . . . . . . . . . . . . . . . . . .
Configuring the Entity Move/Rename utility . . . . . . . . . . . .
Prepare the input file for the Entity Move/Rename utility . . . . . . .
Running the Entity Move/Rename utility interactively . . . . . . . .
Running the Entity Move/Rename utility as a scheduled task . . . . . .
Impact of the Entity Move/Rename utility on the OpenPages application . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
Database
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
Server
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
375
377
378
378
379
379
380
380
381
381
381
382
382
383
383
384
384
385
386
386
387
388
390
391
391
391
391
391
392
392
393
393
395
396
397
399
399
401
401
401
402
404
405
407
409
410
410
410
411
413
413
414
Chapter 16. Using Utilities with Oracle Database . . . . . . . . . . . . . . . . . 415
About Oracle Database and the OpenPages Backup and Restore Utilities
Prerequisite: Oracle Admin Client . . . . . . . . . . . .
About Oracle Data Pump . . . . . . . . . . . . . . .
Configuring Email Notification for Backup Jobs . . . . . . . . .
About Email Notification . . . . . . . . . . . . . . .
Configuring Backup Job Notification . . . . . . . . . . .
Running Asynchronous Background Jobs and Administrative Functions .
x
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
415
415
415
416
416
416
418
Enabling and Disabling Asynchronous Background Processes Checking . . .
Encrypting Database Passwords in the Backup-Restore Utility Environment Files.
Using the IBM OpenPages Backup Utility . . . . . . . . . . . . . .
Modifying the Backup-Restore Environment File . . . . . . . . . .
Backing Up Custom OpenPages Files . . . . . . . . . . . . . .
Running the OPBackup Command . . . . . . . . . . . . . . .
Running a Live OpenPages Backup . . . . . . . . . . . . . . .
About OPBackup Generated Files . . . . . . . . . . . . . . .
Enabling and Disabling Storage Backup . . . . . . . . . . . . .
Using the IBM OpenPages Restore Utility . . . . . . . . . . . . . .
Running the OPRestore Command . . . . . . . . . . . . . . .
About OPRestore Log Files . . . . . . . . . . . . . . . . . .
Using the Cognos Backup Utility . . . . . . . . . . . . . . . . .
About Configuring Oracle Data Pump on First Time Use . . . . . . . .
About the OpenPages File Storage Directory . . . . . . . . . . . .
Configuring or Updating the Oracle Data Pump Directory . . . . . . .
Running the OPCCBackup Command . . . . . . . . . . . . . .
About OPCCBackup Generated Files . . . . . . . . . . . . . .
Using the Cognos Restore Utility . . . . . . . . . . . . . . . . .
Running the OPCCRestore Command . . . . . . . . . . . . . .
About OPCCRestore Log Files. . . . . . . . . . . . . . . . .
Using Oracle Online Database Backup (RMAN) for Point-In-Time Recovery . .
About Oracle Online Database Backups . . . . . . . . . . . . .
Running Oracle Online Database Backups (RMAN) . . . . . . . . .
Managing the Backup Area . . . . . . . . . . . . . . . . . .
Disabling Online Backup of the Database Instance . . . . . . . . . .
Performing Oracle Online Database Crash Recoveries . . . . . . . . .
Refreshing a Test Environment from Backup Files . . . . . . . . . . .
Back Up and Copy IBM OpenPages Application Production Data . . . . .
Back Up IBM OpenPages Application Test Data . . . . . . . . . . .
Back Up Workflow Properties in the Test Environment . . . . . . . .
Delete Data on the Test Database System . . . . . . . . . . . . .
Copy the Production Database Dump (.dmp) File to the Test Database Server .
Import the Production Data into the Test Environment . . . . . . . .
Update the OpenPages Storage Location in the Database . . . . . . . .
Update the Workflow Database in the Test Environment . . . . . . . .
Import Properties Specific to Cluster Members in Your Test Environment . .
Update Cognos Data in the Test Environment . . . . . . . . . . .
Modify SSO and LDAP Configuration in the Test Environment . . . . . .
Copy Custom Deliverables to the Test Environment . . . . . . . . .
Start OpenPages and Workflow Servers in the Test Environment . . . . .
Update URL Host Pointers for Cognos Reports . . . . . . . . . . .
Workflow Purge Utility . . . . . . . . . . . . . . . . . . . .
Running the Workflow Purge Utility . . . . . . . . . . . . . .
Impact of the Workflow Purge Utility . . . . . . . . . . . . . .
Utilities for Filtering on Long String Field Content . . . . . . . . . . .
Enable Oracle Text. . . . . . . . . . . . . . . . . . . . .
Create a Long String Index . . . . . . . . . . . . . . . . . .
Create a Schedule Job to Synchronize a Long String Index . . . . . . .
Drop a Long String Index . . . . . . . . . . . . . . . . . .
Modifying the List of Stop Words . . . . . . . . . . . . . . .
String Concatenation Utility . . . . . . . . . . . . . . . . . .
Running String Concatenation . . . . . . . . . . . . . . . . .
About the String Concatenation SQL File . . . . . . . . . . . . .
Entity Move/Rename Utility . . . . . . . . . . . . . . . . . .
Prerequisites. . . . . . . . . . . . . . . . . . . . . . .
Configuring the Entity Move/Rename utility . . . . . . . . . . . .
Prepare the input file for the Entity Move/Rename utility . . . . . . .
Running the Entity Move/Rename Utility interactively . . . . . . . .
Running the Entity Move/Rename utility as a scheduled task . . . . . .
Impact of the Entity Move/Rename utility on the OpenPages application . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Contents
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
419
420
421
422
423
423
424
426
427
428
428
429
429
429
430
430
431
432
433
433
434
434
435
435
441
443
443
443
444
444
444
445
445
446
448
450
451
452
456
456
457
457
458
458
460
460
461
462
463
464
465
466
466
468
472
472
473
474
475
476
476
xi
Chapter 17. System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . 477
Changing Default Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . .
Check Port Number Availability . . . . . . . . . . . . . . . . . . . . . . . . .
Changing OpenPages Application Ports for an Oracle WebLogic Server Environment . . . . . . .
Changing OpenPages Application Ports for an IBM WebSphere Application Server Environment . . .
Change Port Numbers for the Workflow Server . . . . . . . . . . . . . . . . . . . .
Changing the OpenPages Framework Generation Port. . . . . . . . . . . . . . . . . .
Application server names . . . . . . . . . . . . . . . . . . . . . . . . . . .
Restart Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Update the Reporting Schema and Framework . . . . . . . . . . . . . . . . . . . .
Updating URL Host Pointers for Reports . . . . . . . . . . . . . . . . . . . . . . .
Auditing Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . .
Accessing the Configuration Audit Report . . . . . . . . . . . . . . . . . . . . . .
The Configuration Audit Report . . . . . . . . . . . . . . . . . . . . . . . . .
Changing Passwords and IP Addresses . . . . . . . . . . . . . . . . . . . . . . . .
Changing Password References . . . . . . . . . . . . . . . . . . . . . . . . .
Oracle WebLogic - Changing the Password for the IBM OpenPages and Workflow Accounts . . . . .
IBM WebSphere - Changing the Password for the IBM OpenPages and Workflow Administrator Account
Oracle WebLogic - Changing the Workflow Server Multicast IP Address. . . . . . . . . . . .
Oracle Database - Updating the Oracle Enterprise Manager Database Control Tool . . . . . . . .
Changing the IP Address of an Application Server . . . . . . . . . . . . . . . . . . .
Changing Database References . . . . . . . . . . . . . . . . . . . . . . . . . .
Modify the Connection URL for the JDBC Data Source . . . . . . . . . . . . . . . . .
Modify Database References in the Application Configuration Files . . . . . . . . . . . . .
Modify Database Connection References for the Reporting Server . . . . . . . . . . . . . .
Working With Cluster Members . . . . . . . . . . . . . . . . . . . . . . . . . .
Adding Vertical Cluster Members to an Existing Installation in an Oracle WebLogic Environment . . .
Adding Vertical Cluster Members to an Existing Installation in an IBM WebSphere Environment . . .
Adding Members to a Horizontal Cluster . . . . . . . . . . . . . . . . . . . . . .
Configuring Global Administration Security in IBM WebSphere . . . . . . . . . . . . . . .
Enabling Global Administration Security . . . . . . . . . . . . . . . . . . . . . .
Changing the IBM WebSphere Administrator User Account Password . . . . . . . . . . . .
SSL for OpenPages GRC Platform environments. . . . . . . . . . . . . . . . . . . . .
Accessing the IBM OpenPages Application Using SSL . . . . . . . . . . . . . . . . . .
SSL configuration for WebLogic Application Server. . . . . . . . . . . . . . . . . . .
SSL configuration for WebSphere Application Servers . . . . . . . . . . . . . . . . . .
SSL configuration for Microsoft Internet Information Services . . . . . . . . . . . . . . .
SSL configuration for Apache Web Server . . . . . . . . . . . . . . . . . . . . . .
SSL Configuration of the OpenPages Properties Files . . . . . . . . . . . . . . . . . .
SSL configuration on AIX and Linux load balancer server . . . . . . . . . . . . . . . .
SSL configuration for an Apache load balancer server in Windows environments . . . . . . . . .
Modifying the LDAP configuration file for LDAP over SSL . . . . . . . . . . . . . . . .
Renewing SSL Certificates for IBM OpenPages . . . . . . . . . . . . . . . . . . . .
Renewing SSL Certificates for Cognos . . . . . . . . . . . . . . . . . . . . . . .
Renewing SSL Certificates in an IBM HTTP Server Environment . . . . . . . . . . . . . .
Configuring HTTP Compression in OpenPages . . . . . . . . . . . . . . . . . . . . .
Enabling or Disabling HTTP Compression on IBM OpenPages Application Servers . . . . . . . .
Enabling or Disabling HTTP Compression on the Cognos Server . . . . . . . . . . . . . .
Using Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Application Thread-Dump Logs for Cluster Members . . . . . . . . . . . . .
Configuring Extended Access Logging . . . . . . . . . . . . . . . . . . . . . . .
IBM OpenPages Standard Application Server Log Files . . . . . . . . . . . . . . . . .
Oracle WebLogic Administrative Server and Cluster Member Log Files . . . . . . . . . . . .
IBM WebSphere DMGR Server, Node Agent, and Cluster Member Log Files . . . . . . . . . .
Workflow Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Changing the size and number of backups of the aurora log file . . . . . . . . . . . . . .
Troubleshooting Browser Issues . . . . . . . . . . . . . . . . . . . . . . . . . .
Microsoft Windows Internet Explorer Browser Issues . . . . . . . . . . . . . . . . . .
CSV View Report Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Browser Locale Settings and Messaging Issues . . . . . . . . . . . . . . . . . . . .
Browser Security Issues and Best Practices. . . . . . . . . . . . . . . . . . . . . .
xii
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
477
477
477
484
492
503
504
504
504
504
505
505
506
507
507
512
514
515
515
516
517
518
520
522
524
524
538
551
552
552
556
558
559
559
568
573
576
578
578
581
583
585
588
591
591
592
592
595
595
596
598
600
601
602
604
605
605
606
606
606
Optimizing Application Performance in the Internet Explorer Browser .
Setting the Cognos Application Firewall (CAF) for Browser Security . .
Setting a Session Inactivity Timeout Value . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 609
. 609
. 610
Chapter 18. Starting and Stopping Servers. . . . . . . . . . . . . . . . . . . . 613
Starting and Stopping OpenPages Application Servers. . . . . . . . . . . . . . . . . . . .
About Services and Scripts Used by the OpenPages Application . . . . . . . . . . . . . . .
About Starting Application Servers . . . . . . . . . . . . . . . . . . . . . . . . .
Starting OpenPages in a Windows Environment . . . . . . . . . . . . . . . . . . . . .
Starting OpenPages in an AIX and Linux Environment . . . . . . . . . . . . . . . . . .
Stopping IBM OpenPages Application Servers . . . . . . . . . . . . . . . . . . . . .
Stopping OpenPages in a Windows Environment . . . . . . . . . . . . . . . . . . . .
Stopping OpenPages in an AIX and Linux Environment . . . . . . . . . . . . . . . . . .
Starting and Stopping the Database Server . . . . . . . . . . . . . . . . . . . . . . .
Starting and Stopping the Database Server in a Windows Environment . . . . . . . . . . . . .
Starting and Stopping the Database Server in an AIX and Linux Environment . . . . . . . . . . .
Starting and Stopping the Cognos Services . . . . . . . . . . . . . . . . . . . . . . .
Using the IBM Cognos Configuration Tool to Start and Stop the IBM Cognos Service . . . . . . . .
Using the Windows Operating System to Start and Stop the IBM Cognos Service. . . . . . . . . .
Using the AIX or Linux Operating System to Start and Stop IBM Cognos Service. . . . . . . . . .
Using the Windows Operating System to Start and Stop the OpenPages Framework Model Generator Service
Using the AIX or Linux Operating System to Start and Stop the OpenPages Framework Model Generator
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
613
613
615
616
617
619
619
621
622
622
623
623
623
624
624
625
. 625
Chapter 19. Migrating IBM OpenPages Environments . . . . . . . . . . . . . . . 627
About Migrating IBM OpenPages Environments. . . . . . .
Settings That Apply to Environment Migration . . . . . . .
Supported Migration Items . . . . . . . . . . . . . .
About Exporting Dependencies . . . . . . . . . . .
About Import Validation . . . . . . . . . . . . .
Items Not Migrated . . . . . . . . . . . . . . .
Item Dependencies Not Migrated by Default . . . . . . .
Environment Migration Best Practices . . . . . . . . . .
The Environment Migration Process . . . . . . . . . . .
Exporting Configuration Items from the Source Environment . .
Importing Configuration Items to the Target Environment . . .
Configuring Environment Migration to Allow Special Characters
Validating the Migration File . . . . . . . . . . . .
Performing the Import for Environment Migration . . . . .
About Migration Reports . . . . . . . . . . . . . .
Log Summary Migration Report . . . . . . . . . . .
Log Details Migration Report . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
627
627
628
629
630
631
633
633
634
634
635
636
636
637
639
639
639
Chapter 20. Using the ObjectManager Tool. . . . . . . . . . . . . . . . . . . . 641
About the ObjectManager Tool . . . . . . .
Working With Loader Files . . . . . . . . .
Understanding Loader File Naming Conventions
Creating a Data Loader File . . . . . . .
Running ObjectManager Commands . . . . .
About the ObjectManager Command File . . .
ObjectManager Command Line Parameters . .
Interactive Command Line Loader File Syntax .
Batch Mode Loader File Syntax . . . . . .
Using ObjectManager to move objects . . . .
Using ObjectManager to rename objects . . .
Modifying the ObjectManager Properties File. . .
Settings in the ObjectManager.properties File . . .
Controlling Data Load Behavior . . . . . . .
Managing Currency Exchange Rates. . . . . .
About Updating Currency Exchange Rates . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Contents
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
641
641
641
642
643
643
643
644
645
646
648
649
650
655
656
656
xiii
Importing Exchange Rates . . . . . . . . . . . .
Exporting All Currency Exchange Rates . . . . . . .
Enabling and Disabling Currencies . . . . . . . . .
Importing and Exporting Currency Field Definitions . . . .
Importing Currency Field Definitions . . . . . . . .
Exporting Currency Field Definitions . . . . . . . .
Importing and Exporting Computed Field Definitions . . . .
Importing Computed Field Definitions . . . . . . . .
Exporting Computed Field Definitions . . . . . . . .
Migrating Configuration Changes Using the ObjectManager Tool
About Multi-deployment Environments . . . . . . .
About the Migration Process . . . . . . . . . . .
Modifying ObjectManager Settings . . . . . . . . .
Migrating Configuration Changes . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
656
657
657
658
658
659
659
659
660
661
661
661
662
664
Chapter 21. Managing Workflows . . . . . . . . . . . . . . . . . . . . . . . . 669
Starting Jobs from Objects . . . . . . . . . . . .
Starting a Job from an IBM OpenPages Object . . . .
Monitoring Job Progress . . . . . . . . . . . .
Managing Jobs . . . . . . . . . . . . . . . .
Accessing the Jobs Page . . . . . . . . . . . .
About the Jobs Page . . . . . . . . . . . . .
Filtering Jobs . . . . . . . . . . . . . . .
Terminating Jobs . . . . . . . . . . . . . .
Managing Tasks . . . . . . . . . . . . . . .
Accessing the Tasks Page . . . . . . . . . . .
About the Tasks Page . . . . . . . . . . . .
Filtering Tasks . . . . . . . . . . . . . . .
Reassigning a Task . . . . . . . . . . . . .
Managing Job and Task Attachments . . . . . . . .
Managing IBM OpenPages Workflow Groups . . . . .
Deploying a Business Calendar on the Workflow Server . .
Configuring E-mail for Workflows . . . . . . . . .
Setting Up an E-Mail Server . . . . . . . . . .
Disabling Standard Task E-mails . . . . . . . . .
Using the Job Launch Manager . . . . . . . . . .
About the Job Launch Manager Command File . . . .
Job Launch Manager Syntax . . . . . . . . . .
Configuring the Job Launch Manager . . . . . . .
Remediating Jobs . . . . . . . . . . . . . . .
Overview of the Remediation Process . . . . . . .
Setting Up Remediation Notifications and Actions . . .
Remediating the Job in Error . . . . . . . . . .
Access the Job in Error in the Workflow Console . . . .
Identify and Resolve the Error. . . . . . . . . . .
Reactivate the Nodes in Error . . . . . . . . . . .
Alternate Methods for Accessing Jobs in Error in Workflow
Troubleshooting Workflows. . . . . . . . . . . .
Setting Up Job Remediation E-mails . . . . . . . .
About Interstage BPM Studio Error Logs . . . . . .
About IBM OpenPages Workflow Runtime Error Logs. .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
Console
. . .
. . .
. . .
. . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
669
669
669
670
670
670
670
671
672
672
672
672
673
674
674
675
675
676
677
677
678
678
679
684
684
684
687
687
688
688
689
689
689
690
691
Chapter 22. Using FastMap . . . . . . . . . . . . . . . . . . . . . . . . . . 693
FastMap Overview . . . . . . . . . . . .
About FastMap Templates . . . . . . . . .
About the Data Validation Process . . . . . .
About Localization . . . . . . . . . . .
Using FastMap to Import Data . . . . . . . .
Accessing FastMap to Import Data and View Status
Importing a FastMap Data Load Template . . . .
xiv
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
693
694
695
695
696
696
696
Resolving Validation Errors. . . . . . . . . . . . . . . .
Understanding Validation Errors . . . . . . . . . . . . .
Troubleshooting the Conflict with Recent Updates Warning Message .
Troubleshooting FastMap Validation Messages . . . . . . . .
Viewing Import Status . . . . . . . . . . . . . . . . .
Using the FastMap Import Status Report Window . . . . . . .
Understanding Import Status Messages. . . . . . . . . . .
Creating FastMap Import Templates . . . . . . . . . . . . .
About the Data Exported to a Workbook . . . . . . . . . .
An Overview of the FastMap Import Process . . . . . . . . .
Working With Data Load Worksheets . . . . . . . . . . . .
Defining Paths for Objects . . . . . . . . . . . . . . .
Using Special Column Headings . . . . . . . . . . . . .
Defining Property Fields for Objects . . . . . . . . . . . .
Guidelines for Entering Object Data into Templates. . . . . . .
About Adding Custom Columns and Worksheets . . . . . . .
Sample Worksheets . . . . . . . . . . . . . . . . .
Using the Definition Worksheet . . . . . . . . . . . . . .
About the Definition Worksheet . . . . . . . . . . . . .
Unhiding a Definition Worksheet . . . . . . . . . . . . .
Configuring FastMap . . . . . . . . . . . . . . . . . .
About FastMap Parameters . . . . . . . . . . . . . . .
About Export Templates . . . . . . . . . . . . . . . .
FastMap Parameters for Importing and/or Exporting Data . . . .
Configuring a Lookup Key for FastMap . . . . . . . . . .
Optimizing FastMap Performance . . . . . . . . . . . .
Configuring Security and Cleanup for FastMap Import Templates . .
AFCON-generated FastMap Template Best Practices . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
697
697
698
698
703
703
704
705
705
706
707
707
707
708
709
710
710
713
714
714
714
714
715
716
722
723
725
726
Appendix A. The Notification Manager. . . . . . . . . . . . . . . . . . . . . . 727
Overview of the Notification Manager . . .
Why would I use Notifications? . . . .
About Using the Notification Manager . . .
Exploring the Notification Reports . . .
Requirements for Setting Up a Notification
Tasks for Setting Up a Notification . . .
Results of Running a Notification Report .
Setting Up a Notification . . . . . . .
Task 1: Prepare Your Data . . . . . .
Task 2: Create the Notification . . . . .
Task 3: Trigger the Notification . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
727
727
727
727
728
728
728
728
728
729
739
Appendix B. Installing and Configuring HTTP Compression . . . . . . . . . . . . 743
Installing HTTP Compression . .
Configuring HTTP Compression .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 743
. 743
Appendix C. Legacy Reporting Framework Generation Settings. . . . . . . . . . . 747
About Namespaces in the Legacy Reporting Framework . . . . . . . . .
Defining a New Non-Default Namespace in the Legacy Reporting Framework .
About Legacy Reporting Framework Custom Namespace Names . . . . .
Adding a New Non-Default Namespace to the Legacy Reporting Framework .
Editing an Existing Legacy Reporting Framework Namespace . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
747
748
748
748
750
Appendix D. Non-Role Based Access Control . . . . . . . . . . . . . . . . . . 751
About Non-Role Based Access Controls .
Using ACLs with Top-Level Folders . . .
The Object Folder Structure . . . . .
Accessing the Access Control Page . . .
Using Inheritance with Access Control Lists
Breaking Inheritance . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Contents
.
.
.
.
.
.
751
751
751
752
752
753
xv
Creating a New ACL on a Folder. . . . . . .
Editing an Existing ACL. . . . . . . . . .
Deleting an Existing ACL . . . . . . . . .
Using Groups to Establish User Roles . . . . .
The "Core" IBM OpenPages Governance Platform
Example: Using Groups to Establish User Roles .
Using Groups to Limit User Activities . . . . .
The Executive Team . . . . . . . . . .
The Regional Teams . . . . . . . . . .
The Site Teams . . . . . . . . . . . .
Using Nested Groups to Limit User Scope. . . .
Task 1: Breaking Folder Inheritance . . . . .
Task 2: Nesting Your User Groups . . . . .
Task 3: Setting Folder Access Control Lists . .
Using Group ACLs to Traverse Business Entities .
. . .
. . .
. . .
. . .
5.1x (and
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
earlier)
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
Groups
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
754
754
755
755
755
756
756
757
757
758
758
758
759
760
761
Appendix E. Using the DataMart Reporting Schema . . . . . . . . . . . . . . . . 763
Overview. . . . . . . . . . . . . . . .
Configuring the Reporting Metadata . . . . . .
Configuration Tables . . . . . . . . . . .
Reporting Schema Scripts . . . . . . . . .
Customizing the Reporting Schema Configuration .
Supported Macro Keywords . . . . . . . .
Populating the Reporting Schema . . . . . .
Exporting Data to the Reporting Database Instance .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
763
763
763
764
765
765
766
769
Appendix F. Troubleshooting and support for IBM OpenPages GRC Platform . . . . . 771
Techniques for troubleshooting problems . . . . . . . . . . . . . .
Searching knowledge bases . . . . . . . . . . . . . . . . . . .
Getting fixes. . . . . . . . . . . . . . . . . . . . . . . .
Contacting IBM Support. . . . . . . . . . . . . . . . . . . .
Exchanging information with IBM . . . . . . . . . . . . . . . .
Sending information to IBM Support . . . . . . . . . . . . . .
Receiving information from IBM Support . . . . . . . . . . . . .
Subscribing to Support updates . . . . . . . . . . . . . . . . .
Known problems and solutions for visualizations . . . . . . . . . . .
Rendering a visualization generates "Stop running this script?" error message .
Cannot read labels on a Business Entity diagram . . . . . . . . . .
Diagrams cannot be rendered during Active Reporting Periods. . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
771
773
774
774
775
775
776
776
777
777
778
778
Appendix G. Best practices for configuring the IBM OpenPages GRC Platform . . . . 781
Use short field names and field group names. . . . . . . . .
Limit the number of objects in views . . . . . . . . . . .
Limit the number of associations in the Overview . . . . . . .
Limit activity views with field dependencies and dependent picklists
Be aware of shared field groups . . . . . . . . . . . . .
Eliminate unused object type relationships . . . . . . . . .
Display reporting fragments only on demand . . . . . . . .
Display Cognos reports on home page tabs . . . . . . . . .
Set a minimal starting group for display types . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
781
781
782
782
783
783
784
784
785
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
xvi
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Document Release and Update Information
This topic lists information about this document and where updates to this
document can be found.
Document Release Information
Software Version: 7.0
Document Published: December 2013
Documentation Updates
Supplemental documentation is available on the web. Go to the IBM® OpenPages®
GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/
v7r0m0/index.jsp).
xvii
xviii
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 1. Introduction
This document is intended for use with IBM OpenPages GRC Platform. The
information includes instructions for maintaining, configuring, and administering
the IBM OpenPages GRC Platform application.
Topics that are covered include user and group administration, database backup
and restoration, customizing the application’s look and feel, using the data loader
capabilities, and more.
Audience
This document is intended for use by OpenPages administrators. An administrator
must have a background in Systems Management.
Finding information
To find IBM OpenPages GRC Platform product documentation on the web,
including all translated documentation, access the IBM OpenPages GRC Platform
Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp).
Release Notes are published directly to the Information Center, and include links
to the latest technotes and APARs.
Accessibility features
Accessibility features help users who have a physical disability, such as restricted
mobility or limited vision, to use information technology products.
IBM HTML documentation has accessibility features. PDF documents are
supplemental and, as such, include no added accessibility features.
Database tool information
The IBM OpenPages GRC Platform supports both the IBM DB2® database and the
Oracle Database.
v To run IBM OpenPages SQL scripts, you must use CLPPlus with IBM DB2, and
SQL*Plus with Oracle Database.
v To run queries, you can use any SQL tool that is compatible with the database.
For example, you could use CLPPlus or Optim™ Development Studio to run
queries on the IBM DB2 database.
Documentation conventions
To illustrate screen displays, menu items, product displays, information that you
enter, the following typographic conventions are used:
Table 1. Typographic conventions used in this document
Convention
Meaning
KEYWORD
Keywords of SQL or some other programming languages and
environment variables are displayed in uppercase letters in a
serif font.
1
Table 1. Typographic conventions used in this document (continued)
Convention
Meaning
italics
Variables that represent an object or entity that you replace
with specific information.
Note: To avoid confusion, in some situations, angle brackets
enclose variables.
< text>
bold
Names of interface elements (such as icons, menu items, and
buttons) are displayed in bold.
monospace
Information that the product displays and information that you
enter is displayed in a monospace typeface.
>
This symbol indicates a menu item. For example,
"Administration > Profiles" means choose the Profiles item
from the Administration menu.
The installation directory is the location of product artifacts after a package,
product, or component is installed. The following table lists the conventions that
are used to refer to the installation location of installed components and products.
Table 2. Typographic conventions for installation directories
Directory
Meaning
OP_Home
The installation directory where OpenPages GRC Platform is
installed.
For example:
v on Microsoft Windows operating systems: c:\OpenPages
v on AIX® and Linux operating systems: /opt/OpenPages
Workflow_Home
The installation location of the Fujitsu Interstage BPM server.
For example:
v on Windows operating systems, C:\Fujitsu\InterstageBPM
v on AIX and Linux operating systems, /opt/Fujitsu/
InterstageBPM
ORACLE_Home
The installation location of the Oracle database server.
For example, if you purchased Oracle database software from
IBM and the database and application servers are on the same
machine:
v on Windows operating systems, C:\openpages_data\
repository\server112_se_x64\software
v on AIX and Linux operating systems, /opt/oracle/
openpages_data/server112_se_x64/software
DB2_Home
The installation location of the DB2 software.
For example:
v on Windows operating systems, C:/IBM/SQLLIB
Note: Directory names that contain spaces, such as Program
Files, are not supported.
v on AIX and Linux operating systems, /home/db2inst1/sqllib
2
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 2. Typographic conventions for installation directories (continued)
Directory
Meaning
Cognos_Home
The installation location of Cognos® Business Intelligence.
For example:
v on Windows operating systems, C:\OpenPages\Cognos\
cognos\c10_64
v on AIX and Linux operating systems, /opt/OpenPages/
Cognos/cognos/c10_64
JAVA_Home
The installation location of your Java™ Runtime Environment
(JRE) or your Java Development Kit (JDK).
JDK example:
v on Oracle WebLogic Server, C:\Program Files\java\
jdk1.6.0_24
v on IBM WebSphere® Application Server:
– on Windows operating systems, C:\IBM\WebSphere\
AppServer\java
– on AIX and Linux operating systems,
/opt/IBM/WebSphere/AppServer/java
JRE example:
v on Oracle WebLogic Server, C:\OpenPages\jre
v on IBM WebSphere Application Server:
– on Windows operating systems, C:\IBM\WebSphere\
AppServer\java\jre
– on AIX and Linux operating systems,
/opt/IBM/WebSphere/AppServer/java/jre
CommandCenter_Home
The installation location of OpenPages CommandCenter.
CC_Home
For example:
v on Windows operating systems, C:\OpenPages\CommandCenter
v on AIX and Linux operating systems, /opt/OpenPages/
CommandCenter
What’s new in IBM OpenPages
Knowing what features are new, changed, deprecated, or removed helps you plan
your upgrade and deployment strategies and the training requirements for your
users. This topic lists the new features in IBM OpenPages GRC Platform version
7.0.0.
Visualizations
As a Risk analyst or Compliance manager, you can graphically render your
business process and communicate it to other users of risk analysis.
You can create interactive visualizations to communicate information about the
process flows and the Business Entity hierarchical structure.
The following are the new visualization object types:
v Process Diagram
v Data Input
Chapter 1. Introduction
3
v Data Output
For more information, see Chapter 6, “Business Process Visualizations,” on page
105.
Security rules
Use security rules to define a more granular control over the access to individual
objects in a folder. For example, two GRC domains share a common organizational
hierarchy. They share some common object instances, such as processes, but they
do not want to share other object instances, such as risks and controls. If you do
not create security rules on objects, folder-based security applies.
For more information, see Chapter 3, “Security,” on page 37.
Grid view
The grid view allows you to select how information about an object is displayed
by selecting an option from the View selector. Options include the ability to
display objects that match the selected filter or the folder view of an object. Select a
grid view to display information about more than one object. From the grid view,
you can add a new item and update one or more items.
You can use the Bulk Update feature to update multiple objects in the grid view
during one editing session. For example, you can update all objects assigned to
User A and assign them to User B.
Filtered List views and Folder views have been consolidated with the new grid
views.
For more information, see “Grid views” on page 241.
Info Card
The Info Card is displayed when you hover over an object. The card allows you to
quickly understand and review an object definition.
The Info Card is available from the grid view.
New multi-selector actor field types
New field types allow you to select multiple actors when selecting users, user
groups, or both users and user groups.
Orphan system field
The new Orphan system field allows you to see and filter on the objects with no
parents. You can also filter on objects that have parents but do not have a path to a
business entity.
IBM OpenPages SDK
A new OpenPages SDK allows users to programmatically access and manipulate
OpenPages platform data. This offering includes an OpenPages REST API and Java
API. working samples that demonstrate typical use cases, and reference
documentation to help you understand and use the APIs.
4
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The following OpenPages API documents were added in this release and they are
available from your installation.
v IBM OpenPages GRC Platform API Javadoc
v IBM OpenPages GRC Platform REST API Reference Guide
v IBM OpenPages GRC Platform Trigger Developer Guide
What's changed in IBM OpenPages
Listed below are features that are changed in version 7.0.0 of IBM OpenPages GRC
Platform.
Changes to the user interface
From the home page, you can filter objects to display only those items that meet
your requirements, sort information based on a column, and perform most
functions from the home page.
Improved icons make it easier for you to identify the commands that you need. To
view the updated icons, users must clear their web browser's cache after
upgrading to version 7.0.0.
Changes to menus
The contents of the Administration, Reporting, and MyOpenPages menus have
been reorganized.
The Workflow Console is available on the Administration menu. The Workflow
Console was formerly called the IBPM Console.
Changes to the configuration of the menu bar do not take effect immediately. The
next time that you log in, you will see the changes that you have made to the
menus.
Page size setting for Filtered List views
The Page Size setting for Filtered List views is no longer required to be used and
is ignored. Instead IBM OpenPages will load rows as you scroll through the
Filtered List view.
Actor fields
Actor fields can now be Field Dependency controllers.
Object views
You can now change the order of Detail and Activity object views.
Filters
Quick Filter and Advanced Filter have been consolidated. When you press Enter,
the Quick Filter is applied.
Chapter 1. Introduction
5
Some actions take effect immediately
Some actions, such as View Selection and Reporting Period, take effect
immediately when you select them. You are no longer required to click Go or View.
Paginate Actor Tables and Use Actor Search Only settings are no
longer required
There are no longer two possible interfaces used for selecting user lists and group
lists in the administration user interface. Where the type-ahead search and
filterable listing of users or groups were available, you have the option of selecting
users or groups.
The Paginate Actor Tables and Use Actor Search Only settings under
/OpenPages/Applications/Common/Administration/Users and Groups are now
ignored and are treated as though their values are always true.
To control the number of rows listed per page, use the Page Size setting under
/OpenPages/Applications/Common/Administration/Users and Groups.
About the IBM OpenPages GRC Platform
The IBM OpenPages GRC Platform serves as the foundation for a company's
enterprise risk management (ERM) efforts by unifying enterprise-wide risk and
compliance initiatives into a single management system. With solutions for IBM
OpenPages Financial Controls Management, IBM OpenPages Operational Risk
Management, IBM OpenPages IT Governance, IBM OpenPages Policy and
Compliance Management, and IBM OpenPages Internal Audit, the IBM OpenPages
GRC Platform provides a modular and integrated approach to governance, risk
and compliance.
Each component provides a highly configurable capability that supports your
specific methodology, without having to write custom code, whether in loss events,
KRI or any other solution component. The result is that companies can embed risk
management into the business and improve outcomes over time.
IBM OpenPages GRC Platform Modules
The IBM OpenPages GRC Platform consists of multiple modules.
v IBM OpenPages Financial Controls Management (FCM) — provides automated
assessment, testing, and certification processes to standardize and manage
Sarbanes-Oxley (SOX) compliance enterprise-wide.
IBM OpenPages Operational Risk Management (ORM) — provides a fully
integrated operational risk solution, including risk control self-assessments
(RCSAs), key risk Indicators, (KRIs), loss event data management, and advanced
reporting and business intelligence with IBM Cognos finance integrated risk
management. Dashboard components are available to provide an enterprise-wide
view of risk across the business and manage Basel II AMA compliance in the
banking industry.
v IBM OpenPages IT Governance (ITG) — provides a risk-based, policy-driven
approach to managing risk and compliance initiative for the IT organization.
v
v
6
IBM OpenPages Policy and Compliance Management (PCM) — provides an
integrated solution for reducing the complexity of complying with numerous
industrial, ethics, privacy, and government regulatory mandates.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v
IBM OpenPages Internal Audit Management (IAM) — provides an integrated
audit management solution to manage the full life cycle of internal audits.
How the IBM OpenPages GRC Platform Can Help
The IBM OpenPages GRC Platform application provides many capabilities to
simplify and centralize compliance and risk management activities.
Shared Content Management and Common Repository
v Logically presents processes, risks and controls in many-to-many and shared
relationships at multiple levels that can be configured to your business processes
v Supports importing existing corporate data and maintains a complete audit trail
and version history
v Ensures consistent regulatory enforcement and monitoring across multiple
regulations.
Dynamic Decision Support with Cognos
v Delivers rich, interactive, real-time executive dashboards and reports
v CrossTrack enables drill-down from reports into supporting reports as well as
the underlying detail data
v Provide organizational assurance for regulatory compliance
Simple Configuration and Localization
v Detail user-specific tasks and actions on a personal home page
v Reduce training costs with intuitive navigation, easy-to-use web-based layout
and localized text in English (both UK and US), French, Italian, Spanish,
German, Japanese, Simplified Chinese, Traditional Chinese, and Brazilian
Portuguese.
v Lower administration costs with simple browser based configuration capabilities
managed by administrators for end-users
Flexible Automation
v Robust workflow establishes and automates best practice processes for:
– Management assessments
– Process design reviews
– Control testing
– Issue remediation
– Sign-offs and Certifications
v Streamlined compliance procedures and automated sub-certifications without
sacrificing risk.
Web Services based integration
v OpenAccess API Interoperate with leading third-party applications to enhance
policies and procedures with actual business data
v Reduced total cost of ownership and easy integration with existing corporate
compliance management systems
Chapter 1. Introduction
7
8
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 2. Administering Users, Groups, and Domains
This chapter explains how to manage IBM OpenPages user accounts and groups
using the IBM OpenPages interface.
About Users and Groups
Within the IBM OpenPages application, users and groups are organized under the
top-level groups.
v
Security Domains - this top-level group acts as a container for the security
domain groups that are automatically created by the system when a business
entity or sub-entity is added. You can use security domains to distribute your
users and organizational groups so they can be administered by delegated
administrators. For an overview of security domains, see “Security domains” on
page 43.
v
Workflow, Reporting and Others - this top-level group acts as a container
for organizational groups that are used system wide. Administrators often create
organizational groups to organize users and other groups. You can define all
your users and group under the Workflow, Reporting and Others group and
then later associate them to different security domains. For upgrade customers,
this top-level group also hosts the groups that existed in prior IBM OpenPages
releases.
Note: The term ‘groups’ in this book includes both organizational and security
domain groups unless otherwise specified.
To create and administer users and groups for the IBM OpenPages application, you
must have access to an IBM OpenPages user account with administrative
privileges. For information about delegating and assigning administrator
permissions, see “About Administrators” on page 11.
When a user or group is disassociated from an organizational or security domain
group and that user or group is not a direct or indirect member of any other
group, then the system will make that user or group a member of a special group
called 'Standalone Users and Groups'. Only the Super Administrator will have
administrative access to this special group.
Accessing Users, Groups and Domains
Only an OpenPages Super Administrator or a delegated administrator with any
administrator permission can access the Users, Groups and Domains menu item.
To navigate to a group detail page, the logged in user must be a delegated
administrator of that group with at least Browse administrative permission. For
information about delegating administrator permissions, see “Delegating
Administrator Permissions” on page 12.
When you expand a security domain group, only child security domains are
displayed. Any organizational groups and users associated with that security
domain can be viewed only from the detail page of that security domain group.
9
Procedure
1. Log on to the IBM OpenPages application as a user with any administrator
permission set.
2. From the menu bar, select Administration and click Users, Groups and
Domains.
Note: To view any organizational groups and users associated with a security
domain, navigate to the detail page of that security domain group.
Results
From the Users, Groups and Domains page, you can view a list of all users and
groups, and access the detail page of an organizational group, security domain
group, or user.
Rules for User Names and Passwords
When you create user names, certain rules apply.
v The maximum length of a user name is 256 characters
Important: If you are using Microsoft Active Directory Users and Computers as
your LDAP authentication server, the user name is limited to a length of 20
characters. User names that exceed the 20 character limit are truncated to 20
characters. This length limitation does not occur in the LDAP server provided by
Sun. For more information about LDAP, see “Configuring the LDAP
Authentication Module” on page 75.
v The user name can contain alphanumeric characters and any of the special
characters listed in the following table.
Note: If you want to exclude any characters - including special characters from user names, you can specify these characters in the Illegal Characters
setting. For details, see “Excluding Characters From User Names” on page 346.
Table 3. Special Characters Allowed in User Names
10
Allowed Special
Character
Description
@
At sign
-
Dash
!
Exclamation point or bang
.
Period or dot
_
Underscore
/
Forward slash
:
Colon
*
Asterisk
\
Backslash
"
Double quotation marks
#
Pound sign
%
Percentile mark
?
Question mark
<
Less than
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 3. Special Characters Allowed in User Names (continued)
Allowed Special
Character
Description
>
Greater than
When you create passwords, these rules apply:
v The maximum length of a password is 32 characters
v Passwords cannot contain spaces
About Administrators
The IBM OpenPages application provides a means to flexibly manage your
security.
By assigning specific security management permissions to an administrator's user
account, you can delegate various security management activities to that
administrator. For example, you could set up an administrator for a security
domain group (such as a regional or local office) who would only have the ability
to reset passwords for that group.
The Super Administrator
The Super Administrator (specified during the install or upgrade process) is a user
who has complete access to all objects, folders, Role Templates, and groups in the
system.
In a new (first-time) installation, the Super Administrator is the only user in the
system. In an upgrade installation, customers can enter a new user or select one of
the existing users (such as ‘SOXAdministrator’ or ‘OpenPagesAdministrator’) as a
Super Administrator during the upgrade process.
A Super Administrator can create users, groups, other system administrators, and
assign roles. The IBM OpenPages application provides a Super Administrator with
the ability to decentralize and delegate administration activities by assigning
various roles to users through the use of Role Templates (for details see “Role
templates” on page 47) and group administrator permissions (for details, see
“Delegating Administrator Permissions” on page 12).
A Super Administrator can also assign an administrator to a security domain or
organizational group, without making the administrator a member of that group.
Some examples of the types of administrators a Super Administrator could create
are:
v A Regional or Group Administrator - this would be a user with at least one
security management permission assigned to perform administrative activities
for a security domain or organizational group.
v A Delegated Administrator - this would be a group administrator with certain
security management permissions who could, in turn, assign new administrators
to the same group or to any of the child groups, granting them the same
security management permissions.
v Decentralized Administrators - each group (security domain or organizational)
could have an administrator who would have one or more administrators
responsible for creating and associating users to that group as well as for
Chapter 2. Administering Users, Groups, and Domains
11
enable/disable, lock/unlock, assign roles and reset password operations. A
decentralized administrator would be able to perform these operations on all
child groups associated to their group but not on other groups in the system.
Important:
v If you change the logon user name and/or password of the OpenPages Super
Administrator account after installation (using the application interface), you
must manually make corresponding changes to the Cognos Framework
Generator property file so the reporting framework will update properly. For
details, see “Changing the Administrator Logon Account and Framework
Generation” on page 90.
v If you are using Microsoft Active Directory Users and Computers as your LDAP
authentication server, the user name is limited to a length of 20 characters. User
names that exceed the 20 character limit are truncated to 20 characters. This
length limitation does not occur in the LDAP server provided by Sun.
Delegating Administrator Permissions
As an administrator, you can delegate various security management activities, such
as only managing users or only resetting passwords, to other administrators for
organizational and business entity security domain groups.
For more information about entity groups, see “Security context points” on page
39). If there are child groups under a parent group, the administrator can delegate
an administrator for each child group as well.
Administrators do not have to be members of groups for which they perform
administrative tasks. By default, only the Super Administrator has Read and Write
access to objects in the system. Delegating administration responsibilities to a user
on a security domain, does not automatically grant Read and Write access to
objects under the corresponding entity.
Important:
v You can only assign those permissions that you have to other administrators.
v If you disassociate an administrator from a security domain or organizational
group, all user management privileges (such as manage users, lock/unlock
users, reset passwords, enable/disable users, assign roles) are retained by that
administrator and are not revoked.
Example
Let’s say you want to designate Mary Smith as an administrator who can reset
passwords for any users in the Boston Sales Office. You would navigate to the
Boston Sales Office entity group detail page and assign the ‘Reset Password’
permission to Mary Smith’s user account.
If there are multiple child groups under the Boston Sales Office entity group, Mary
Smith could delegate an administrator for each child group. She would only be
able to assign the ‘Reset Password’ permission to another administrator.
Note:
v Once administrator permissions are assigned to a user, the name of that user is
no longer displayed in the user selector list. To modify permissions for an
administrator, see “Modifying Administrator Permissions” on page 15.
12
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Security domain groups are not displayed in the User/Group selector list.
Related tasks:
“Accessing the role templates page” on page 47
You can define application permissions using role templates.
Types of Administrator Permissions
The following table lists the various security management permissions that you
can delegate to a security domain or user group administrator.
Table 4. Administrator Permissions
Permission
Description
Manage
Allows the selected user to create, modify, and associate users and
groups. Because the Manage permission is a global permission, it is
not constrained by the hierarchy of the role. Users who are granted
this permission can manage any role in the system.
Lock
Allows the selected user to lock a user account, which prevents
logon to the IBM OpenPages application from that account. With
this permission, a Lock button can be selected at the top of the
User Information details page.
Unlock
Allows the selected user to unlock a previously locked user
account. With this permission, an Unlock button can be selected at
the
top of the User Information details page.
Reset Password
Allows the selected user to reset passwords for users. With this
permission, a Reset Password button can be selected at the top of
the User Information details page.
Assign Roles
Allows the selected user to assign one or more roles to users and
groups and to revoke a role from a user or group.
Browse
Allows the selected user to view users and groups within that
group. This permission is selected by default.
Example
Figure 1 on page 14 shows a diagram with a sample decentralized security
administration structure.
Chapter 2. Administering Users, Groups, and Domains
13
Figure 1. Sample Decentralized Security Administration
Administrative permissions have been delegated to users as follows:
1. Jim has all administrative permissions on Company ABC group as well as on
all child groups.
2. Ken can create users and associate them to North America and its child groups.
3. Mary can only reset passwords of users who belong to the USA group and its
child groups - Boston and New York.
4. Steve has all administrative permissions on all the users and child groups of
the Asia Pacific group. However, Steve does not have administrative privileges
on the North America and Europe group hierarchies.
5. Tim has all administrative permissions on all the users and child groups of the
Europe group. However Tim does not have administrative privileges on the
North America and Asia Pacific group hierarchies.
In terms of delegation, Mary could assign an administrator to the Boston or New
York group but can only grant the 'Reset Password' administrative permission.
However, Jim can assign and grant all administrative permissions to administrators
on Boston and New York.
Assigning Administrator Permissions
You can assign one or more group administrator permissions to selected users.
Procedure
1. Log on to the OpenPages application as a user with any administrator
permission set.
2. From the menu bar, select Administration and click Users, Groups and
Domains.
3. On the Users, Groups and Domains page, click the name of the group for
which you want to assign administrative permissions to selected users.
4. On the detail page of the selected group, navigate to the Administrators &
Permissions tab.
5. Click Assign.
6. Do one of the following:
14
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v To select a user, click in the User box or click the user icon
configured).
(if
.
v To search for a user, click the magnifying glass icon
7. In the Specify Permissions box, select the administrative permissions you want
to assign to this user (see “Types of Administrator Permissions” on page 13 for
a list of permissions). To select all permissions, select the Permissions box in
the column heading.
8. When finished, click one of the following buttons:
v
v
Assign to return to the selected group’s detail page
Assign & Next to assign administrative permissions to another user.
Modifying Administrator Permissions
You can modify administrator permissions assigned to a user at any time.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. On the Users, Groups and Domains page, click the name of the group for
which you want to modify administrative permissions.
3. On the detail page of the selected group, navigate to the Administrators &
Permissions tab.
4. From the list of administrative users, click the
whose permissions you want to edit.
(pencil icon) next to the user
5. In the Specify Permissions box, select or clear administrative permissions for
this user as wanted (see “Types of Administrator Permissions” on page 13 for a
list of permissions).
6. When finished, click Save.
Revoking Administrator Permissions
You can revoke administrator permissions assigned to one or more users.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. On the Users, Groups and Domains page, select the check box next to the name
of each user for whom you want to revoke administrative permissions.
3. When finished, click Revoke.
Results
The name of the user is removed from the list of group administrators.
Managing User Accounts
This section describes how to configure non-administrative user accounts.
For information about accessing the Users, Groups and Domains menu item, see
“Accessing Users, Groups and Domains” on page 9.
Chapter 2. Administering Users, Groups, and Domains
15
Note: To configure security for user accounts, see “Configuring Security for User
Log On” on page 364. If you are using single sign-on, you can also redirect the
log-out link (see “Redirecting the IBM OpenPages Log Off Link” on page 364).
Creating New Users
When creating a new IBM OpenPages user, you must first select the group to
which the user will belong, and then enter information about the user and user
account.
If you have not created an appropriate group for the new user, you can add them
to the top-level Security Domains group or Workflow, Reporting and Others group.
In addition, you can create an "Everyone" or "All_Users" group under the top-level
Workflow, Reporting and Others group and add all the users to this group. At a
later time, you can then associate these users to the required security domains. In
this way, there is one group that lists all users. See “Creating a New Organizational
Group” on page 20 for details.
If a user will be responsible for adding, editing, or removing folder-based access
control (ACLs) using the Custom Security menu option on the Administration
menu, the user should be associated with a group that has the Access Control
Lists application permission.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list of groups until the group to which you want to add the new
user is displayed. Click the name of the group to display the group’s detail
page.
3. Navigate to the Users tab that lists all of the users who currently belong to the
group, and click Add New.
4. Enter the necessary information for the new user account.
Note: Once the record is saved, you cannot change the user name.
Attention: OpenPages user names are case sensitive. If you are using single
sign-on (SSO) or LDAP authentication, the user name you choose here must
match the user name you enter in the SSO or LDAP system.
Important: If you are using Microsoft Active Directory Users and Computers
as your LDAP authentication server, the user name is limited to a length of 20
characters. User names that exceed the 20 character limit are truncated to 20
characters. This length limitation does not occur in the LDAP server provided
by Sun.
5. Assign the user a profile:
a. Click the Profile arrow.
b. Select a value from the list.
6. Select the Password never expires password behavior. If you select a different
option, then an Admin user will have to change the user's password when it
expires. The following table explains the password behavior options.
16
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 5. Password behavior options
If you select this option...
Then...
User must change password at next log in
The next time the user logs on to the
application, the user is prompted to change
the password. The new password must be a
valid password that satisfies any active
strong password policies.
User cannot change password
The Change Password button is disabled
and the user will be unable to change the
password. This option is mutually exclusive
with ‘User must change password at next
login.’
Password never expires
The user will not be prompted to change
their password after a period of time.
Password expires in ______ days
After the specified period of time has
elapsed, the user will be forced to change
their password. This setting is mutually
exclusive with the ‘Password never expires’
and ‘User cannot change password’ settings.
7. Click Create.
8. If the new user account was created:
a. Under an "Everyone" or "All_Users" group, go to “Associating Existing
Users with a Group” to give the user access to a business entity.
b. Under a security domain group that corresponds to a particular business
entity, go to “Assigning a role to a user or group” on page 51 to assign the
user access control permissions.
Associating Existing Users with a Group
If a new user only belongs to an "Everyone" or "All_Users" group, you need to
give the user access to the appropriate business entity or entities.
You do this by associating the user to the security domain group that corresponds
to the business entity for which they need access. For information about security
domains, see “Security domains” on page 43.
Note: Administrators can only associate users with groups to which they have the
Browse administrative permission. If you select a group to which you do not have
access, an error message is displayed.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Navigate to the group to which you want to associate an existing user.
Note: To expand a group hierarchy, click the + (plus) sign next to the group
you want. The Security Domains top-level group contains the security domain
groups for all business entities.
3. From the list of groups, click the name of the group you want.
4. On the detail page of the selected group:
a. Navigate to the Users tab.
b. Click the Associate button.
Chapter 2. Administering Users, Groups, and Domains
17
5. On the Associate Users with Group page:
a. Expand the list to display the users.
b. Select the check box next to each user account you want to associate.
c. When finished, click Associate.
6. To assign access control permissions to a user, go to “Assigning a role to a user
or group” on page 51
Disassociating Users from a Group
You can disassociate users from a group.
Disassociating users from a security domain group does not result in removal of
their role assignments on that entity. Use 'Revoke' to remove the role assignments
of a user on a given entity (see “Revoking a role from a user or group” on page
52).
If you disassociate an administrator from a security domain or organizational
group, all user management privileges (such as manage users, lock/unlock users,
reset passwords, enable/disable users, assign roles) are retained by that
administrator and are not revoked.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list of groups and click the name of the group that contains the
user you want to disassociate. If you have, for example, an "Everyone" or
"All_Users" group under the Workflow, Reporting and Others group, you can
navigate there to locate the user
3. On the Users tab of the selected group:
a. Select the check box next to each user you want to disassociate from the
group.
b. Click the Disassociate button.
c. At the prompt, click OK.
The name of the user is removed from the list.
Modifying Existing User Accounts
As necessary, you can edit a user account.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list until the organizational group or Security Domain that contains
the user account is displayed.
3. Click the name of the organizational group or security domain to open its
detail page and then click the user name to display that detail page. If you
have an "Everyone" or "All_Users" group under the Workflow, Reporting and
Others group, you can navigate there to locate the user.
4. Click the Edit... button at the top of the User Information section. The Edit User
Information page is displayed.
Note: You cannot change a user name.
18
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
5. Edit the necessary information, and click Save to return to the User detail page.
Disabling User Accounts
When a user account is disabled, the user of that account is prevented from
logging in, and the user is removed from selection on the user selector list.
User accounts cannot be deleted through the IBM OpenPages application user
interface.
Note: If you want to prevent a user from logging in, but still want the user to
appear in user selectors, you should Lock the user instead. See “About Locking
and Unlocking Objects” on page 330 for more information.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list until the organizational group or Security Domain that contains
the user account you want to disable is displayed.
3. Click the name of the organizational group or security domain to open its
detail page and then click the user name to display that detail page. If you
have, for example, an "Everyone" or "All_Users" group under the Workflow,
Reporting and Others group, you can navigate there to locate the user.
4. Click the Disable button at the top of the User Information section. The button
text changes to Enable and the value of the Status field changes to Inactive.
Enabling User Accounts
You can re-enable a disabled user account.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list until the organizational group or Security Domain that contains
the user account you want to enable is displayed.
3. Click the name of the organizational group or security domain to open its
detail page and then click the user name to display that detail page. If you
have, for example, an "Everyone" or "All_Users" group under the Workflow,
Reporting and Others group, you can navigate there to locate the user.
4. Click the Enable button at the top of the User Information section. The button
text changes to Disable and the value of the Status field changes to Active.
Managing Organizational Groups
This section describes how to configure organizational groups.
For information about accessing the Users, Groups and Domains menu item, see
“Accessing Users, Groups and Domains” on page 9.
Chapter 2. Administering Users, Groups, and Domains
19
Creating a New Organizational Group
To more easily find a specific user without browsing through multiple groups and
subgroups, it is recommended that you create an "Everyone" group (or other
suitable name) as a sub-group of the Workflow, Reporting and Others group.
This is useful since normally you create IBM OpenPages users in the context of a
group, and then add them to multiple groups directly. This means that in order to
find an existing user, you need to know a group to which the user belongs. To help
this process, follow the suggestions below.
As you create your list of IBM OpenPages users, add them directly to the
"Everyone" group as well as the functional groups they will belong to. In this
manner, to find a specific user quickly, you can open the "Everyone" group and
select the user directly.
If you want to deny a user access to the IBM OpenPages application by removing
him from all groups, you will need to remove him from the "Everyone" group as
well.
Note: If you have set up your security access controls for your groups and users, it
is important that the "Everyone" group is not granted access control to your IBM
OpenPages data. Otherwise, the access permissions of the "Everyone" group may
override your security settings. The "Everyone" group is merely a convenience to
help administrators quickly find a specific user and modify their information.
Users with the correct permissions can create groups using the User/Group
interface. Groups can contain other groups and users, and inherit application
permissions from the groups that they belong to.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list and click the name of the group to which the new group will
belong. If there is no higher-level group for the new group, select the root
Security Domains or Workflow, Reporting and Others group.
3. On the detail page of the selected group, navigate to the Groups tab and click
Add New.
4. Fill in the required information for the new group and click Create. The parent
group’s detail page is displayed with the new group listed in the Sub-Groups
section.
5. Click the name of the new group to view the detail page if you want to add
users to the group or modify the group permissions.
Disassociating a Group
You can disassociate a group from other groups.
When you disassociate a group and that group does not belong to any other IBM
OpenPages group, the group will be listed under the special group named
Standalone Users and Groups, which is under the top-level Workflow, Reporting
and Others group.
20
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
When adding an existing group to another group, the disassociated group will still
be available in the group selector list.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list and click the name of the group to which the
soon-to-be-disassociated group belongs. The detail page of the group is
displayed.
3. Navigate to the Groups tab and select the check box next to each group to be
disassociated.
4. When finished, click Disassociate. A confirmation box is displayed.
5. Click OK in the box to disassociate the selected groups.
Associating a Group
You can associate groups to each other.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. Expand the list of groups and click the name of the group to which you want
to associate another group. The detail page of the selected group is displayed.
3. Navigate to the Groups tab and select the check box next to each group to be
associated
4. When finished, click Associate.
Configuring Application Permissions
Administrators can use a set of application permissions to limit the activities of the
various users and user groups that can access the IBM OpenPages application.
Attention: If the changes to application permissions result in changes to menus,
the menu changes do not appear until users log out and then log back in to the
application.
Defining Application Permissions
You can define application permissions within the IBM OpenPages application
interface in several ways.
v In Role Templates - this is the preferred method for granting users or groups
application permissions.
Note:
– Both application permissions and ACLs are included in the role definition
process. When a role is assigned to a user or a group on any business entity
or security context point, that user or group automatically acquires the
application permissions defined in that Role Template.
– When a user or group is assigned multiple roles, the user or group
accumulates the application permissions that are defined in the various roles.
Application permissions are granted by the role (not the security context
point) and apply in all situations where the user has the correct ACL access.
Chapter 2. Administering Users, Groups, and Domains
21
For example, users with Read permission to Business Entities and the Audit
Trail application permission will be able to view the Change History (audit
trail) for those Business Entities.
For more details, see “Role templates” on page 47.
v As part of an organizational group definition - this method is provided for
backward compatibility for upgrade customers and for administering
system-wide organizational groups. Organizational groups can be created under
the Workflow, Reporting and Others root folder on the Users, Groups and
Domains page. For more details, see “Managing Organizational Groups” on
page 19.
Understanding Group Application Permissions
By setting application permissions on a group (either through a Role Template or
on organizational groups), you can control, for example, whether or not users in
that group can lock objects, view audit trail information, create reporting periods,
and so forth.
To delegate group security management permissions to administrators, see
“Delegating Administrator Permissions” on page 12.
To assign application permissions for a role, see “Accessing the role templates
page” on page 47.
Procedure
1. Access the Users, Groups and Domains page (see “Accessing Users, Groups
and Domains” on page 9).
2. On the Users, Groups and Domains page, click the name of the group whose
application permissions you want to view or modify.
3. On the detail page of the selected group, navigate to the Permissions tab.
Tip: Most IBM OpenPages application permissions are grouped under the
‘SOX’ heading. Selecting the ‘SOX’ permission selects all the permissions under
that heading. This is only advisable for administrative level users.
For a description of the various permissions, see “Application Permissions” and
“Other Permissions” on page 27.
4. To modify application permissions for a group, click Edit, make the required
changes, and then click Save.
5. To assign user and group management permissions to selected users, see
“Delegating Administrator Permissions” on page 12.
Application Permissions
The application permissions reside under the SOX permissions heading and can be
applied to IBM OpenPages user groups.
Administration
When you create an administrative-level group, you must grant them
Administration permissions.
If a user or user group possesses any of these permissions, they will see the
Administration menu on the menu bar.
22
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Access Control Lists:
Allows super administrators to view, edit, and remove the access control listings
for objects through the Custom Security menu item on the Administration menu.
See “Role-based access control permissions” on page 45 for more information on
Access Control Lists (ACLs).
Application Text:
Allows users and members of user groups to view and edit locale-specific
application label values through the Application Text menu item on the
Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Currencies:
Allows users and members of user groups to administer currencies.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
ExportConfiguration:
Allows users and members of user groups to access the environment migration
tool to export configuration items for import into another system. See Chapter 19,
“Migrating IBM OpenPages Environments,” on page 627.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Field Groups:
Allows users and members of user groups to view and manage the configuration
of field groups with their related field definitions through the Field Groups menu
item on the Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
ImportConfiguration:
Allows users and members of user groups to access the environment migration
tool to import configuration items exported from another system. See Chapter 19,
“Migrating IBM OpenPages Environments,” on page 627.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Object Profiles:
Allows users and members of user groups to view and manage the configuration
of the profile, which includes the object types, through the Profiles menu item on
the Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Object Reset:
Chapter 2. Administering Users, Groups, and Domains
23
Allows users and members of user groups to reset objects for a new reporting
period. For information on governing reset behavior, see Chapter 13, “Resetting
Objects,” on page 293.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Object Text:
Allows users and members of user groups to view and edit locale-specific object
label values through the Object Text menu item on the Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Object Types:
Allows users and members of user groups to view and manage the configuration
of object types with their related field groups and associated objects through the
Object Types menu item on the Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Reporting Framework:
Allows users and members of user groups to generate and manage the reporting
framework through the Reporting Framework menu item on the Administration
menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Reporting Framework Configuration:
Allows users and members of user groups to administer and configure the
reporting framework through the Reporting Framework menu item on the
Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Reporting Periods:
Allows users and members of user groups to finalize and reapply Reporting
Periods through the Reporting Periods menu item on the Administration menu.
Finalize
Allows users and members of user groups to finalize the active Reporting
Period.
Reapply
Allows users and members of user groups to reapply the active Reporting
Period.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Reporting Schema:
Allows users and members of user groups to manage the Reporting Schema
through the Reporting Schema menu item on the Administration menu.
24
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Role Templates:
Allows users and members of user groups to view, add, and manage roles through
the Role Templates menu item on the Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Security Rules:
Allows users and members of user groups to manage and maintain security rules
through the Security Rules menu item on the Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Settings:
Allows users and members of user groups to view and manage settings through
the Settings menu item on the Administration menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Change History
This application permission allows users and members of user groups to review
the selected Reporting Period to view historical information about objects. With
this permission enabled, a Change History option can be selected at the top left of
the object’s detail page.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
For more information, see “How Reporting Periods and Change Histories Interact”
on page 294.
Attention:
v When you copy objects, change histories are not copied with the object. The
copy of the object has no change history because it is a new object.
v When you add new fields to an object type, IBM OpenPages administrators may
see a blank to blank change in the change history because the fields were not
previously available.
Browse Files
This application permission allows users and members of user groups to view and
navigate the Browse menu item on the My OpenPages, Attachments menu.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
IBM Command Center® Studios
This application permission allows users and members of user groups to launch all
supported Studio applications from links on the Reporting menu.
Chapter 2. Administering Users, Groups, and Domains
25
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Analysis Studio:
This application permission launches IBM Cognos Analysis Studio through the
Analysis Studio menu item on the Reporting menu.
Use Cognos Analysis Studio to explore, analyze, and compare dimensional data,
find meaningful information in large data sources, and answer business questions.
Cognos Connection:
This application permission launches IBM Cognos Connection through the Cognos
Connection menu item on the Reporting menu.
Use the portal, Cognos Connection, to access your Cognos software and corporate
data. Depending on your access permissions, you can create, run, and distribute
reports and cubes, create and run agents, or schedule entries.
Cognos Workspace:
This application permission launches IBM Cognos Workspace from the Cognos
Workspace menu item on the Reporting menu.
Use Cognos Workspace to build interactive workspaces with Cognos content and
external data sources and to collaborate, solve problems, and make decisions.
Cognos Workspace Advanced:
This application permission launches IBM Cognos Workspace Advanced from the
Cognos Workspace Advanced menu item on the Reporting menu.
Use the Cognos Workspace Advanced interface to analyze data and author reports
based on IBM Cognos content, external data sources, and relational or dimensional
data sources.
Query Studio:
This application permission launches IBM Cognos Query Studio through the
Query Studio menu item on the Reporting menu.
Use Cognos Query Studio to create simple queries and reports.
Report Studio:
This application permission launches IBM Cognos Report Studio through the
Report Studio menu item on the Reporting menu.
Use Cognos Report Studio to author professional, sophisticated reports based on
any data source including relational or multidimensional data sources.
Folders
This application permission users and members of user groups to create new
folders in the object repository that do not correspond to business entities. This
allows users to create their own folder structure.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Issues
This application permission allows users and members of user groups to view the
list of Issues through the Issues menu item on the Remediation menu.
26
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Note: This application permission is in effect only for upgrade customers who
have not yet migrated their access control to the role-based security model. For
new first-time installations, this permission is not honored.
Project Management
If your system is configured to enable Project Management, this application
permission allows users and members of user groups who are assigned role
templates that include the permission to use the Milestone and Milestone Action
Item Project Management capabilities available through the Project menu item on
the My OpenPages menu.
View Locks
Users with the View Locks permission can view the existing locks on objects. The
View Locks permission does not grant the right to lock or unlock an object - for
that you need either the Lock permission or the Unlock permission.
Other Permissions
The following application permissions are not contained under the SOX permission
heading, but still have an impact on IBM OpenPages application behavior.
Application permissions determine what functional areas and administrative
operations a given user or group is able to perform. Typically, end users do not
require these application permissions.
All Permissions
Grants users and members of user groups all permissions and access to every
functional and administrative area within IBM OpenPages (Web and server).
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Administration
The Administration permissions grant users and members of user groups the
ability to archive and restore document versions and to enable and disable System
Administration Mode.
Users are generally granted the applicable permissions by being assigned to role
templates that include those permissions.
Archive Management:
Allows group members to archive and restore document versions.
System Administration Mode:
Allows group members to enable and disable System Administration Mode and
perform certain administrative functions. For details see, Chapter 4, “Using System
Admin Mode,” on page 81.
Collaboration
The Collaboration permissions grant administrative permissions to manage
workflow tasks and jobs.
Manage Job Types:
Allows group members to add and modify job types. Job types are templates that
can be used to create individual jobs.
Chapter 2. Administering Users, Groups, and Domains
27
Start Jobs:
Allows group members to start a job.
View All Jobs:
Allows group members to view a list of jobs and the detail page related to a
selected job.
Files
This application permission grants all administrative permissions under the Files
grouping that are related to managing files and folders.
Add Folders:
Allows group members to create and add new folders.
Cancel Checkout:
Allows group members to cancel the file check out process for associated files that
were checked out by others. When a file check out is canceled, the file is checked
back into the system without applying any changes and no new version of the file
is created.
Restriction: This permission only applies to file attachments (of the SOXDocument
object type). This feature only applies to IBM OpenPages; it does not apply to the
check in and check out feature in the /opx interface.
Lock:
Allows group members to lock objects, regardless of sign-off or ACL restrictions.
Reassign Primary Association:
Allows members of the user group to reassign primary parent associations and
view the Make this object Primary button on the Parent tab of an object. Where
object is the object type.
Remove All Tree Locks:
Allows members of the user group to unlock resources and/or resource sub-trees.
Unlock:
Allows group members to unlock objects.
Publishing
The Add Pages permission grants administrative permissions to make Cognos and
jsp reports available from the IBM OpenPages application user interface.
Add Pages:
Allows group members to add reports.
Configure Password Behavior
The IBM OpenPages product supports the use of strong passwords (passwords that
include letters, numbers, and symbols).
It also allows administrators to enforce mandatory password changes and other
password behavior.
Note: This section on configuring password behavior does not apply if you use
single sign-on (SSO), such as LDAP or Microsoft Active Directory, as your internal
IT policies will dictate password behavior within the IBM OpenPages application.
28
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Configuring Password Policies
The IBM OpenPages platform allows administrators who can access the Settings
administrative section to modify the password policies in effect for the application.
Using the password policies, administrators can enable strong passwords and
control whether user passwords must be changed after a certain length of time.
Administrators can modify the following settings (located under OpenPages |
Platform | Security | Password) as described in Table 6:
Table 6. Password Settings
Setting
Description
Encryption
Administrator
The user name who is allowed to change the password encryption
algorithm and the encryption key.
Strong Policies These settings allow the administrator to configure the strong password
Character Groups policies for the application.
1-4
Each Character Group takes a comma-separated list of characters. By
default, these groups are empty.
If strong passwords are enabled, each password will be required to
contain at least one character from each group. If a group is empty, that
group is ignored.
Strong Policies Enabled
If the value is set to:
v
true - then users will be required to enter strong passwords when
specifying their user password.
v
false - then users will not be required to enter strong passwords
when specifying their user password. This value is set by default.
Default Expiry
Days
When a user is created or edited, the administrator can set a period of
time before the password expires. The default value for that setting is
determined by this value. The default value for this setting is 90 days.
Enabled
Sets whether the password policies are active or not. The default value
for this setting is ‘false’.
Maximum Length Sets the maximum length of the password. The default value for this
setting is ‘32’.
Minimum Length Sets the minimum length of the password. The default value for this
setting is ‘6’.
Notify Before
Days
Sets the number of days before a user’s password expires that the user
is shown a warning message at logon about their password expiring.
Configuring Password Encryption
The IBM OpenPages platform contains the ability to modify the encryption
algorithm used to encrypt IBM OpenPages user passwords.
The tool used to modify the encryption is called the Update Password Encryption
Algorithm tool, hereafter referred to as UPEA.
The UPEA tool can be used to:
v Change the triple DES (3DES) encryption key - this is the default encryption
algorithm.
Chapter 2. Administering Users, Groups, and Domains
29
v
Change the encryption algorithm in legacy (4.x or 5.1x versions of IBM
OpenPages ) systems from OP-CUSTOM to 3DES.
Note: For legacy systems running 4.x or 5.1x versions of IBM OpenPages ,
when you change the encryption algorithm from OP-CUSTOM to 3DES, all user
passwords reset to ‘0p3nP4g3s’ (first character is a zero). Users will need to
change their passwords the next time they log into the system.
The UPEA Tool
The UPEA tool is named as follows:
Windows: UpdatePasswordEncryptionAlgorithm.cmd
AIX: UpdatePasswordEncryptionAlgorithm.sh
The UPEA tool is located in the <OP_Home>|bin directory of your IBM OpenPages
GRC Platform installation.
For Microsoft Windows operating systems, the default installation location of the
directory in the IBM OpenPages GRC Platform application is C:\OpenPages.
For AIX and Linux operating systems, the default installation location of the
directory in the IBM OpenPages GRC Platform application is /opt/OpenPages.
Before using the UPEA tool, make sure you perform the following prerequisite
tasks:
v “Verifying the Current Encryption Algorithm”
v “Verify the Environment”
v “Configure the Security Provider in the java.security File” on page 31
v “Change Passwords in the aurora.properties Property File” on page 31
v “Update the Users Table to Change Passwords” on page 32
Verifying the Current Encryption Algorithm
If you have a legacy system, we recommend that you verify the name of the
current encryption algorithm before running the UPEA tool to change the
algorithm to 3DES as follows.
Procedure
1. Log on to a machine with SQL*Plus and access to the database server.
2. Execute the following SQL statement:
select algorithmname from encryptionmodules where inactive=0;
3. When finished, log out of SQL*Plus.
Results
If the SQL statement returns the name:
v OP-CUSTOM, then run the UPEA tool to change the encryption algorithm to 3DES.
v
3DES, then you already have the triple DES encryption algorithm and can use, if
wanted, the UPEA tool to change the 3DES encryption key.
Verify the Environment
The following tasks must be completed before running the UPEA tool.
30
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v There must be a properly installed and functioning IBM OpenPages system on
the machine.
v All users must log off the system.
v A full backup of the IBM OpenPages database must be completed (see
Chapter 16, “Using Utilities with Oracle Database,” on page 415).
v Stop all IBM OpenPages servers, including any secondary servers, except for the
OpenPagesAdminServer service (Windows) or IBM OpenPages Dmgr server (AIX
and Linux). This ensures that no users are logged onto the system during the
password encryption update.
Note: For details on starting and stopping servers for Windows, AIX and Linux
environments, see “Starting and Stopping OpenPages Application Servers” on
page 613.
Configure the Security Provider in the java.security File
Procedure
Verify that the BouncyCastleProvider security provider has been added to the
java.security file as follows:
1. Open a command or shell window on the application server.
2. Navigate to:
<Java_Home>|jre|lib|security
Where:
<Java_Home> is the installation location of the Java Runtime Environment.
Oracle WebLogic
C:\OpenPages\jre\lib\security
IBM WebSphere
Windows: C:\IBM\WebSphere\AppServer\java\jre\lib\security
AIX: IBM/WebSphere/AppServer/java/jre/lib/security
3. Make a backup copy of the java.security file before modifying it.
4. Open the java.security file in a text editor of your choice.
5. Locate the following property in the file:
security.provider.<#>=
Where: The number sign, <#> is a number (for example, 9).
6. If the BouncyCastleProvider security provider is not present, modify the value
after the equal sign so it matches this:
security.provider.<#>=org.bouncycastle.jce.provider.BouncyCastleProvider
7. When finished, save and close the file.
Change Passwords in the aurora.properties Property File
About this task
You change the password in the aurora.properies file. By default, this file is in the
<OP_Home> directory. The location of the <OP_Home> file varies depending on your
operating system.
For Microsoft Windows operating systems, the default installation location of the
directory in the IBM OpenPages GRC Platform application is C:\OpenPages.
Chapter 2. Administering Users, Groups, and Domains
31
For AIX and Linux operating systems, the default installation location of the
directory in the IBM OpenPages GRC Platform application is /opt/OpenPages.
Procedure
1. Open a command or shell window on the application server.
2. Navigate to the <OP_Home>|aurora|conf directory.
3. Locate the aurora.properties file in the conf directory and do the following:
a. Make a backup copy of the file before modifying it.
b. Open the file in a text editor of your choice.
c. Search the file for properties that include the string ‘password=’.
d. Change all password values following the equal sign to plain text.
e. When finished, save and close the file.
Note: Passwords become encrypted when servers are restarted.
Update the Users Table to Change Passwords
Updating user tables to change passwords with the UPEA tool only applies to
upgraded databases.
Procedure
1. From a machine with SQL*Plus and access to the database server, log on as the
‘openpages’ database user.
2. Run the following SQL statements to update the Users table so passwords can
be changed:
Sqlplus openpages/[email protected]<host_name>
update users set flag_can_change_password=1 where actorid !=8
Where:
<host_name> is the name of the database server.
actorid=8 is OPSystem.
Using the UPEA Tool
This topic details the syntax of the UPEA tool.
UPEA Syntax
UpdatePasswordEncryptionAlgorithm
-Mode [CA|CK]
-AlgorithmName [3DES|OP-CUSTOM]
-ProviderName BC
-ProviderClass org.bouncycastle.jce.provider.BouncyCastleProvider
-Username OPAdministrator
-Password <OPAdministrator password>
[-Port <portnumber>]
[-KeySize <length>]
[-?]
Table 7 on page 33 describes the UPEA parameters.
32
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 7. UPEA Parameters
Parameter
Description
-Mode
Required. Use to specify the mode in which the tool should run.
Possible modes are:
v
v
-AlgorithmName
CA (for Change Algorithm) — used to switch the encryption
algorithm from OP-CUSTOM to 3DES.
CK (for Change Key) — used to change the 3DES encryption key.
Required. Use to specify the type of encryption algorithm that will be
used.
Valid values are:
v
v
3DES
OP-CUSTOM (only used with legacy systems running 4.x or 5.1x
versions of IBM OpenPages )
-Host
Required. Use to specify the host name of the application machine.
-ProviderName
Required. Use when changing algorithms to the 3DES encryption
algorithm only.
Has only one valid value: BC.
-ProviderClass
Required. Use only in conjugation with -ProviderName to specify the
class for the new encryption algorithm. Has only one valid value:
org.bouncycastle.jce.provider.BouncyCastleProvider
-Username
Required. Use to specify the user name to use when modifying the user
passwords. Must be the same as the user specified in the
OpenPages|Platform|Security|Password|Encryption|
Encryption Administrator setting.
-Password
Required. Use to specify the password to the Encryption Administrator
account.
-Port
Optional. Use to specify the bootstrap port number.
-KeySize
Optional. Use to specify the length of the 3DES encryption key. The
smallest recommended length is 192.
If an invalid value is given, or no value is provided, the default value
of 112 is used, which is the smallest valid size.
-?
Optional. Displays the on-screen help for the UPEA tool.
Changing Password Encryption Algorithms From OP-CUSTOM to
3DES
If you have a legacy system running a version of IBM OpenPages prior to 5.5 and
are using the OP-CUSTOM encryption algorithm, you can use the following
procedure to run the UPEA tool and change the password encryption algorithm
from OP-CUSTOM to 3DES.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
Navigate to the <OP_Home>|bin directory.
For Microsoft Windows operating systems, the default installation location of
the directory in the IBM OpenPages GRC Platform application is C:\OpenPages.
For AIX and Linux operating systems, the default installation location of the
directory in the IBM OpenPages GRC Platform application is /opt/OpenPages.
Chapter 2. Administering Users, Groups, and Domains
33
From the command or shell window, run the following command on a single
line:
Windows
UpdatePasswordEncryptionAlgorithm.cmd -Mode CK -Host <host name>
-Port <http port> -AlgorithmName 3DES
-KeySize 112 -Username <OpenPagesAdministrator>
-Password <password>
AIX and Linux
sh UpdatePasswordEncryptionAlgorithm.sh -Mode CK -Host <host name>
-Port <http port> -AlgorithmName 3DES
-KeySize 112 -Username <OpenPagesAdministrator>
-Password <password>
Where: <password> is the password for the OpenPagesAdministrator account.
Note: If you have changed the default port for IBM OpenPages to a port other
than 7001, add the -Port parameter to the end of the command with the new
port number.
2. The tool will display a message describing the changes it will make and ask for
confirmation. Type Y at the prompt and press the Enter key to proceed.
3. Once the UPEA tool has finished, a success message will be displayed.
4. Restart all IBM OpenPages services.
5. You (or the site administrator) must notify all users that their passwords have
been reset to ‘0p3nP4g3s’, and that they must change their passwords the next
time they log into the system.
Changing the 3DES Encryption Key
At certain times, you may want to change the encryption key used by the 3DES
encryption algorithm. To change the encryption key using the UPEA tool, perform
the following steps.
Procedure
1. Log on to the IBM OpenPages server as a user with administrative privileges.
2. Open a command or shell window and change directories to the <OP_Home>|bin
directory.
For Microsoft Windows operating systems, the default installation location of
the directory in the IBM OpenPages GRC Platform application is C:\OpenPages.
For AIX and Linux operating systems, the default installation location of the
directory in the IBM OpenPages GRC Platform application is /opt/OpenPages.
3. From the command or shell window, run the following command on a single
line:
Windows
UpdatePasswordEncryptionAlgorithm -Mode CK -AlgorithmName 3DES
-Username OpenPagesAdministrator -Password <password>
AIX
sh UpdatePasswordEncryptionAlgorithm.sh -Mode CK -AlgorithmName 3DES
-Username OpenPagesAdministrator -Password <password>
Where: <password> is the password for the OpenPagesAdministrator account.
Note: If you have changed the default port for IBM OpenPages to a port other
than 7001, add the -Port parameter to the end of the command with the new
port number.
34
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
4. The tool will display a message describing the changes it will make. To confirm
the changes, type Y at the prompt and press the Enter key to proceed.
Once the UPEA tool has finished, a success message will be displayed.
5. Restart IBM OpenPages services to effect the change.
Chapter 2. Administering Users, Groups, and Domains
35
36
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 3. Security
Most of your security requirements can be handled in IBM OpenPages with
folder-based security, either role-based security or custom security. If you need to
refine folder-based security, use security rules.
Role-based security
Use role-based security to define application permissions for each role and
to set access control (Read, Write, Delete, Associate) for each object that is
included in that role. All users in each role inherit the same security access
controls.
Custom security
Use custom security to set access control (Read, Write, Delete, Associate)
on folders for Project Milestones and Project Action Items. All objects in the
folder inherit the same security access controls.
Security rules
Use security rules to define a more granular control over the access to
individual objects in a folder. For example, two GRC domains share a
common organizational hierarchy. They share some common object
instances, such as processes, but they do not want to share other object
instances, such as risks and controls. If you do not create security rules on
objects, folder-based security applies.
Security rules have these access controls: Create, Read, Update, Delete, and
Associate. The Write access control in folder-based security is split into
Create and Update for security rules, which gives you more control over
what users can and cannot do.
Role-based security model
A role-based security model provides a way for administrators to control user and
group access to objects that are under a defined security point within the object
hierarchy according to the role the user or group is expected to perform within the
organization.
Typical security points are business entities, processes, or sub-processes (can also
be set at lower security point levels if wanted).
Figure 2 on page 38 shows how various users and groups can have different
permissions set for accessing business entities (a defined security point in the
object hierarchy) and objects that are under a specific hierarchy.
37
Figure 2. Security Concepts in a Hierarchy
Based on the type of security context points defined in your security model, such
as Business Entity, Process, Control Objective or Risk Assessment, you can use a
Role Template to define a set of permissions for a set of object types.
For each Role Template that you define, you can set the following:
v Access control (Read, Write, Delete, Associate) for each object type included in
that role. For details, see “Role-based access control permissions” on page 45.
v Application permissions for the role. For information about the various
application permissions, see “Configuring Application Permissions” on page 21.
Important: These application permissions do not include administrative group
and user security management permissions, such as resetting passwords,
assigning roles, adding users, and so forth. To learn more about assigning group
and user security management permissions to administrators, see “Delegating
Administrator Permissions” on page 12.
By assigning a role (an instance of a Role Template) to a user or group at specific
security context point in the object hierarchy, you can control access to objects.
Roles represent the usual or expected function that a user or group plays within an
organization. Some examples of roles are: Finance Reviewer, Tester, External
Auditor, System Administrator, Control Owner, Risk Assessor.
When you assign a role to a group or user, the security settings of that Role
Template are acquired by that group or user and permissions are automatically
granted, per the role template definition, to all objects below or under the specified
security point.
For example, if a role were assigned to a user for a business unit (security context
point), access control for specific object types under that security point would be
set in the object hierarchy. Object types that were excluded from the role would be
38
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
hidden from view, object types that were included would be visible and could be
accessed by users and groups assigned to that role.
So that you can have a clear and accurate understanding of which users and
groups have access to what and with which permissions, and what access control
modifications were made in the system, you can run a variety of reports to view
this data. For details on the types of configuration audit and security reports
available to you, see the section “Audit Reports Folder” on page 122.
Security context points
The structure of the object hierarchy that is defined in your system also acts as the
security context point to which access control can be assigned.
Roles (defined by Role Templates) are granted to specific security points in the
object hierarchy, and permissions for a particular role are automatically granted to
all objects that are created in the same location beneath that security point. If a role
is assigned to a group on a top-level Business Entity, then all users of that group
would have access to that business entity and would be able to access all objects
under that entity as per the permissions in the role.
By default, the installation process automatically sets Business Entity
(SOXBusEntity) as the security context point within the object hierarchy at which
roles can be assigned.
Example
Let’s say you have a regional office called ‘North America’ and a sub-regional
office called ‘United States’. When you create the business entity, the folder
structure /BusinessEntity/North America/United States would automatically be
created.
Let’s say you also created a Role Template called ‘Entity Owners’ that has access
defined for the following object types:
v Business Entity
v Process
v Sub-process
v Control Objective
v Risk
v Control
When you assign the ‘Entity Owners’ Role Template to the ‘United States’ business
entity, the following structure is automatically generated under the root folder of
each object type:
/Processes/North America/United States
/Sub-processes/North America/United States
/ControlObjectives/North America/United States
/Risks/North America/United States
/Controls/North America/United States
Note: that the folder structure /BusinessEntity/North America/United States
does not have to be generated since it already exists (was automatically created
when the business entity was initially created).
Chapter 3. Security
39
Figure 3 shows how access permissions (R=Read, W=Write, D=Delete,
A=Associate) can be granted to specific objects in the hierarchy under the ‘United
States’ business entity security context point.
Figure 3. Business Entity Security Context Points
For details on assigning security management permissions to security domain
group administrators, see “Delegating Administrator Permissions” on page 12.
Extending security context points
To achieve a finer level of control, it is possible to extend the security context point
to other objects in the hierarchy (such as Business Entity-Process or Business
Entity-Risk Assessment).
To achieve more control, change the Model setting. For more information, see
“Setting the System Security Model” on page 346).
Note: The ‘Model’ setting is a system-wide setting. Switching the security model
after data is loaded (or migrated) into the system is not recommended and requires
assistance from IBM OpenPages Services.
To determine the optimal security context points for your organization, you need
to evaluate your requirements for securing resources at lower security context
points in your hierarchy. Extending the security context points to achieve a finer
level of control does not prevent you from defining security at higher security
context points.
40
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Example
Let’s say you extended the security context points to include Business
Entity-Process. In this scenario, administrators could assign, for example, a
"Process Role Template" to one or more users or groups on one or more Processes.
Permissions (Read, Write, Delete, Associate) in the "Process Role Template" could
then be assigned to that Process security context point. The permissions in that
template are applied to every object created beneath that point in the object
hierarchy and to any object that is created in the future below that point.
Although users and groups who are assigned the "Process Role Template" would
be able to navigate to and access Processes and child objects beneath a Process
hierarchy, the details of the parent Business Entity would be hidden from them.
Note: Users who have roles that are assigned to a context security point below the
Business Entity level, only have navigation access to the parent Business Entity. If
users require the ability to view or modify the details of a parent Business Entity,
then you must use an Entity-based Role Template to grant explicit Read and/or
Write permission to users at an Entity security point.
The IBM OpenPages application interface does not allow breaking folder ACL
inheritance on any folder on which role-based access control is assigned.
Administrators are strongly advised not to break folder inheritance using
ObjectManager or any other application interfaces on any object type folders as
this will cause role-based security to fail.
Figure 4 on page 42 shows how access permissions can be granted when the
security context points are extended to include Process objects as security points to
achieve a higher level of control.
Chapter 3. Security
41
Figure 4. Business Entity and Process Extended Context Points
Reporting framework and multiple security context points
In a security model that contains multiple security context points, objects that form
a "triangle" relationship have implications for the reporting framework.
Triangle relationships are formed among objects when an object type is configured
to have a parent of more than one type (typically, the second parent is a recursive
object type).
For example, if Risk object types are configured to be a child of Process and a child
of SubProcess object types, then a triangle relationship will exist among these
different object types. Figure 5 on page 43 shows an example of a triangle
relationship between a child Risk and parent Process and Sub-Process object types.
42
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Figure 5. Triangle Relationship Between Different Object Types
In the reporting framework, fields from parent objects within a triangle
relationship (for example, Process and Sub-Process) are stored in the same Query
Subject along with the ID of the shared child object (such as, Risk ID). When both
Process and Sub-Process fields are part of the same Query Subject, a user would
require Read permission on both Process and Sub-Process object types to view
these fields in a report.
When a triangle relationship exists among objects, we recommend as best practice
that you avoid the use of the Sub-Process (or similar) object type as a security
point in your system unless you are willing to always grant Read access to the
parent object type (such as Process).
Note: For information about configuring triangle object relationships in the
reporting framework, see “Configuring Triangle Object Relationships” on page 355.
Sample Scenario
Let’s say a user has Read access for Sub-Process object types, so they can view
details for Sub-Process objects in the application user interface.
If the same user does not have Read or Write access to the parent Process and
Business Entity, that user will still have an implicit Navigate permission to the
Process and Business Entity object types. The implicit Navigate permission allows
users to navigate through the object hierarchy from, for example, an Overview
page to object types that are lower in the hierarchy (such as Sub-Process) for which
they have explicit permission (in this case, Read access).
If a triangle relationship exists among these object types, the same user would not
have permission to view the Sub-Process detail in a report unless the user was also
granted explicit Read access on the Process object type (as SUBPROCESSES and
PROCESSES reside in the same Query Subject).
Security domains
In the IBM OpenPages security model, special user groups, called “security domain
groups”, are automatically created when a Business Entity or Sub-entity object is
created.
Security domain groups act as containers for users and organizational groups
associated with that business entity.
Chapter 3. Security
43
Each security domain group is identified by a people hierarchy icon
under a
top-level (root) Security Domains folder on the Users, Groups and Domains page,
and the name of the group corresponds to the name of the business entity to
which it belongs.
Users in a security domain group are generally assigned roles to work on the
objects under that entity. You can also delegate specific security management
activities to administrators in a security domain group for managing users and
groups within that business entity.
Note: When you expand a security domain group, only child security domains
are displayed. Any organizational groups and users associated with that security
domain can be viewed only from the detail page of that security domain group.
Example
Let’s say you want to delegate the security activity of resetting passwords to an
administrator for members of a particular Sales Office security domain group.
You would navigate to the detail page of the Sales Office security domain group
and assign the “Reset Password” permission to an administrator. That
administrator would then be able to only reset passwords for users in that Sales
Office security domain group. You could repeat this process of delegating “Reset
Password” permission to an administrator for each security domain group within
your organizational hierarchy.
Moving business entities
On occasion, you may need to reorganize your business entity structure by moving
a Business Entity with its corresponding object hierarchy from one location to
another.
When you move a business entity structure, all role assignments that were made
on that business entity remain intact.
This means that users and groups who were granted various roles at a specific
Business Entity security context point before the move operation, will continue to
have the same roles and access after the move operation.
Note: If you are planning on moving a large object hierarchy, consider using the
Entity Move/Rename utility. The IBM® OpenPages® Entity Move/Rename utility
allows batch processing of multiple Business Entities for overnight or weekend
execution without running the risk of operations timing out. You can run the
utility interactively or as a scheduled job. See the Entity Move/Rename Utility
ReadMe for details.
Copying business entities
If you use the copy operation to expedite the setup of child business entities by
duplicating an instance of an existing business entity, a security domain group for
that new child business entity is automatically created by the system and is
associated to the security domain group of the parent business entity.
Initially, the new security domain group that corresponds to the new child
business entity is empty (no users or groups). However, users and groups who
have assigned roles with access control defined for the parent business entity will
have the same access on the new child business entity.
44
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
An administrator of the security domain group for the parent business entity can
add and/or associate users and groups to the security domain group of the new
child business entity. An administrator of the parent business entity can delegate
administration activities by selecting an administrator. For details, see “Delegating
Administrator Permissions” on page 12.
To refine user access to the new child business entity, you can use the application
interface to define Role Templates and grant roles to users and groups. For details,
see “Role templates” on page 47.
Role-based access control permissions
When you create a Role Template, you can specify the type of security access
control that you want to have on an object type’s folder structure for groups and
users who are assigned to that role.
Note:
v The file (SOXDocument) and link (SOXExternalDocument) object types have the
same root storage folder path. As a result, you can configure only one set of
ACLs for both these object types in a role.
v Role-based security does not apply to Project Milestones and Project Action
Items. For details on setting security access for these object types, see “Custom
security for projects” on page 72.
v Any new object types that are added to the system are excluded from all
existing Role Templates.
Access control permissions for role-based security
For each object type that you want to include in a Role Template, you can set
access control (ACL) permissions on the object’s folder structure.
v Read - when you select an object type for inclusion in a role, the value of the
Read permission is automatically set to ‘Granted’ on the object’s folder structure.
This means that any groups or users assigned to this role can navigate to, and
view the details of objects (parent and child) contained in the folder and the
folder itself, but cannot modify any object data unless other permissions are
explicitly set.
v Write - the groups or users assigned to this role can modify the details of objects
within the selected folder, but cannot delete objects. Write access to a folder is
required for creating new objects within the folder.
v Delete - the group or user assigned to this role can delete objects within the
folder structure.
v Associate - the group or user assigned to this role can create associations
between objects.
For each ACL permission, you can set an explicit value. These values or settings
are propagated downward and inherited by any child object storage folders under
that parent object’s folder structure.
For each ACL permission, you can set one of the following values:
Note: For usage examples, see “Scenarios: Using access control settings” on page
46.
v Unspecified - by default, no access is explicitly granted to the user or group for
the corresponding object through this role. The ‘Unspecified’ setting does not
override any access that is granted on this object through other roles or access
Chapter 3. Security
45
inherited through a role on higher level security context points. This value
should be used instead of ‘Denied’ since it is less restrictive.
v Granted - this explicit setting gives a user or group full access to the specified
action (Write/Delete/Associate). The user can modify, or delete the file or folder,
depending on the permission.
v Denied - this explicit setting does not allow a user or group to perform the
specified action (Write/Delete/Associate). The ‘Denied’ setting overrides any
access that is granted on this object through other roles or access inherited
through a role on higher level security context points.
Scenarios: Using access control settings
The following use case scenarios provide examples of how the system may
respond with various settings.
Scenario 1: Using explicit settings
If a user or group is assigned multiple roles and the explicit ACL settings within
these roles conflict, the most restrictive explicit setting will be used.
For example, we create a ‘Test Performer’ and a ‘Test Reviewer’ role for the Test
object type. Each role has the Write ACL permission explicitly set to the following:
v ‘Test Performer’ has Write = Granted
v ‘Test Reviewer’ has Write = Denied
If we assign both roles (‘Test Performer’ and ‘Test Reviewer’) to a user called
‘Tester1’, ‘Tester1’ will not be able to create new Test objects even though the ‘Test
Performer’ role has Write = Granted. This is because the Write = Denied
permission of the ‘Test Reviewer’ role is more restrictive than the Write = Granted
permission, and the most restrictive setting is automatically applied.
Scenario 2: Using explicit and unspecified settings
If a user or group is assigned multiple roles and one role has an explicit ACL
settings but the other role has ‘Unspecified’ for the same permission, the explicit
setting will be used.
For example, we create an ‘Initial Test’ and a ‘Final Test’ role for the Test object
type. The roles have the Write ACL permission set to the following:
v ‘Initial Test’ has Write = Granted
v ‘Final Test’ has Write = Unspecified
If we assign both roles (‘Initial Test’ and ‘Final Test’) to a user called ‘Tester1’,
‘Tester1’ will be able to create new Test objects even though the ‘Final Test’ role has
Write = Unspecified. This is because the Write = Granted permission is explicit and
the explicit setting is automatically applied.
Scenario 3: Using unspecified settings
If a user or group is assigned a single role and the ACL settings within this role:
v Use the default value ‘Unspecified’, and
v No other access control has been explicitly set for the user or group
then access is DENIED.
46
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
For example, we create an ‘Initial Test’ role for the Test object type. The role has
the Write ACL permission set to the following:
‘Initial Test’ has Write = Unspecified
If we assign the role (‘Initial Test’) to a user called ‘Tester1’ and ‘Tester1’ has not
been granted access through any group-inheritance, ‘Tester1’ will not be able to
create new Test objects.
Role templates
Role Templates are global to the application and are available for role assignment
by any administrator of a security domain who has the Assign Roles administrator
permission.
Because the Assign Roles permission is a global permission, it is not constrained
by the hierarchy of the role. Users who are granted this permission can manage
any role in the system.
When you perform an action on a Role Template (such as creating, editing,
assigning, enabling or disabling), the Role Template is automatically locked by the
system to prevent other users from simultaneously accessing the template. Once
you save your changes (or cancel the operation), the Role Template becomes
unlocked.
Role Templates are the preferred method for granting users or groups application
permissions.
Note:
v Both application permissions and ACLs are included in the role definition
process. When a role is assigned to a user or a group on any business entity or
security context point, that user or group automatically acquires the application
permissions defined in that Role Template.
v When a user or group is assigned multiple roles, the user or group accumulates
the application permissions that are defined in the various roles. Application
permissions are granted by the role (not the security context point) and apply in
all situations where the user has the correct ACL access. For example, users with
Read permission to Business Entities and the Audit Trail application permission
will be able to view the Change History (audit trail) for those Business Entities.
Accessing the role templates page
You can define application permissions using role templates.
Only an IBM OpenPages Super Administrator or a delegated administrator with
the Role Templates permission can access the Role Templates menu item.
Procedure
1. Log on to the IBM OpenPages application user interface as a user with the
Role Templates application permission set.
2. From the menu bar, click Administration > Role Templates.
Chapter 3. Security
47
Results
From the Role Templates page, you can add, view, and modify role templates.
Related concepts:
“Delegating Administrator Permissions” on page 12
As an administrator, you can delegate various security management activities, such
as only managing users or only resetting passwords, to other administrators for
organizational and business entity security domain groups.
Adding a role template
You can add a role template to define application permissions.
The Role Template wizard will guide you thorough creating a new role, selecting
object types for inclusion or exclusion, and setting security on the selected object
types.
Role Template names are not localizable.
Note: Users who have roles that are assigned to a context security point below the
Business Entity level, only have navigation access to the parent Business Entity. If
users require the ability to view or modify the details of a parent Business Entity,
then you must use an Entity-based Role Template to grant explicit Read and/or
Write permission to users at an Entity security point.
Procedure
1. Ensure that System Administration Mode is disabled.
2. Click Administration > Role Templates.
3. On the Role Templates tab, click Add to open the Add Role Template wizard.
4. On the Specify Role Details page:
a. In the Name box, type a name for the role. For example, Tester01.
b. In the Description box, optionally type a brief description of this role.
c. Click the Role Type arrow, and select the type of security context point you
want from the list.
Note: If only one security context point type (such as Business Entity) is
defined for your system, this will be the only value in the list. Security
context point types are derived from the security model in effect for your
installation.
d. Click Next.
5. On the Specify Access Controls page:
a. Select the check box next to each object type for which you want to
configure folder permissions. For example, if you wanted to configure
permissions for Risk and Test objects, you would select SOXRisk and
SOXTest.
Note: To select all object types, select the check box in the Name column.
b. In the row for each selected object type, select a setting value for each
permission (Write, Delete, and Associate). By default, Read is always set to
‘Granted’, and all other permissions are set to ‘Unspecified’.
For setting details, see “Role-based access control permissions” on page 45.
c. When finished, click Next.
48
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
6. On the Specify Permissions page:
a. Select the application permissions you want to assign to this Role Template.
For a description of the various application permissions, see “Configuring
Application Permissions” on page 21.
b. When finished, click Finish. The new role is listed on the Role Templates
page.
7. To assign the role to a user or group, see “Assigning a role to a user or group”
on page 51.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
Modifying a role template
When you modify a Role Template after assigning it to users and/or groups, any
changes you make to access control (ACLs) and application permissions are
automatically propagated to those users and groups.
You can use this propagation feature to grant additional access control or revoke
access control on certain object types to existing users and/or groups, by
modifying the role template.
Typically, a Super Administrator or a top-level security domain administrator (with
Assign Roles administration permission and Role Templates application
permission) are able to modify, disable or delete a Role Template. This is because a
lower-level security domain administrator, though having Role Templates
application permission, will not have Assign Roles administration permission on
higher-level entities and hence will not be able to successfully edit, disable, or
delete a template.
Note: If you become distracted while editing a Role Template and the session
times out before you are able to complete the task, an Unlock button is displayed
on the detail page of the Role Template. To unlock the Role Template and resume
your editing activity, click the Unlock button.
Procedure
1. Click Administration > Role Templates.
2. From the list on the Role Templates tab, click the name of the role you want to
modify.
3. On the detail page of the selected role, click Edit.
4. Make the required changes.
5. When finished, click Save.
Enabling and disabling a role template
You can make a role inactive and keep it for future use by disabling the role. You
can also enable a role that was previously disabled.
Procedure
1. Click Administration > Role Templates.
2. From the list on the Role Templates tab, click the name of the role you want to
enable or disable. The detail page of the selected role is displayed.
3. On the Role Information tab, click Disable or Enable.
Chapter 3. Security
49
Results
When you disable a role, the following occurs:
v Depending on the Disable Role Group application setting, any users and
groups, who were previously assigned that role, will either retain or lose their
access control and application permissions. By default, the setting allows users
and groups to retain access after a role is disabled.
v The disabled role template is removed from the role assignment selection list
and cannot be used for further role assignments.
v The status of the role on the Role Templates list page changes from ‘Active’ to
‘Inactive’.
When you enable a role, the following occurs:
v Any users or groups who are assigned that role will be able to perform activities
on objects associated with that role.
v The enabled role template is included in the role assignment selection list and
can be used for further role assignments.
v The status of the role on the Role Templates list page changes from ‘Inactive’ to
‘Active’.
Related tasks:
“Disabling Access Control on Role Groups” on page 347
When a Role Template is disabled, you can use the Disable Role Group setting to
globally control the security access of users and groups who were previously
assigned that role.
Deleting a role template
To automatically revoke all role assignments, you can delete a role template.
An administrator (or Super Administrator) with Role Templates application
permission and the Assign Roles administrator permission has the ability to assign
and/or revoke roles on any entity in the system. In effect, only a Super
Administrator or a top-level entity administrator will be able to delete role
templates, since this action automatically revokes all role assignments made using
the selected Role Template on any business unit in the application.
When you delete a role, the following occurs:
v Any users or groups who were assigned that role will no longer be able to
perform the activities on objects associated with that role.
v The role is permanently removed from the list of roles on the Role Templates
tab and cannot be restored.
If you want to remove a role without deleting it, you can disassociate the role
instead by revoking the role from the user or group.
Procedure
1. Click Administration > Role Templates.
2. You can delete a role from either the Role Templates list page or from the
detail page of the role.
v From the Role Templates page:
a. From the list on the Role Templates tab, select the check box next to each
role you want to delete.
50
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
b. Click Delete.
v From the detail page of the selected role:
a. Click the name of the role you want to delete from the list on the Role
Templates tab to open its detail page.
b. On the Role Information tab, click Delete.
3. At the confirmation prompt, click OK.
Assigning and revoking roles
An administrator of a parent domain group can assign or revoke roles only from
its child groups and users.
For example, an administrator who has the Assign Roles administrator permission
on a top-level a domain group could assign any Role Template to users and groups
on that business entity or its child sub-entities.
If an administrator assigns a Role Template to a user or group on a security
domain, the same access control that is granted on the corresponding business
entity will be propagated to its child entities.
When an administrator assigns a role to a user or group on a lower-level domain
that gives the user Read access to a lower-level business entity, the application
provides the necessary access to navigate to that lower-level entity even though the
user may not have Read access to all of its parent entities.
Example:
Let’s say we have a business entity with the following hierarchical structure.
The business entity has the following entities:
Company ABC > North America > Boston
The business entity has the following processes:
Company ABC > North America > Boston > P1
Company ABC > North America > Boston > P2
If the administrator of the Boston office assigns a "Process Owner" role to user
"Mary" granting Read access only to Processes associated with the Boston entity,
then user "Mary" can navigate to processes associated with the Boston entity only,
even though "Mary" cannot view the details of the entities Company ABC, North
America and Boston.
Assigning a role to a user or group:
After Role Templates are created, you can assign one or more roles to groups and
users on a security context point within a business entity security domain.
If your organization has many security context points, you can filter on the name
of a security context point to reduce the scope of the items listed.
Procedure
1. Click Administration > Users, Groups and Domains.
Chapter 3. Security
51
2. Under the Security Domains group, click the name of the security domain
group to which you want to add a role assignment for a user.
3. On the detail page of the selected security domain group:
a. Navigate to the Role Assignments tab.
b. Click Assign to display the Assign Roles wizard.
4. On the Select Users/Groups page:
a. Click Add.
b. In the selection box, select the check box next to each group or user you
want.
Tip: To expand the group/user hierarchy, click the plus (+) sign.
c. When finished, click Next.
5. On the Select Role Type and Roles page:
a. Click the Role Type arrow and select a security point from the list, and then
click Go. If only one security point (such as Business Entity) is defined for
your system, this will be the only value in the list.
b. In the Roles box, select one or more roles from the list.
c. When finished, click Next.
6. On the Select Business Units page:
a. In the Name box, optionally type a security context point name or portion
of a name and then click Filter. If the list of security context points is large,
the filter will reduce the scope of the list by returning only those items that
match the text you typed.
b. In the Business Units box, select one or more security context points from
the list.
c. When finished, click Finish.
Revoking a role from a user or group:
When you revoke a role from a user or group, the role assignment is explicitly
removed from the user or group on a given entity.
Disassociating users from a security domain group does not result in removal of
their role assignments on that entity.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Under the Security Domain root group, click the name of the business entity
security domain group from which you want to revoke a role.
3. On the detail page of the selected security domain group:
a. Navigate to the Role Assignments tab.
b. Select the check box next to the name of each group or user you want to
revoke.
c. When finished, click Revoke. The name of the selected group or user is
removed from the list.
Viewing roles assigned to users or groups
You can use several methods to view which roles are assigned to users and groups.
v Running reports
52
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Navigating to a user or group detail page and see the list of all roles granted to
that user or group.
v Navigating to the detail page of a business entity security domain group as
described in the following steps.
Note: Role Templates that were assigned directly to a parent or child business
entity security domain group can only be viewed from the detail page of that
parent or child. Role assignments made on a security domain are only displayed
for that domain.
In the case of an extended security context model, for example,
SOXBusEntity/SOXProcess or SOXBusEntity/SOXProcess/SOXSubprocess
security models, role assignments on processes and sub-processes associated
with the current security domain are also displayed.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Under the Security Domain root group, click the name of the business entity
security domain group whose role assignments you want to view.
3. On the detail page of the selected security domain group, navigate to the Role
Assignments tab.
4. To view role assignments made directly to another business entity security
domain group, repeat Steps 2 and 3.
Security rules
With security rules, administrators can define a more granular control over the
access to individual objects in a folder.
Security rules do not replace folder-based security. Security rules can work with
folder-based security. Additionally, security rules are honored by all system
components, including Reporting, Workflow, FastMap, Triggers, Reporting Periods,
and all available views.
For example, a folder contains 10 tasks. The folder-based security grants the Read
and Write access controls on all users who are in a certain role. You define a
security rule to limit the access for one user who is in that role so that this one
user has Read access for Task 1 and Task 8 only.
Security rules include the following features:
v Criteria for the rule can be based on field values, including actor fields,
enumerated fields, text fields, date fields, numeric fields, and currency fields.
v Criteria for the rule can be based on a user being a member of particular user
group or profile.
v Complex security rules can be based on associations between objects.
For example, a loss event is owned by the business unit where it occurred and is
also shared with other business units that are impacted by the loss event.
Selected users of the other business units should see its details.
v Complex expressions that use AND, OR, NOT, a nested parenthetical, and so on
are supported.
v Security rules specify Read, Update, Associate, and Delete access to object
instances.
v Security rules do not support field criteria on computed text fields or large text
fields.
Chapter 3. Security
53
Scenarios for security rules
This section includes several examples of scenarios that can help you understand
security rules.
Scenario: Objects that are shared across GRC domains
Your company implemented the financial management and operational risk
modules. Because the teams that use these modules share a common organizational
hierarchy, they share some common object instances, such as processes. But they
do not want to share other object instances, such as risks and controls.
Folder-based security means that all users in the financial management and
operational risk teams have access to all objects and object instances in the folder.
Access controls need to be set for each domain so that users work with only the
objects that they are responsible for. As well securing objects, you are improving
usability for your users.
For example, both of the financial management and operational risk teams use the
Control object type but they use different instances of the Control object type. You
want to enable users in the operational risk team to be able to update their
instances of the Control object type. You also want to prevent users in the financial
management team from viewing the instances that belong to the operational risk
team.
You have two user groups for financial management and operational risk.
Folder-based security is already defined to grant Read and Write access controls to
all users in the two teams. For example, a user in the SOXUsers group can update
the controls that belong to the operational risk team.
Table 8. Permissions for each user group in the scenario
Domain
User Group
Permitted to work with
Not allowed to work with
Financial
Management
SOXUsers
Compliance Controls
Operational Controls
Operational Controls
Compliance Controls
Operational Risk ORMUsers
To satisfy the security requirements for these two user groups, folder-based
security is not changed. You add a security rule that further restricts the security
that you already defined for the folder.
You define a security rule on the Control object type with the following
information:
The formula is:
[SOXControl].[OPSS-Ctl].[Domain] IN (’Financial Management’) AND
END_USER IN GROUP(’SOXUsers’))
OR
[SOXControl].[OPSS-Ctl].[Domain] IN (’Operational Risk’) AND
END_USER IN GROUP(’ORMUsers’))
The Security property is set to:
Restrict
This means that both folder-based security and the security rule are
applied.
54
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The Access controls are set to:
Read
Update
Procedure
1.
2.
3.
4.
Click Administration > Security Rules.
Click the name of the Control object type.
Click Add.
Add a name and description for the security rule.
5. Add the formula:
v Click Field and select the SOXControl object in the Object Type field.
v In the Field box, select Domain and select the Financial Management domain
for the compliance team.
v Click Insert.
v Click Field and select AND, then END_USER, and IN GROUP.
v Type (’SOXUsers’).
v Repeat for the Operational Risk domain.
6. In the Security property, select Restrict to have folder-based security and the
security rule both apply. Restrict prevents Compliance users from being able to
view or work with the Operational Control.
7. Select the Read and Update check boxes.
8. Click Save.
Related tasks:
“Defining security rules” on page 60
Use security rules to define a more granular control over the access to individual
objects in a folder.
Scenario: Lifecycle security
Security on an object can change during the lifecycle of that object. As an object
moves through the lifecycle, its status changes and different users are allowed to
change it. For example, users in different job functions, such as reviewers and
approvers, work with the object at different times in the lifecycle. The same user
can be an owner of one object and a reviewer of another object.
In this scenario, the Process object is the primary parent. The Risk object is a child
of the Process object because part of the process is to assess risk. As the Process
object moves through the lifecycle, the status of the Process object affects the Risk
object.
The following table shows who can update the object when the status changes for
the object instance and its descendants.
Table 9. Lifecycle security based on the status of an object
Status of the object
The role of the user who can update the object
New
Only a level of administrative user, such as a business
administrator, can change the object. The administrator
assigns the object to an owner.
Under Development
Owner
Ready for Review
Reviewer
Ready for Approval
Approver
Chapter 3. Security
55
Folder-based security is already defined to grant Read and Write access controls to
all users in these roles. All users in these profiles have access to all objects in the
folder. Access controls must be set on the status of the Process object so that users
work with only the object when they are responsible for it.
You define the following security rule for the Process object type that restricts
when users can update the Process object. When users who belong to a role login,
they can update the Process object at the correct point in the lifecycle of the
Process object.
The formula is:
[SOXProcess].[OPSS-Process].[Status] IN (’Under Development’) AND
END_USER IN([SOXProcess].[OPSS-Process].[Owner])
OR
[SOXProcess].[OPSS-Process].[Status] IN (’Ready for Review’) AND
END_USER IN([SOXProcess].[OPSS-Process].[Reviewer])
OR
[SOXProcess].[OPSS-Process].[Status] IN (’Ready for Approval’) AND
END_USER IN([SOXProcess].[OPSS-Process].[Approver])
The Security property is set to:
Restrict
Both folder-based security and the security rule are applied. For example,
when the status of the object is set to New, only a user in the
Administrator profile can work with the object.
The Access control is set to:
Update
Folder-based security grants the Read access control.
Procedure
1. Click Administration > Security Rules.
2. Click the Process object type.
3. Complete the following actions to define the security rule that grants the
Update access control:
v Click Add.
v Add a name and description for the security rule.
v Use Path, Field, and Terms to define the formula.
v Select the Update check box.
v In the Security property, select Restrict to have folder-based security and the
security rule both apply.
4. Click Save.
Related tasks:
“Defining security rules” on page 60
Use security rules to define a more granular control over the access to individual
objects in a folder.
Scenario: Access to Issue Action Items
Issues that are created under one business unit can cause action items to be
assigned to other lines of business. You need to ensure that all action item owners,
regardless of business unit, can view the related issue.
56
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
An issue can have multiple action items that resolve the issue. The action items can
be assigned to different business units and each business unit needs access to the
issue object.
In this example, the compliance team has an Issue object that has two action items.
One action item is for the compliance team. The other action item is for another
business unit to complete some systems work.
Folder-based security is set for the compliance team. They have access to all the
objects in the folder, including the Issue object. A security rule is not required for
the compliance team.
The other business unit needs access to the Issue object that is associated to the
action item that they are responsible for. If you add the other business unit to
folder-based security, the other business unit has access to all objects in the folder.
A security rule extends access to the other business unit for their action item and
prevents them from working with other objects in the folder.
You define a security rule for the Issue object type with the following information:
The formula is:
FOR (Any Child [SOXIssue]/[SOXTask] : [SOXTask].[OPSS-AI].[Assignee]
= END_USER)
The Security property is set to:
Extend
This means that security is extended beyond folder-based security. Users in
the other business unit who are the owner of an action item that is
associated to this issue can view the issue. However, they cannot view
other issues that do not meet the criteria in the formula.
The Access controls are set to:
Read
Procedure
1. Click Administration > Security Rules.
2. Click the name of the SOX Issue object type.
Click Add.
Add a name and description for the security rule.
Use Path, Field, and Terms to define the formula.
Select the Read check box.
In the Security property, select Extend to have the security rule extend the
security that is set on the folder.
8. Click Save.
Related tasks:
“Defining security rules” on page 60
Use security rules to define a more granular control over the access to individual
objects in a folder.
3.
4.
5.
6.
7.
Other scenarios
There are other scenarios for security rules that you can consider that are variants
of the scenarios that are covered already.
Chapter 3. Security
57
Scenario: Security by job function:
All auditors on the same team have the same profile, role template, and security
context points. However, each auditor can have a different function for each audit.
As an administrator, you want more flexibility in the way you apply security at the
field level for each auditor.
This scenario is a variant of the scenario called Lifecycle security.
An auditor can have a different job function on different audits. For example, in
Audit A, Jim is the lead auditor and can edit more fields than the other auditors.
Table 10. Audit A scenario
Auditors
Job function
Permissions
Jim
Lead (In-charge)
Jim can edit the Audit A instance of the
Audit object and its descendants, Audit
Sections, and Audit Workpapers.
Jim's access controls are Create, Read,
Update, and Associate.
Susan
Field
Susan can read and update specific
areas of the Audit Sections and Audit
Workpapers in the Audit A instance.
Susan's access controls are Read and
Update for these areas.
Ellen
Field
Ellen can read and update specific areas
of the Audit Sections and Audit
Workpapers in the Audit A instance.
Ellen's access controls are Read and
Update for these areas.
However, in Audit B, Susan is the lead auditor while Jim is a field auditor.
Table 11. Audit B scenario
Auditors
Job function
Permissions
Susan
Lead (In-charge)
Susan can edit the Audit B instance of
the Audit object and its descendants,
Audit Sections, and Audit Workpapers.
Jim's access controls are Create, Read,
Update, and Associate.
Jim
Field
Jim can read and update specific areas of
the Audit Sections and Audit
Workpapers in the Audit B instance.
Jim's access controls are Read and
Update for these areas.
Ellen
58
Not involved in this audit
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Ellen has no access controls set for her.
Scenario: Access for business administrators:
Some users or groups need access to objects in a different way than most other
users and groups in your organization. For example, business administrators need
more access controls compared to other users, such as being able to update or
delete an object.
This scenario is a variant of the scenario that is called Objects that are shared across
GRC domains.
Exception management
One example is exception or waiver management.
In general, exceptions from a requirement, control, or process are granted on a
project basis. The project is a child of a business entity and is implemented as a
risk entity. The project can have secondary associations to a process, a subprocess,
or a requirement. Exceptions are child objects of the project and define the
requirement, control, or process from which the exception is seeking relief. The
project is granted the exception. If no specific project is involved in the exception,
the business entity is granted the exception
All users can create exceptions but they can view only the exceptions that they
created. The exception process custodians in IT have the job of reviewing and
approving exceptions. You must extend folder-based security to grant the exception
process custodians in IT the ability to read and update all exceptions.
Privacy incidents
Another example involves the employees who are responsible for privacy
incidents.
Specific individuals across the enterprise have responsibility for entering and
maintaining information about Privacy incidents. In addition to other access that
they have, they are designated as Privacy users and they might be in a Privacy
Group or a Privacy Profile. The Privacy users can see all privacy incidents
regardless of where the Privacy users are in the business hierarchy. They have
access to additional fields on privacy incidents.
Similar functionality can be provided on other object types, such as audit findings,
incidents, and waivers.
Scenario: All users can view objects and some users can update objects:
Objects can be stored in a common area and shared across GRC domains. In this
scenario, only a few users are allowed to update the objects. All other users have
read access only.
This scenario is a variant of the scenario that is called Objects that are shared across
GRC domains.
Folder-based security is defined for all users to be able to read the objects in the
folder. You want a small group to be able to create and another group to be able to
update and associate.
Chapter 3. Security
59
Defining security rules
Use security rules to define a more granular control over the access to individual
objects in a folder.
Before you begin
You must enable System Administration Mode before you can administer security
rules.
Procedure
1.
2.
3.
4.
Click Administration > Security Rules.
Click the name of the object type for which you want to define a security rule.
Click Add.
Add a name and description for the security rule.
5. Add the formula for the security rule. You can type the formula or use the
Path, Field, and Terms to define parts of the formula, or both.
6. To reference another object, either a parent or child, in the rule criteria,
complete the following actions:
a. Click Path.
b. In the Parent or Child field, specify whether the path follows parent
objects or child objects.
c. Select the object type that is the starting point for the path.
d. Select the object type that is the ending point for the path.
e. Click Search to view the possible paths.
f. Select one or more paths. If you select more than one path, use the
Combine Paths field to specify how to use the multiple paths. Select Any
Path if you want to use any of the paths or select All Paths if you want all
paths to be used for the rule to be applied.
g. Click Insert.
7. To define a field condition, complete the following actions:
a. Click Field.
b. Select an object type.
c. Select the field that you want to use.
d. Select an operator. The list of operators changes depending on the field
data type.
e. Enter the value of the field condition.
f. Click Insert to add the field condition into the rule formula.
If you type the field condition, ensure that you use system names. If you do
not specify an object type, the rule uses the object type for the object to which
the rule applies. If you specify an object type, the object type must be either
the subject of the rule or be specified in a path expression that contains the
field reference.
Optionally, you can use square brackets to ensure that when elements of field
references contain spaces or other special characters, these field references are
parsed.
8. To add operators or keywords, use the Terms menu.
9. Specify the access controls. Security rules for Create access are defined
separately from rules for Read, Update, Delete, and Associate access.
Create Users can create objects. When a rule enables users to create objects,
60
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
the rule cannot depend on the content of an object that is being
created. It can depend on the content of a parent. If you select Create,
you cannot select any other access control for the rule.
You must use Intended Parent in the Terms field when you use
Create.
You must also select the Associate access control for this object and
for the parent under which the object is created.
If you want to create a rule on a business entity, ensure that the
business entity is granted the Associate access control in its Role
Template.
Read
Users can view the object.
Update
Users can modify the object.
Delete Users can delete the object.
You must also select the Associate access control for the object and for
all currently associated parents.
Associate
Users can create associations between objects.
10. In the Security property, specify how the security rule is combined with
folder-based security:
v Select Restrict to have folder-based security and the security rule both
apply. This limits the user's access to the more restricted security. For
example, if the folder-based security is set to Read and the security rule is
set to Update, the Restrict setting results in users being able to read only.
v Select Extend to bypass folder-based security. For example, if the
folder-based security is set to Read and the security rule is set to Update,
the Extend setting results in users being able to update.
11. Click Save.
Related concepts:
“Paths for parent and child objects” on page 62
There can be several paths between objects. For example, there might be two paths
between Object A and Object D: A-B-D and A-C-D. In the Path picker, you specify
the starting point (Object A) and the end point (Object B). You are given a given a
list of paths from which to pick.
“Terms for data types” on page 65
This list contains the operators, keywords, and other terms that are supported in
security rules.
“Scenario: Objects that are shared across GRC domains” on page 54
Your company implemented the financial management and operational risk
modules. Because the teams that use these modules share a common organizational
hierarchy, they share some common object instances, such as processes. But they
do not want to share other object instances, such as risks and controls.
“Scenario: Lifecycle security” on page 55
Security on an object can change during the lifecycle of that object. As an object
moves through the lifecycle, its status changes and different users are allowed to
change it. For example, users in different job functions, such as reviewers and
approvers, work with the object at different times in the lifecycle. The same user
can be an owner of one object and a reviewer of another object.
Chapter 3. Security
61
“Scenario: Access to Issue Action Items” on page 56
Issues that are created under one business unit can cause action items to be
assigned to other lines of business. You need to ensure that all action item owners,
regardless of business unit, can view the related issue.
“Data Types” on page 150
The IBM OpenPages GRC Platform application provides a variety of data types
from which you can choose.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
Related reference:
“Grammar for security rules” on page 68
As an administrator, you need to understand the grammar for security rules so
that you understand the potential impact of adding a rule.
“Minimum requirements for access controls” on page 63
You must select a minimum set of access controls for parent objects and child
objects under folder-based security and security rules in IBM OpenPages.
Paths for parent and child objects
There can be several paths between objects. For example, there might be two paths
between Object A and Object D: A-B-D and A-C-D. In the Path picker, you specify
the starting point (Object A) and the end point (Object B). You are given a given a
list of paths from which to pick.
To help you understand parent objects and child objects, consider the metaphor of
a school. The students in the entire school can be thought of as having the role of
any child. A classroom has a teacher, who can be thought of as the primary parent.
The students in this classroom are the primary children of the teacher. Other
teachers have the role of any parent. If you want to use the path from a teacher to
the students in the teacher's classroom, you use Primary Parent or Primary Child
as the path qualifier.
Parent objects
You can use the following parent objects in the path.
Primary Immediate Parent
Paths follow only to the lowest level primary parent. Use Primary
Immediate Parent for recursive object types only.
Primary Parent
Paths follow only to the primary parent. There can be only one primary
parent.
If a primary parent is specified, the path follows only primary parent
relationships.
Any Immediate Parent
Paths follow only to the lowest level parent. Use Any Immediate Parent
for recursive object types only.
Any Parent
Paths follow to any level of parent, such as grandparent or parent, within
recursive object types. For example, a control has a parent that is a
subprocess and the subprocess has a parent. When you use Any Parent in
the path for the control, the parent can be the subprocess or the
subprocess's parent.
62
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Child objects
You can use the following child objects in the path.
Primary Immediate Child
Paths follow only to the immediate, highest level child or to the immediate
primary child. Use Primary Immediate Child for recursive object types
only.
Primary Child
Paths follow only to the primary child, which is a child of a primary
parent. A primary parent can have several primary children. A child can
have one primary parent.
If a primary child is specified, the path follows only primary child
relationships.
Any Immediate Child
Paths follow only to the immediate, highest level children, if the child is a
recursive object type. Grandchildren are excluded.
Any Child
Paths follow to any level of child, grandchildren or children, within
recursive object types.
Related tasks:
“Defining security rules” on page 60
Use security rules to define a more granular control over the access to individual
objects in a folder.
Minimum requirements for access controls
You must select a minimum set of access controls for parent objects and child
objects under folder-based security and security rules in IBM OpenPages.
Create access control
When you define a Create rule, you must set the following access controls for
folder-based security:
v Parent object: Read, Associate
v Child object: Read, Write, Associate
When the security rule restricts folder-based security, you must set the following
access controls:
Folder-based security
Parent object: Read, Associate
Child object: Read, Write, Associate
Security rule
Parent object: Read, Associate
Child object: Read, Associate
When the security rule extends folder-based security, you must set the following
access controls:
Folder-based security
Parent object: no access controls
Child object: Read, Write
Chapter 3. Security
63
Security rule
Parent object: Read, Associate
Child object: Read, Associate
You can define a security rule that controls when a child object of a particular type
can be created based on the condition of its parent. You can also define a create
rule that is applicable to any parent, but this rule cannot involve any object type or
its properties.
Update access control
When you define an Update rule, you must set the following access controls for
folder-based security:
v Read
v Write
When the security rule restricts folder-based security, you must set the following
access controls:
Folder-based security
Read
Write
Security rule
Read
Update
When the security rule extends folder-based security, you must set the following
access controls:
Folder-based security
Parent object: Read, Write
Child object: no access controls
Security rule
Parent object: Read, Update
Child object: Read, Update
Delete access control
For regular object types, you must set the following access controls for folder-based
security:
v All parent objects for the child object: Read, Associate
v Child object: Read, Delete, Associate
If the object type is self-contained, such as a Business Entity, and the security rule
will restrict folder-based security, you must set the following access controls:
Folder-based security
All parent objects for the child object: Read, Associate
Child object: Read, Delete, Associate
Security rule
All parent objects for the child object: Read, Associate
64
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Child object: Read, Delete, Associate
If the object type is self-contained, such as a Business Entity, and the security rule
will extend folder-based security, you must set the following access controls:
Folder-based security
All parent objects for the child object: no access controls
Child object: Read, Delete
Security rule
All parent objects for the child object: Read, Associate
Child object: Read, Delete, Associate
If the object type is not self-contained, such as a Risk or Loss Event, and the
security rule will restrict folder-based security, you must set the following access
controls:
Folder-based security
All parent objects for the child object: Read, Associate
Child object: Read, Delete, Associate
Security rule
All parent objects for the child object: Read, Associate
Child object: Read, Delete, Associate
If the object type is not self-contained, such as a Risk or Loss Event, and the
security rule will extend folder-based security, you must set the following access
controls:
Folder-based security
All parent objects for the child object: no access controls
Child object: Read, Delete
Security rule
All parent objects for the child object: Read, Associate
Child object: Read, Delete, Associate
Restrictions
When the Associate access control is used for parent objects in security rules, the
rule cannot involve any object type or its properties. For example,
[SOXBusEntity].[OPBE].[Executive Owner] = END_USER is not allowed but
END_USER IN GROUP(’ABC’) is allowed.
When the Associate access control is used for child objects in security rules and
the rule involves an object type, you must use the FOR INTENDED PARENT clause. For
example, FOR (INTENDED PARENT OF TYPE [SOXBusEntity] : [SOXBusEntity].[OPBE].[Executive Owner] = END_USER)
Related tasks:
“Defining security rules” on page 60
Use security rules to define a more granular control over the access to individual
objects in a folder.
Terms for data types
This list contains the operators, keywords, and other terms that are supported in
security rules.
Chapter 3. Security
65
The following data types are supported:
v Boolean
v Integer
v Decimal
v Date
v Currency
v Simple string including all display types
v Enumerated (single-valued and multivalued)
Terms that can be used with all data types
The following terms are used with all data types.
AND
Narrows the search for objects. The objects must meet all of the criteria.
OR
Broadens the search for objects. The objects must meet one of the criteria,
not all of them.
NOT
Narrows the search by excluding all objects that match the specified
criteria.
( ) (parentheses)
Groups criteria together to show the order in which the rule is applied.
If parentheses are not used, the precedence rules are:
1. NOT
2. AND
3. OR
Terms that are used with numeric data types
The following operators are used with numeric data types, such as decimal,
integer, and currency data types. Security rules do not support field criteria on
computed text fields or large text fields.
= (equal)
Compares the values in two fields and returns "true" if both contain the
same value.
< (less than)
Compares the values in two fields and returns "true" if the second field is
less than the first field. The two fields must be of the same data type. For
example, both are decimal data types.
> (greater than)
Compares the values in two fields and returns "true" if the second field is
greater than the first field. The two fields must be of the same data type.
For example, both are decimal data types.
<= (less than or equal)
Compares the values in two fields and returns "true" if the second field is
less than or equal to the first field. The two fields must be of the same data
type.
>= (greater than or equal)
Compares the values in two fields and returns "true" if the second field is
greater than or equal to the first field. The two fields must be of the same
data type.
66
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
< > (not equal)
Compares the values in two fields and returns "true" if both contain
different values.
Uses string variables.
Terms that are used with string data types
The following operators are used with data types that require strings, such as
enumerated strings and simple strings. Security rules do not support long strings.
CONTAINS
Determines whether a multiple-select field contains a specific value or set
of values.
ENDS WITH
Determines if the field value ends with the specified text.
LIKE
Determines if a field value matches the specified pattern string.
STARTS WITH
Determines if the field value starts with the specified text.
IN
Determines if the field value is in the specified field.
Terms that are used with date data types
TODAY
Returns today's date.
TOMORROW
Returns tomorrow's date.
NOW Returns the current date and time.
You can specify a date in the future or in the past. For example:
v
v
v
v
NOW(5) specifies a date five days from now.
NOW(2,’m’) specifies a date two months from now.
NOW(-5) specifies a date five days ago.
NOW(-2,’y’) specifies a date two years ago.
You can use year, month, week, day, hour, minute, or second.
YESTERDAY
Returns yesterday's date.
DATE Specifies the date and time as a string in the ISO format: YYYY-MM-DD and
hh:mm:ss.sTZD.
You can also specify the date and its format as a string:
DATE(’09/05/2013’,’MM/dd/yyyy’)
Terms that are used with other data types
END_USER
Returns the logged-in user.
END_USER_PROFILE
Returns the profile for the logged-in user.
IN GROUP
Returns the user group for the logged-in user.
Chapter 3. Security
67
IN PROFILE
Returns the specified field value that is in the specified profile.
INTENDED PARENT
Tests the parent under which a new object is to be created. It can be used
only when you define a Create rule.
Use INTENDED PARENT when you want to control what a user or group
can create. For example, you can allow specific users to create risks for
subprocesses but not for issues.
When you use INTENDED PARENT, the condition can depend on the
object type that is referenced as intended parent. The condition can also
depend on the object type of the security rule's subject. A path expression
that uses intended parent is considered false if the intended parent is not
of the specified object type.
Related tasks:
“Defining security rules” on page 60
Use security rules to define a more granular control over the access to individual
objects in a folder.
Grammar for security rules
As an administrator, you need to understand the grammar for security rules so
that you understand the potential impact of adding a rule.
field-reference
>>--+-----------------+-- . -- field-group -- . -- field-name --<<
’-- object-type --’
The following rules apply to the field-reference:
v If no object-type is given, the object type is that of the object to which the rule
applies.
v If an object-type is given, it must either be the subject of the rule or been
specified in a path expression that contains the field-reference.
v All elements of the field reference must be system names.
v Optional square brackets can be used to assure parsing in case elements of field
references contain spaces or other special characters.
like-predicate
|-- field-reference -- LIKE -- pattern-string --|
The following rule applies to the like-predicate:
v The pattern string must be a string constant.
v For information on what is supported for the like-predicate, see “Limitations
on Using Special Characters in Filters for Long String Fields” on page 201 and
“Using Complex Logic in a Search Filter” on page 203.
starts-with-predicate
|-- field-reference -- STARTS WITH -- string --|
contains-predicate
|-- field-reference -- ENDS WITH -- string --|
ends-with-predicate
|-- field-reference -- ENDS WITH -- string --|
68
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
end-user-profile
|-- END_USER_PROFILE ( --+-- field-reference --+-- ) --|
’-- string -----------’
function
|--+-- TODAY ----------------------------------------------+--|
+-- TOMORROW -------------------------------------------+
+-- NOW ------------------------------------------------+
|
.-- ( 0, ’d’ ) ----------------------------. |
|
|
.-- , ----- ’d’ ---.
| |
’-- NOW --+-- ( -- offset +------------------+-- ) --+--’
’-- , --+-- ’y’ ---+
+-- ’m’ ---+
+-- ’d’ ---+
+-- ’h’ ---+
+-- ’mi’ --+
’-- ’s’ ---’
scalar-value
|--+-- field-reference -- +--|
+-- end-user-profile --+
+-- boolean -----------+
+-- integer -----------+
+-- decimal -----------+
+-- date --------------+
+-- currency ----------+
+-- simple string -----+
+-- enum-value --------+
’-- function ----------’
in-predicate
|-- scalar-value -- IN --+-- scalar-value ----------------+--|
|
v--- , -----------.
|
’-- ( --- scalar-value --+-- ) --’
The following rules apply to in-predicate:
v If a single field reference is given, it must be a multivalued field.
v If multivalued fields are used in the list, they are unnested.
in-group-predicate
|-- scalar-value -- IN GROUP --+-- scalar-value ----------------+--|
|
v--- , -----------.
|
’-- ( --- scalar-value --+-- ) --’
The following rules apply to in-group-predicate:
v If a single field reference is given, it must be a multivalued field.
v If multivalued fields are used in the list, they are unnested.
in-profile-predicate
|-- scalar-value -- IN PROFILE --+-- string ----------------+--|
|
v--- , -----.
|
’-- ( --- string --+-- ) --+
The following rules apply to in-profile-predicate:
v If a single field reference is given, it must be a multivalued field.
v If multivalued fields are used in the list, they are unnested.
Chapter 3. Security
69
predicate
|--+-- scalar --+-- = ---+-- scalar --+--|
|
+-- < ---+
|
|
+-- > ---+
|
|
+-- <= --+
|
|
+-- >= --+
|
|
’-- <> --’
|
+-- like-predicate ----------------+
+-- starts-with-predicate----------+
+-- contains-predicate-------------+
+-- ends-with-predicate------------+
+-- in-predicate ------------------+
+-- in-group-predicate-------------+
’-- in-profile-predicate-----------’
condition
|--+-- predicate ---------------------+--|
+-- NOT -- condition --------------+
+--condition -- AND -- condition --+
+--condition -- OR -- condition ---+
+-- path-condition ----------------+
’-- ( -- condition -- ) -----------’
The following rule applies to condition:
v If parentheses are not used, the precedence rules are:
1. NOT
2. AND
3. OR
path-condition
v------- AND ---------------.
>>-- FOR ( --+--- path-direction -- path --+--+-- : -- condition -- ) --<<
| v-------- OR ---------------. |
+--- path-direction -- path --+--+
’-- intended-parent -------------’
path
v----------------------.
|-- object-type ----- / -- object-type --+--|
path-direction
.-- ANY ------.
.-- CHILD ---.
|--+-- PRIMARY --+---------------+--+-- PARENT --+--|
’-- IMMEDIATE --’
intended-parent
|-- INTENDED PARENT OF TYPE -- object-type -- |
Rules
v Combining multiple paths with AND or OR is semantically equivalent to specifying
multiple path expressions with the same condition combined by AND or OR.
v For combined paths, the end point of all paths in the path expression must have
the same object type. The condition can contain references only to the shared
starting points and ending points as well as any references to outer paths that
lead up to the subject.
v A path expression for a given path of object types is considered true if the
condition is true for any instantiation of the path.
70
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Except for combined paths described above, the condition can depend on any
object type along the path of the path-expression.
v The condition may also depend on object types along the path of containing
path-expressions or the subject object type of the rule.
v When using intended-parent, the condition can depend on the object-type
referenced as intended parent as well as the subject object-type of the rule. A
path expression that uses the intended parent clause is considered false if the
indented parent is not of the specified object-type or the operation is not
Associate or Create.
v Depending on the path-direction specified, the path lists a connected series of
object types relative to the current context either following parent or child
relationships.
v The outermost path must start with the rule's subject type. Nested paths must
start with the endpoint of the immediately containing path.
v If IMMEDIATE is specified and the end point of the path is a recursive object type,
the path stops at the bottom most parent of that type or the top most child.
v If PRIMARY is specified, the path will follow only primary parent relationships.
Related tasks:
“Defining security rules” on page 60
Use security rules to define a more granular control over the access to individual
objects in a folder.
Enabling or disabling a security rule
You can work on a security rule without making it available to your users. When
the security rule is ready, you can enable it. Conversely, you can withdraw a
security rule by disabling it so that you can make all required changes to it.
Before you begin
You must enable System Administration Mode before you can work with security
rules.
Procedure
1. Click Administration > Security Rules.
2. Select the object type that contains the security rule that you want to enable or
disable.
3. Enable or disable the security rule.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
Validating a formula for a security rule
When you validate a formula for a security rule, IBM OpenPages GRC Platform
checks the completeness of the formula that you entered.
Before you begin
You must enable System Administration Mode before you can work with security
rules.
Chapter 3. Security
71
Procedure
1.
2.
3.
4.
Click Administration > Security Rules.
Select the object type that contains the security rule that you want to validate.
Click Edit to work with the security rule.
Click Validate for the formula that you want to validate.
5. When you see a message that the formula has successfully validated, click
Save.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
Deleting a security rule
When a security rule is no longer required, you can delete it. You cannot undo the
deletion.
Before you begin
You must enable System Administration Mode before you can work with security
rules.
Procedure
1. Click Administration > Security Rules.
2. Select the object type that contains the security rule that you want to delete.
3. For the security rule that you want to delete, click Delete.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
Custom security for projects
You can set custom security access control (Read, Write, Delete, Associate) on
folders for Project Milestones and Project Action Items.
Use the Custom Security Access Control page to set custom security access control.
By default, inheritance for access control (ACL) is set to ‘true’.
By default, the custom ACL shows only Project Milestone and Project Action Items.
To show other object types in the custom ACL, add values to the OpenPages |
Common | Custom ACL Object Types setting in the Settings page. Add object
names separated by commas.
Related tasks:
“Accessing the Settings Page” on page 313
To access the Settings menu item, you must have the Settings application
permission set on your account.
About the folder hierarchy and inheritance
On the Access Control page, the ‘Milestone’ folder is the container for Project
Milestone objects and the ‘Task’ folder is the container for Project Action Item
objects. Both of these folders are under a ‘Plan’ folder.
72
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
By default, inheritance on the ‘Plan’ folder is set to ‘false’ and cannot be changed.
Inheritance on the ‘Milestone’ and ‘Task’ object folders, by default, is set to ‘true’.
If wanted, you can disable inheritance on these folders. If a folder does not have
an ACL set for a particular group, the application looks back up the folder tree
until it finds an ACL for that group and uses it for the current folder. When folder
inheritance is enabled and a folder does not have an ACL set for a particular
group, the application looks backwards up the folder tree until it finds an ACL for
that group and uses it for the current folder.
Accessing the Access Control page
You can set custom security access control (Read, Write, Delete, Associate) on
folders for Project Milestones and Project Action Items in the Access Control page.
Only an IBM OpenPages Super Administrator can access the Custom Security
menu item.
Procedure
1. Log on to the IBM OpenPages application user interface as a Super
Administrator user with the Access Control Lists application permission set.
2. From the menu bar, select Administration and click Custom Security.
Creating an Access Control List
If wanted, you can control which users and/or groups can access Project
Milestones and/or Project Action Items.
Before you begin
Before you can add an Access Control List (ACL), you must disable system admin
mode.
Procedure
1. Click Administration > Custom Security.
2. Under the ‘Plan’ folder, do the following:
v For Project Milestones - click the Milestone link.
v For Project Action Items - click the Task link.
3. On the Access Control List tab, click Add.
4. On the access control entry page:
a. Click the User/Group arrow and select the user or group you want to add.
b. For each permission (Read, Write, Delete, Associate), select a setting value
(Granted, Inherited, Denied).
Note: ‘Read’ permission is required for ‘Write’ and ‘Associate’ access, and
‘Write’ access is required in order for ‘Delete’ access to be granted. You can
select any combination of permissions, but when you save the ACL, it will
be modified to be a valid combination of permissions.
c. When finished, click OK.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
Chapter 3. Security
73
Editing an Access Control List
You can edit an Access Control List for a user or group.
Before you begin
Before you can edit an Access Control List (ACL), you must disable system admin
mode.
Procedure
1. Click Administration > Custom Security.
2. Expand the folder hierarchy and click the folder that has the Access Control
List you want to modify.
3. On the Access Control List tab:
a. Select the check box next to the user or group for which you want to
modify access control.
b. Click Edit.
c. Make the necessary changes.
d. When finished, click Save.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
Deleting an Access Control List
You can delete an Access Control List for a user or group.
Before you begin
Before you can delete an Access Control List (ACL), you must disable system
admin mode.
Procedure
1. Click Administration > Custom Security.
2. Expand the folder hierarchy and click the folder that has the Access Control
List you want to modify.
3. On the Access Control List tab:
a. Select the check box next to the user or group for which you want to delete
access control.
b. Click Delete.
Related tasks:
“Enabling and Disabling System Admin Mode” on page 82
You can enable and disable the system admin mode.
LDAP user authentication
The IBM OpenPages platform supports the use of an LDAP (Lightweight Directory
Access Protocol) authentication server to control user access.
This section details the configuration steps required to integrate the IBM
OpenPages application with an LDAP data source.
74
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Only one login module can be active at the same time. The underlying IBM
OpenPages platform supports a single namespace, so all users must be
authenticated through the same data source. Multiple authentication modules can
be used in a multi-forested environment.
Any users that are created or imported into the IBM OpenPages application must
also be present in the LDAP authentication server. It is the responsibility of the
person managing the IBM OpenPages users to maintain the correlation between
the IBM OpenPages user list and the external LDAP data source. If a user is
disabled on the IBM OpenPages server, they must be manually disabled on the
LDAP Directory server.
Note: If an LDAP Directory Server is being used for user authentication, the
Change Password button will be disabled in the IBM OpenPages user interface.
When an LDAP server is used, passwords are not maintained in the IBM
OpenPages application. The password must be changed directly in the LDAP
server.
Supported LDAP servers
The IBM OpenPages platform has been certified for use with certain LDAP servers
IBM OpenPages supports the following LDAP servers:
v Microsoft Active Directory
v Sun ONE Directory Server (formerly known as iPlanet Directory Server)
Configuring the LDAP Authentication Module
To successfully use an LDAP Directory Server with the IBM OpenPages
application, you must configure the LDAP Authentication Module to recognize the
presence of the LDAP server.
To configure IBM OpenPages to work with an external LDAP authentication
source, complete the following tasks:
v
v
v
v
“Adding existing users to the LDAP server”
“Updating the logon account used by the Framework Generator” on page 76
“Changing the OPSystem password (optional)” on page 76
“Modifying the LDAP configuration file” on page 77
Adding existing users to the LDAP server
You can add existing IBM OpenPages users to an LDAP server.
Make sure to refer to your LDAP Directory Server documentation for the steps
required to add users to the LDAP server.
Important: If you are using Microsoft Active Directory Users and Computers as
your LDAP authentication server, the user name is limited to a length of 20
characters. User names that exceed the 20 character limit are truncated to 20
characters. This length limitation does not occur in the LDAP server provided by
Sun.
All users that require access to the IBM OpenPages GRC Platform application or
server platform must be added to the LDAP authentication server. In addition, the
following users will need to be added to the LDAP server:
Chapter 3. Security
75
v OPSystem
Note: If you specify a password for the OPSystem account that is different from
the one installed by the product, you will need to complete “Changing the
OPSystem password (optional)” to change the OPSystem account password
system-wide.
v The IBM OpenPages Super Administrator (for more information, see “The Super
Administrator” on page 11)
v OPAdministrator (only if you are using this account)
Updating the logon account used by the Framework Generator
The OpenPagesAdministrator account is used, by default, as the logon account to
Cognos during reporting framework generation.
Note: Some upgrade customers can also use SOXAdministrator.
Whether you choose to use the OpenPagesAdministrator account or use a different
valid LDAP account for Cognos logon, the LDAP and Cognos logon user names
and passwords must match. If there is a mismatch between these logon user names
and passwords, the framework generation process will fail.
To change the user name and password for the administrator account used for
reporting framework generation, you must edit values in the
framework.properties file to a valid LDAP user name and password.
For details on editing the framework.properties file, see “Changing the
Administrator Logon Account and Framework Generation” on page 90.
Changing the OPSystem password (optional)
If the OPSystem password on the LDAP server does not match the one installed by
the IBM OpenPages application, you will need to change the OPSystem password
using the provided tool.
Procedure
1. Start all services.
2. Open a command or shell window on the application server.
3. Navigate to the <OP_Home>|bin directory.
For Microsoft Windows operating systems, the default installation location of
the directory in the IBM OpenPages GRC Platform application is C:\OpenPages.
For AIX and Linux operating systems, the default installation location of the
directory in the IBM OpenPages GRC Platform application is /opt/OpenPages.
4. Execute one of the following commands to open the chng-sys-pswd tool:
Windows chng-sys-pswd.bat
AIX chng-sys-pswd.sh
You will be prompted for the old OPSystem password and then the new
password.
5. Follow the on-screen prompts.
6. When directed, stop all services.
7. In a command or shell window, navigate to the following workflow bin
directory:
<Workflow_Home>|server|deployment|bin
76
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
For Microsoft Windows operating systems, the default installation location of
the workflow server is C:\Fujitsu\InterstageBPM.
For AIX and Linux operating systems, the default installation location of the
workflow server is /opt/Fujitsu/InterstageBPM.
8. From the workflow bin directory, run the importProperties command (on a
single line) as follows:
Windows importProperties.bat <Workflow_Home>\server\instance\default\
ibpm.properties <opworkflow_db_user> <opworkflow_db_password>
AIX importProperties.sh <Workflow_Home>/server/instance/default/
ibpm.properties <opworkflow_db_user> <opworkflow_db_password>
Example (Windows)
importProperties.bat c:\Fujitsu\InterstageBPM\server\instance\default\
ibpm.properties opworkflow opworkflow
9. Restart all services to enable the new password.
Modifying the LDAP configuration file
You must modify the authentication configuration file to enable the LDAP
Directory Server you are using.
The aurora_auth.config file contains three authentication modules:
v Openpages - the default internal user directory
v OpenpagesIP - the LDAP configuration for the Sun One Directory Server
v OpenpagesAD - the LDAP configuration for the Microsoft Active Directory
Server
The only module that the IBM OpenPages system pays attention to is the module
named ‘Openpages’. Therefore, in this step we will modify the configuration file to
change the name of the correct LDAP authentication server module to
‘Openpages’, and then change the settings to reflect the settings of your LDAP
server.
Procedure
1. Stop all IBM OpenPages services.
2. Open and edit the <OP_Home>\aurora\conf\aurora_auth.config file in a text
editor.
Where:
<OP_Home> is the installation location of the OpenPages application. By default,
this is c:\OpenPages.
3. Find the module named ‘Openpages’ and change the name to
‘OpenpagesDefault’ (without the quotes).
4. Depending on the LDAP server you intend to use, modify either the
OpenpagesIP or OpenpagesAD module name to ‘Openpages’ (again without
the quotes).
If you are using a Microsoft Active Directory server, change the OpenpagesAD
module. If you are using a Sun One Directory Server, change the OpenpagesIP
module.
5. Specify the correct values for the following properties in the appropriate
module:
v provider.url - Change the value to the hostname and port number for the
LDAP authentication server.
Chapter 3. Security
77
v base.dn - The top level of the LDAP directory tree structure (Domain Name)
on the LDAP server. If the users to be authenticated are located in multiple
locations within your Active Directory structure, you will need to list all of
the locations explicitly by using the distinguished names of the locations,
each separated by a semi-colon.
For example:
base.dn="DC=LDAPTesting,DC=local;CN=Users,DC=LDAPTesting,DC=local;
OU=Auditors,OU=External Auditors,OU=Staff,DC=LDAPTesting,DC=local"
v user.attr.id - the attribute name of the user identifier (for example, "uid", "cn",
etc.)
v Additional custom parameters can be added by preceding them with the
prefix "ctx.env." (without the quotes).
For example, when using the Sun One Directory Server:
OpenpagesIP
{
com.openpages.aurora.service.security.namespace.LDAPLoginModule
required debug=false
provider.url="ldap://192.168.0.169:30429"
security.authentication="simple"
base.dn="DC=LDAPTesting,DC=local;OU=People,DC=LDAPTesting,
DC=local"
user.attr.id="uid"
ctx.env.your.param="paramvalue"
;
};
An example when using the Microsoft Active Directory server:
OpenpagesAD
{
com.openpages.aurora.service.security.namespace.LDAPLoginModule
required debug=false
provider.url="ldap://192.168.0.165:389"
security.authentication="simple"
security.search.user.dn="CN=Paul Smith,CN=Users,DC=LDAPTesting,
DC=local"
security.search.user.credentials="openpages"
base.dn="CN=Users,DC=LDAPTesting,DC=local"
user.attr.id="CN"
;
};
6. When you are finished editing the file, save your changes and exit.
7. Restart all services.
Results
You have configured the IBM OpenPages system to use an external LDAP user
authentication server.
Setting up mixed-mode authentication
Use mixed-mode authentication when not all users can use a single namespace for
authentication.
This solution should be used by customers who do not want to create the
OPSystem, SOXAdministrator, OpenPagesAdministrator, or OPAdministrator user
accounts on their LDAP server but do want all their users to be authenticated by
78
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
LDAP. The following procedure creates a new namespace and modifies user names
(such as OPSystem) to authenticate against the OpenPages authentication module
rather than LDAP.
Procedure
1. To create the namespace modules in the aurora_auth.config file, log on to the
application server.
2. Find and open the aurora_auth.config file.
3. Create or update the namespace modules in the file as follows:
OpenpagesDefault
{
com.openpages.aurora.service.security.namespace.AuroraLoginModule
required debug=false;
};
Openpages
{
com.openpages.aurora.service.security.namespace.LDAPLoginModule required
debug=false
provider.url="ldap://192.168.0.169:30429"
security.authentication="simple"
base.dn="DC=LDAPTesting,DC=local;OU=People,DC=LDAPTesting,DC=local"
user.attr.id="uid"
;
};
4. To create the namespace in the database, log into the database instance with the
database id (ie: OPENPAGES).
5. Run the following SQL to create the 'OpenpagesDefault' namespace:
insert into namespaces (NAMESPACEID, NAME, JAASLOGINMODULE,
DESCRIPTION) values (namespaceidseq.nextval, ’Openpages Security’,
’OpenpagesDefault’, ’Default Openpages Security Namespace’);
6. Run the following SQL to point an ID to the new namespace:
update actors set namespaceid = (select namespaceid from
namespaces where JAASLOGINMODULE = ’OpenpagesDefault’) where actorid =
(select actorid from actorinfo where name = ’user_name’);
For example, the following SQL will have the OPSystem use the
OpenPagesDefault namespace for authentication:
update actors set namespaceid = (select namespaceid from
namespaces where JAASLOGINMODULE = 'OpenpagesDefault') where actorid =
(select actorid from actorinfo where name = 'OPSystem');
7. Commit the changes to the database.
Configuring a multi-forested LDAP authentication
IBM OpenPages supports the use of multiple LDAP authentication servers in a
multi-forested configuration. If IBM OpenPages cannot find the user in the first
authentication server, it will check the next server in the list and repeat until it
finds the user or checks all listed authentication servers.
When listing multiple LDAP servers, the aurora_auth.config file must be modified
to contain multiple sets of server information.
This file is located in the <OP_Home>\aurora\conf directory, where <OP_Home> is the
installation location of the OpenPages application. By default, this is c:\OpenPages.
Chapter 3. Security
79
This is accomplished by grouping the server information by index key, as in the
following example:
com.openpages.aurora.service.security.namespace.LDAPLoginModule required
debug=true
provider.url.1="ldap://10.128.22.106:389"
security.authentication.1="simple"
security.search.user.dn.1="CN=Administrator,CN=Users,DC=parent,DC=parentchil
d,DC=localdomain"
security.search.user.credentials.1="Op3nPag3s"
base.dn.1="DC=parent,DC=parentchild,DC=localdomain"
user.attr.id.1="CN"
provider.url.2="ldap://10.128.22.107:389"
security.authentication.2="simple"
security.search.user.dn.2="CN=Administrator,CN=Users,DC=child,DC=parent,DC=p
arentchild,DC=localdomain"
security.search.user.credentials.2="Op3nPag3s"
base.dn.2="DC=child,DC=parent,DC=parentchild,DC=localdomain"
user.attr.id.2="CN"
By adding a ".1" key to the end of each parameter, IBM OpenPages can parse the
settings correctly and differentiate between separate LDAP server information sets.
You would append a ".2" to the keys for the second LDAP server, and so on.
For single LDAP server implementations, you do not need to append an identifier
to the end of the parameter names.
80
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 4. Using System Admin Mode
This chapter contains the following topics:
v “About System Administration Mode (SAM)”
v “Enabling and Disabling System Admin Mode” on page 82
About System Administration Mode (SAM)
You use System Administration Mode (SAM) to restrict user access to the IBM
OpenPages application when you apply configuration changes or other updates to
the system.
When System Administration Mode (SAM) is enabled:
v Only administrative users with System Administration Mode application
permission can log on to the system. All other users are restricted from logging
on.
v All Write operations are restricted, with these exceptions:
– Reporting period operations if the Reporting Schema is not enabled
– Metadata (schema) changes
– Enumerated string conversions from single to multivalued selection
– Setting changes that are made through the user interface
Before you enable SAM, you may want to notify application users to log off the
system. If a user is already logged on to the system when SAM is enabled, the user
will only be able to view objects and will not be able to create new instances of
objects or save any modifications made to existing objects.
Depending on your configuration, SAM mode may not start until all asynchronous
background jobs run to completion (see “Running Asynchronous Background Jobs
and Administrative Functions” on page 375).
You must be in System Administration Mode (SAM) if you:
v Want to perform any of the actions on the Reporting Schema list view page
(such as create, re-create, enable, or drop a reporting schema). For Reporting
Schema details see, “Administering the Reporting Schema” on page 83.
v Have an existing Reporting Schema and want to add, remove, or refresh a
reporting period.
v Have configuration changes to make to the system, such as changes to the object
model hierarchy or modifications to object types, field groups, and object fields.
v Are converting an enumerated string value from a single selection to a
multi-value selection (see “Data Types” on page 150 for multi-value conversion
details).
In all other instances you can make configuration changes without enabling SAM.
However, there may be situations where you want to enable SAM to restrict
general user access. For example, if you need to modify one or more object text
labels, you may not want users to create new instances of the object type while
you are making these changes.
81
Enabling and Disabling System Admin Mode
You can enable and disable the system admin mode.
You must have the System Administration Mode application permission set on
your account to view the System Admin Mode link at the top of a page and the
System Admin Mode menu item from the Administration menu.
Table 12. Settings for System Administration Mode
If Link...
If button...
Use to...
Enabled
Enable
enter System Administration Mode
Disabled
Disable
exit and terminate System Administration Mode
The link switches between Enabled and Disabled, and the button switches
between Enable and Disable depending on which mode it is in.
If the system is processing operations that require System Admin Mode, you will
have to wait until processing is complete before you can disable System Admin
Mode.
Procedure
1. Log on to the OpenPages application user interface as a user with the System
Administration Mode application permission set.
2. Do one of the following:
v Click the System Admin Mode Enabled or Disabled link at the top of a
page
v From the menu bar, select Administration and click System Admin Mode
and click Enable or Disable.
3. At the prompt, click OK to change modes.
82
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 5. Managing the Reporting Schema and Framework
This chapter contains the following topics:
v “Administering the Reporting Schema”
v “Using the Reporting Framework” on page 86
v “Generating the Reporting Framework” on page 87
v “Configuring Facts and Dimensions” on page 91
v “Configuring Recursive Object Levels” on page 97
v “Configuring Object Type Dimensions” on page 101
Administering the Reporting Schema
The IBM OpenPages application supports the use of a real-time reporting schema
model that allows reports to access information as it is entered into the IBM
OpenPages system.
Users no longer need to export their data to an external reporting database
repository.
System administrators will only need to re-create their reporting schema after
changing their object schema. There is no need to restart the IBM OpenPages
application after regenerating the reporting schema.
The Reporting Schema page is used to control the creation and deletion of the
reporting schema. It is usable by administrative-level users who have the
Reporting Schema application permission.
Reporting Schema and Framework Permissions
Before performing any actions on a reporting schema, you must have specific
application permissions set on your account.
For more information, see “Configuring Application Permissions” on page 21).
Table 13. Reporting Schema and Framework Permissions
This Application Permission...
Is used to...
Reporting Schema
access the Reporting Schema menu item.
System Administration Mode
enable and disable System Administration
Mode.
Reporting Framework
update the reporting framework.
Accessing the Reporting Schema
You can create, re-create, disable, drop, and view the status of a reporting schema
from the Reporting Schema detail page.
83
Important: The system must be in System Administration Mode (see Chapter 4,
“Using System Admin Mode,” on page 81) to make any modifications to the
reporting schema.
Procedure
1. Log on to the IBM OpenPages application user interface as a user with the
Reporting Schema application permission set.
2. From the menu bar, select Administration and click Reporting Schema.
Updating the Reporting Schema
The IBM OpenPages application allows users to create a new or updated reporting
schema when necessary.
Any of the following changes to the application, for example, would require an
update to the reporting schema:
v Configuring the triangles setting (see “Configuring Triangle Object
Relationships” on page 355)
v Changing the value of the ‘Populate Past Periods’ setting (see “Populating Past
Reporting Periods” on page 85)
v Changing any setting that is used to compose the URL links in the Reporting
Schema (such as the ‘Host’, ‘Port’, and ‘Protocol’ settings, see “Updating URL
Host Pointers for Reports” on page 504)
v Adding an index to an RT_ column (done through the setting ‘Create Index on
Fields’).
Note: The ‘Create Index on Fields’ setting is located on the Settings page under
the OpenPages | Platform | Reporting Schema folder.
There are two ways to update the reporting schema:
v Incrementally through scripts - contact your IBM representative for assistance in
executing special PL/SQL scripts that will incrementally update the reporting
schema. These scripts are maintained by IBM OpenPages Support and do not
ship as part of the product.
v Application user interface - this method updates the entire reporting schema (see
“Creating or Re-creating the Reporting Schema”). It is a good idea to schedule
this activity ahead of time, since creating a reporting schema requires that the
application be in System Administration Mode. In this mode, users are not able
to log onto the system and users who are currently logged in are not able to
commit changes to the repository.
Note: Depending on your changes, recreating the reporting schema and updating
the reporting framework (for Cognos reports) may not cause your modifications to
appear in the standard (out-of-the-box) reports. You may also need to modify the
existing reports or create new reports to display the additional information (such
as adding new fields).
Creating or Re-creating the Reporting Schema
You can create or re-create the reporting schema.
Procedure
1. Access the Reporting Schema page (see “Accessing the Reporting Schema” on
page 83).
84
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
2. Enable System Administration Mode (for details, see “Enabling and Disabling
System Admin Mode” on page 82).
3. As needed, either create a new reporting schema or re-create the existing
reporting schema. Do one of the following:
v If a reporting schema already exists - drop the existing schema before
creating the new schema. Click the Re-Create button to drop the existing
schema and create a new schema.
v If no reporting schema exists - click the Create button to create a new
reporting schema.
4. When the creation task (or re-creation task) is completed, update the Reporting
Framework so that the Cognos reports can access the new schema. For details,
see “Updating the Reporting Framework” on page 89.
Populating Past Reporting Periods
You can control whether data from previous reporting periods is included in the
reporting schema.
By default, the reporting schema is only populated with the data from the current
reporting period.
Procedure
1. From the menu bar, select Administration and click Settings.
2. Expand the OpenPages | Platform | Reporting Schema folder hierarchy.
3. Click the Populate Past Periods setting to open its details page.
4. In the Value field, type one of the following values:
If the value is set
to...
Then...
true
The reporting schema is populated with the data from previous
reporting periods.
Note: Turning this setting on will add to the amount of data that is
published by the Reporting Schema operation and will increase the
time it takes to drop and recreate the Reporting Schema.
false
The reporting schema is populated with the data from the current
reporting period.
This value is set by default.
5. When finished, click Save.
6. Recreate the reporting schema (see, “Updating the Reporting Schema” on page
84).
Enabling and Disabling the Reporting Schema
Creating a new reporting schema automatically enables the reporting schema,
while dropping the reporting schema automatically disables it.
When the reporting schema is ‘Enabled’, the database tracks changes to the
application data and allows the reporting engine to access the updated data. When
the schema is ‘Disabled’, the database no longer tracks changes to the application
data, but is still aware of changes to the schema (such as new fields).
Chapter 5. Managing the Reporting Schema and Framework
85
Note: You must be in System Administration Mode (SAM) to enable the buttons
that allow you to perform these tasks.
Enabling the Real-time Reporting Schema
Procedure
1. Enable System Administration Mode (for details, see “Enabling and Disabling
System Admin Mode” on page 82).
2. From the menu bar, select Administration and click Reporting Schema.
3. Click the Enable button to enable the reporting schema. A reporting schema
must be created in order to enable the reporting schema using the Enable
button.
4. If one does not exist, click the Create button to create the reporting schema.
Creating the reporting schema will automatically enable the new schema.
5. Once the task is completed, disable System Administrator Mode.
Disabling the Real-time Reporting Schema
Procedure
1. Enable System Administration Mode (for details, see “Enabling and Disabling
System Admin Mode” on page 82).
2. From the menu bar, select Administration and click Reporting Schema.
3. If you want to reclaim the database space taken by the reporting schema tables,
you must click the Drop button. This will automatically disable the reporting
schema. Otherwise, continue to the next step.
4. Click the Disable button to disable the reporting schema. A reporting schema
must be created in order to disable the reporting schema using the Disable
button.
5. Once the task is completed, disable System Administrator Mode.
Viewing Reporting Schema Operation Details
The IBM OpenPages application keeps a log of each reporting schema operation
that has been performed.
Procedure
1. Access the Reporting Schema page (see “Accessing the Reporting Schema” on
page 83).
2. On the Reporting Schema Operations tab, click the name of the operation in
the list.
3. On the Operation Detail tab, click the View Log button.
The log message detail page appears.
Using the Reporting Framework
If you have the correct permissions, you can update the reporting framework when
the real-time reporting schema is updated. You can also use the reporting
framework to configure facts and dimensions for object types in the dimensional
namespace.
For more information, see “Generating the Reporting Framework” on page 87.
86
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Accessing the Reporting Framework
To update components of the reporting framework or to configure facts and
dimensions, you must access the reporting framework.
Before you begin
To update or configure the reporting framework, you must NOT be in System
Administration Mode (for more information, see Chapter 4, “Using System Admin
Mode,” on page 81).
Make sure the correct application permissions are set on the user account:
To do this...
Requires this application permission...
Update all or selected components of the
reporting framework
Reporting Framework
Configure facts and dimensions
Reporting Framework Configuration
Procedure
1. Log on to the IBM OpenPages application user interface as a user with the
correct application permission set.
2. From the menu bar, select Administration, point to Reporting Framework, and
click one of the following:
v Generation — to update all or selected components of the reporting
framework, such as metadata, labels, dimensions and facts, and custom
query subjects.
v
Configuration — to configure facts and dimensions, object type dimensions,
and date dimension types.
Generating the Reporting Framework
The IBM OpenPages Reporting Framework V6
IBM OpenPages Reporting Framework V6 supports two data models.
v A relational model based upon the object types defined in your system and their
relationship to each other
v A dimensional model based upon facts and dimensions selected for each object
type
When the Reporting Framework V6 is generated, the OPENPAGES_REPORTING_V6
package is published to the Cognos server with the following default namespaces:
v DEFAULT_REL — this relational namespace is similar to the framework model
included with previous versions of IBM OpenPages but has been reorganized for
easier access and higher performance.
v DEFAULT_DIM — this dimensional namespace is organized into facts and
dimensions, and gives report authors access to Analysis Studio and the online
analytical processing (OLAP) features that are available in Cognos.
Using the query subjects and query items in these namespaces, report authors can
create a variety of reports with faster execution from within IBM OpenPages .
Chapter 5. Managing the Reporting Schema and Framework
87
Backward Compatibility with the Legacy Reporting Framework
For systems that have been upgraded from IBM OpenPages version 5.x or earlier
and want to continue to use the Legacy Reporting Framework for certain reports,
Legacy Framework Generation options are available.
About Choosing Update Options in the Reporting Framework
When you generate the Reporting Framework V6 and/or the Legacy Reporting
Framework, you can choose to update all or particular components of the
reporting framework.
Table 14 lists the various options for updating the reporting framework.
Table 14. Reporting Framework Generation Options
This option...
Is available in this
Reporting Framework...
Framework
Model
v
Labels
v
Reporting Framework V6
v Legacy Reporting
Framework
Reporting Framework V6
v Legacy Reporting
Framework
Facts and
Dimensions
And does this...
Generates the relational model for all your
object types.
Imports your object text into the reporting
framework.
Reporting Framework V6
Generates the dimensions and facts in the
dimensional model.
Custom Query Reporting Framework V6
Subjects
Generates any custom query subjects that
are defined.
When you update the reporting framework, any changes to the reporting schema
are reflected in Cognos. Once the reporting framework model in Cognos is
updated, report authors can create new (or modify existing) reports based on these
changes. If the reporting framework is not updated, external reports such as those
built with Cognos will not be able to access the updated reporting schema.
Example
Let’s say you add two new fields to a Risk object type and add a new child or
parent relationship to a Control object type. You also want users to be able to run
reports that contain these new fields or relationships.
To make these changes available to a report author in the Cognos tool, you would
update the reporting framework through the administrative application interface.
Once the Cognos reporting framework is updated, a report author could then
create new (or modify existing) reports that contained the new fields or
relationships.
Regenerating the Reporting Framework
If you make any of the following changes in the IBM OpenPages application, you
must regenerate the reporting framework:
v Adding a new field to a field group
v Adding a new object type
v Adding a new association between object types
88
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Important: Whenever you Update the reporting framework, you need to
revalidate reports. Failing to do so may result in reporting errors.
Updating the Reporting Framework
Once the reporting schema has been updated, the reporting framework must be
updated as well to propagate the changes to the Cognos reports.
Note: For purposes of this procedure, we are assuming that you have just created
a new reporting schema.
Procedure
1. Access the Reporting Framework Operations page (see “Accessing the
Reporting Framework” on page 87).
2. Disable System Administration Mode if it is enabled (for details, see “Enabling
and Disabling System Admin Mode” on page 82).
3. On the Reporting Framework Operations page, click Update.
4. In the Reporting Framework Generation window, do the following:
a. Under Framework Generation, select the Framework Model and Labels
options (and any additional options you want) for generation in the
Reporting Framework V6 relational data model.
Note: For upgraded systems that have the Legacy Reporting Framework
setting enabled, if you also want to generate the Legacy Reporting
Framework relational data model, under Legacy Framework Generation,
select the Framework Model and Labels options.
b. Click Submit to begin the update procedure.
You are returned to the Reporting Framework Operations page with the
new task listed in the Reporting Framework Operations table.
5. To view the progress of the update, click Refresh. The Percent Complete
column on the Reporting Framework Operations table will update the
percentage of completion.
Viewing Reporting Framework Details
You can view the details of a refresh operation, including any errors that were
encountered.
Procedure
1. Access the Reporting Framework page (see “Accessing the Reporting
Framework” on page 87).
2. On the Reporting Framework Operations tab, click the name of the operation
in the list.
3. On the Operation Detail tab, click the View Log button.
The log message detail page appears.
4. If a sub-operation exists, it is listed in the Sub Operations table of the detail
page.
a. To view sub-operation details, click the name of the sub-operation.
b. To view log details, click the View Log button.
Chapter 5. Managing the Reporting Schema and Framework
89
Changing the Administrator Logon Account and Framework
Generation
The Reporting Framework Generator, by default, uses the Super Administrator
account (set during initial installation) as the Cognos logon account to update the
reporting framework model.
For details about Administrator accounts, see “About Administrators” on page 11).
If you change the logon user name and/or password of the Super Administrator
account after installation (using the application interface), you must make the
corresponding changes in the framework.properties file on the Cognos server.
If a mismatch exists between the logon user name and/or password and the
specified user name and/or password in the property file, the Reporting
Framework Generator will not be able to log on to Cognos to update the reporting
framework.
The procedure to manually change the Cognos framework generator property file
follows.
Procedure
1. Log on to the Cognos server as a user with administrative permissions.
2. Stop the OpenPages Framework Model Generator service.
3. Navigate to the CommandCenter|framework|conf folder.
By default, the path is:
Windows C:\OpenPages\CommandCenter\framework\conf
AIX and Linux /opt/OpenPages/CommandCenter/framework/conf
4. Locate the framework.properties file in the conf folder and do the following:
a. Make a backup copy of the file before modifying it.
b. Open the framework.properties file in a text editor of your choice.
c. Locate the following code lines in the file:
op.password=<password value>
op.user=OpenPagesAdministrator (this is the default user)
Where: <password value> is the password that corresponds to the user
account value in the op.user property.
d. Edit the password property with the new value (the new password will be
in clear text). If you also changed the user account, edit that value as well.
e. When finished, save the change to the file.
5. Restart the OpenPages Framework Model Generator service.
Note: The passwords will be automatically re-encrypted the next time the
service accesses the files.
6. Update the reporting framework (see “Updating the Reporting Framework” on
page 89).
90
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Configuring Facts and Dimensions
Facts and Dimensions
Facts and dimensions are components of a dimensional data model.
Dimensionally-modeled data works well with crosstab and graphical reports (such
as charts and maps).
Facts are fields with a numeric data type (such as Currency, Integer, Decimal) that
can be aggregated and analyzed. For each fact that is selected for inclusion in the
dimensional model, you can also use the Fact Types setting to globally control the
types of aggregations that can be created for each configured fact field (see
“Reporting Framework Configuration Settings” on page 357).
Dimensions include enumerated fields, date fields, and dependent picklists that
can be used by report authors as business filters and grouping fields.
You can control which facts and dimensions are represented in the dimensional
namespace for each object type that can be used by report authors in reports.
Process Overview
The following table provides an overview of the configuration tasks for setting up
facts and dimensions and a reference to the related information.
Table 15. Tasks for Configuring Reporting Fragment Fields
U
Task Description
Related Topic
h
For the selected object type, configure the
facts you want available for reports in the
dimensional namespace.
“Enabling and Disabling Facts”
h
If the object type has enumerated fields and “Enabling and Disabling Enumeration
and Dependent Picklist Dimensions”
dependent picklists, configure the
dimensions you want in reports for these
on page 92
fields and picklists in the dimensional
namespace.
h
If wanted, configure the types of date
dimensions you want available for reports
in the dimensional namespace.
“Using Date Dimension Types” on
page 94
h
Update the Reporting Framework V6 to
effect changes to facts and dimensions.
“Updating the Reporting Framework”
on page 89
Enabling and Disabling Facts
If an object type includes fields with a numeric data type (such as Currency,
Integer, Decimal) then these fields are automatically listed in the Facts table for
selection.
For example, fact fields for a Risk object type might include such fields as
‘Inherent Frequency’ (a decimal data type field) and ‘Inherent Severity’ (a currency
data type field).
Chapter 5. Managing the Reporting Schema and Framework
91
When regenerating the reporting framework to effect the changes made to fact
fields, you can choose the ‘Dimensions and Facts’ option to regenerate and update
only that portion of the reporting framework that has changed.
Note: When you disable facts that were previously enabled, any reports that used
these facts will no longer run.
Procedure
1.
Do one of the following to access facts and dimensions for an object type:
From the Administration
menu, select this...
And then do this...
Reporting Framework >
Configuration
From the list on the Facts and Dimensions table, click the
name of the object type you want.
Note: To access this menu item, you must have the
Reporting Framework Configuration application
permission set.
Object Types
1. From the list on the Object Types table, click the name
of the object type you want.
2. Navigate to the Facts and Dimensions table, and click
Edit.
2. Under the Facts table, do one of the following:
v To enable a fact, select the box next to each fact you want included in the
reporting framework.
v To disable a fact, clear the box next to each fact you want excluded from the
reporting framework.
3. When finished, click Save.
4. At the prompt, click OK.
5. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Enabling and Disabling Enumeration and Dependent Picklist
Dimensions
You can enable and disable enumerated fields and dependent picklists as
dimensions.
If an object type includes fields with an Enumerated String data type, then these
fields are automatically listed under the Enumerated Fields column in the
Enumeration and Dependent Picklist Dimensions table for selection as
dimensions. For example, enumerated fields for a Risk object type might include
such fields as ‘Category’ (a single value selection field) and ‘Domain’ (a
multivalued selection field).
All dependent picklists that have been defined in the application user interface
(including any disabled picklists) for a selected object type are automatically
displayed under the Dependent Picklists column in the Enumeration and
Dependent Picklist Dimensions table.
Note:
92
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Disabling an enumerated field or dependent picklist that was previously enabled
as a dimension will cause any reports that used these dimensions to no longer
run.
v Enabling a dependent picklist as a dimension automatically enables the parent
enumerated field, which is located in the same row as the dependent picklist. A
dependent picklist cannot be enabled as a dimension without the parent
enumerated field also being enabled.
v Disabling an enumerated field as a dimension will also disable all child
dependent fields.
v If you disable a dependent picklist as a dimension, the parent enumerated field
remains enabled.
v A dependent picklist that is disabled for an object type cannot be selected as a
dimension.
Procedure
1.
Do one of the following to access facts and dimensions for an object type:
From the Administration
menu, select this...
And then do this...
Reporting Framework >
Configuration
From the list on the Facts and Dimensions table, click the
name of the object type you want.
Note: To access this menu item, you must have the
Reporting Framework Configuration application
permission set.
Object Types
1. From the list on the Object Types table, click the name
of the object type you want.
2. Navigate to the Facts and Dimensions table, and click
Edit.
2. Under the Enumeration and Dependent Picklist Dimensions table, do one of
the following:
To do this...
Then...
Enable an enumerated field as a dimension
Under the Enumerated Fields column, select
the box next to each enumerated field you
want included as a dimension in the
reporting framework.
Disable an enumerated field as a dimension
Under the Enumerated Fields column, clear
the box next to each enumerated field you
want excluded as a dimension from the
reporting framework.
Enable a dependent picklist as a dimension
1. Under the Dependent Picklists column,
select the box next to the picklist you
want included as a dimension in the
reporting framework.
2. In the same row as the dependent
picklist, under the Enumerated Fields
column, select the box next to the parent
enumerated field if is not already
selected.
Chapter 5. Managing the Reporting Schema and Framework
93
To do this...
Then...
Disable a dependent picklist as a dimension
1. Under the Dependent Picklists column,
clear the box next to the picklist you
want excluded as a dimension from the
reporting framework.
2. In the same row as the dependent
picklist, under the Enumerated Fields
column, clear the box next to the parent
enumerated field if not wanted as a
dimension.
3. When finished, click Save.
4. At the prompt, click OK.
5. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Using Date Dimension Types
When date fields are used as dimensions in reports, users could, for example, drill
down through a date hierarchy from the year to a specific quarter, month, and/or
day.
For date fields to be used as dimensions, you must first define a date dimension
type then map that dimension to the date fields of an object type. The date
dimension types that you define are globally available for all object type date
fields.
If wanted, you can localize the name of a date dimension type for display in the
reporting framework. If no translated text is provided, the value that is typed into
the Name field for a date dimension type is automatically used.
By default, the following system date fields are available under the Date
Dimensions table for all object types but are not automatically configured with a
date dimension type:
v Creation Date
v Last modification Date
Note: If a system date field is configured with a date dimension type, it applies to
all object types.
Adding a Date Dimension Type
When you define a date dimension type, that dimension is available for selection
on all date fields for any object type.
See Table 16 on page 95 for a list and brief description of each date dimension
type.
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. On the Date Dimensions Type table, click Add.
3. In the Name box, type a name for this date dimension.
94
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
4. If wanted, localize the text of the Name field for display in the reporting
framework as follows.
Note: If no localized display text is specified, the value in the Name field is
used by default.
a. Click the Translate link.
b. In the Translate window, next to each language you want, type the localized
text into the box.
c. When finished, click Apply.
5. In the Description box, optionally type some descriptive text.
6. Click the arrow next to each dimension you want for this date type and select a
value.
Note: Only one value can be selected from the list for each type of date
dimension.
Table 16. Date Dimension Types
Date Type
Description
Year
Returns the calendar year of the field.
Example : 2010
Quarter
Returns the quarter within the calendar year.
Example : ‘Quarter’ would return ‘3’ for the month of
August.
Month
Depending on the selection, will return either a
numeric or text string for the month.
Example : ‘Month of Year’ would return ‘8’ for the
month of August.
Week
Depending on the selection, will return the number of
the week for either the month, quarter, or year based
on a starting criteria.
Example : ‘Week of Year (Starts on Sunday)’ would
return ‘33’ for August 18, 2010.
Day
Depending on the selection, will return either a
numeric or text string for the day of the week,
month, quarter, or year based on an optional starting
criteria.
Example : ‘Day of Year’ would return ‘230’ for
August 18, 2010.
7. When finished, click Save.
8. If wanted, map the date dimension to an object type’s date fields. See
“Mapping Date Dimension Types to Date Fields.”
Mapping Date Dimension Types to Date Fields
After you create a date dimension type, you can then map that dimension to one
or more date fields for an object type.
Each column in the Date Dimensions table represents a defined date dimension
type, and each row represents a date field for the selected object type.
Chapter 5. Managing the Reporting Schema and Framework
95
Procedure
1.
Do one of the following to access facts and dimensions for an object type:
From the Administration
menu, select this...
And then do this...
Reporting Framework >
Configuration
From the list on the Facts and Dimensions table, click the
name of the object type you want.
Note: To access this menu item, you must have the
Reporting Framework Configuration application
permission set.
Object Types
1. From the list on the Object Types table, click the name
of the object type you want.
2. Navigate to the Facts and Dimensions table, and click
Edit.
2. On the Date Dimensions table, for each date field in a row, select one or more
date dimension types represented in a column.
Note: To select or clear a value from a row, click the name of the value.
3. When finished, click Save.
4. At the prompt, click OK.
5. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Enabling and Disabling a Date Dimension Type
When you disable or re-enable a date dimension type, that date dimension type is
disabled or re-enabled for all date fields in any object type.
Note: When you disable a date dimension type, any reports that used that date
dimension type will no longer run.
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. In the Date Dimension Types table, navigate to the row containing the date
dimension type you want to disable or re-enable.
3. Under the Actions column in the same row for that date dimension type, click
Disable or Enable.
4. At the prompt, click OK.
5. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Modifying a Date Dimension Type
If wanted, you can modify a date dimension type after you create it. Perhaps, for
example, translated text needs to be modified or added, or a previously selected
value needs to be changed.
Note: When you modify a date dimension type, any reports that used that date
dimension type will no longer run.
96
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. In the Date Dimension Types table, click the name of the date dimension type
you want to modify to open its detail page.
3. Make the changes you want.
4. When finished, click Save.
5. At the prompt, click OK.
6. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Deleting a Date Dimension Type
When you delete a date dimension type, that date dimension type is permanently
removed from the system on all date fields for any object type and cannot be
retrieved.
Note: When you delete a date dimension type, any reports that used that date
dimension type will no longer run.
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. In the Date Dimension Types table, navigate to the row containing the date
dimension type you want to delete.
3. Under the Actions column in the same row for that date dimension type, click
Delete.
4. At the prompt, click OK.
5. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Configuring Recursive Object Levels
If you want reporting capability in the dimensional data model of the reporting
framework, you can use recursive object types to create sets of levels that will be
reflected in the reporting framework for use by report authors.
A recursive object type can repeat itself indefinitely or until some set limit is
reached. The following object types are recursive within the IBM OpenPages
application:
v Business Entity (SOXBusEntity)
v Sub-Process (SOXSubprocess)
v Sub-Account (SOXSubaccount)
v Sub-Mandate (Submandate)
About Recursive Object Levels
For each recursive object type, you can define multiple object levels. For the
Business Entity object type, you can also create multiple sets of recursive object
levels with each set having a different number of levels.
Chapter 5. Managing the Reporting Schema and Framework
97
Recursive object levels allow you to create a representation of corporate data using
common names for each level of the set thereby providing the report author with
additional context for creating reports (see Table 17).
When the Reporting Framework V6 is generated, all levels that have been defined
for recursive object types are reflected in the dimensional data model of the
reporting framework. These structures allow report authors to create, for example,
drill-down dimensional reports where users can progressively navigate through the
levels to more detailed data.
For a finer level of control, if wanted, you can also specify which recursive object
level sets you want available in a given namespace (see “Configuring Namespaces
in the Reporting Framework” on page 351).
Note:
v You cannot delete Level1 for non-entity recursive object types.
v If you remove or edit levels in a set, reports that used these levels will no longer
run.
Example
A report author works for Global Financial Services (GFS), a large multinational
bank, with an organizational structure that is comprised of many business
functions and groups. The report author has a requirement to create reports so
business users at GFS can assess the risks associated with various processes that go
across the company’s business units. GFS has its business organized around
functions, divisions, departments, and units.
To return data about the various business processes and their associated risks for
each organizational level of the business, you might create a new set of recursive
object levels for the Business Entity object type called ‘Risk Assessment’ with the
following levels as shown in Table 17.
Table 17. Sample Recursive Object Levels
Level number
Level name
Example Business Entity instance user
data
1
Group
Global Financial Services
2
Global Function
Client Markets
3
Division
Asia
4
Department
Underwriting
5
Unit
Japan
In addition to defining the business levels of the organizational structure for the
Business Entity object type, you need to determine which business entity should be
the starting point for scoping the data. In this example, we want the reporting data
to start at the Global Function level. In the ‘Starting Entity’ field, you would type:
/Global Financial Services
When the reporting framework is updated, a new ‘Risk Assessment’ folder with
the corresponding level folders and query items would be created within the
OpenPages_Reports_V6 package under the GRC Objects|Business Entity Folder for
report authors to use in creating Cognos reports.
98
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Rules for Defining Sets of Recursive Object Levels
Rules apply to the definition of sets of recursive object levels.
v Business Entity — this is the only recursive object type where you can define
multiple sets of recursive object levels with a different starting entity for each
set. Sets of Business Entity recursive object levels can also be edited and deleted.
By default, no recursive object levels are predefined for Business Entity object
types.
v All other recursive object types (Sub-Process, Sub-Account, Sub-Mandate) have
only one set of recursive object levels that, by default, is predefined and cannot
be deleted.
By default, each of these recursive object types (excluding Business Entity) have
a predefined first level that cannot be deleted but can be renamed.
v Each set of recursive object levels for the Business Entity object type requires a
name and a root path.
v The name of each user-defined level must be unique across all recursive object
types.
v The names of sets and levels can be localized.
Working With Business Entity Recursive Object Levels
For the Business Entity object type, you can define and delete sets of recursive
object levels, and modify the levels within each set.
By default, the Business Entity object type does not have any predefined sets of
recursive object levels.
When the Reporting Framework V6 is generated, all user-defined sets of recursive
object levels are available to report authors under the
GRC_OBJECTS|SOXBUSENTITY_FOLDER folder in the default dimensional namespace. In
addition, this structure is also available in the IBM OpenPages administrator
interface when configuring object type dimensions (see “Configuring Object Type
Dimensions” on page 101).
Defining Business Entity Recursive Object Levels
You can create multiple sets of recursive object levels for generation in the
Reporting Framework V6.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list of object types, click the SOXBusEntity (Business Entity) link to
open its detail page.
3. Navigate to the Recursive Object Levels table and click Edit.
4. In the definition pane, do the following:
Table 18. Recursive Object Levels Definition Boxes
In this box...
Do this...
Name
Type a name for this set of levels.
Description
Optionally type a description of this set.
Chapter 5. Managing the Reporting Schema and Framework
99
Table 18. Recursive Object Levels Definition Boxes (continued)
In this box...
Do this...
Starting Entity
Type the full path, beginning with a slash, to the starting Business
Entity.
Note: If wanted, you can use a single slash (/) to specify all top
level (Level 1) business entities.
Level 1
Type a unique name for this level.
5. To add another level to this set, click the (plus symbol) button and type a
unique name for this level. Repeat this step for each level you want to add to
this set.
Note: To remove a level that was added, click the (minus symbol) button.
6. If wanted, localize the text for the names of the set and levels for display in
the reporting framework as follows.
Note: If no localized display text is specified, the values in the Name and
Level fields are used by default.
a. Click the Translate link.
b. In the Translate window, for the language you want, type the localized text
into the box.
c. When finished, click Apply.
7. To add another set, click Add and repeat Steps 4 - 6.
8. When finished, click Save.
9. At the prompt, click OK.
10. To specify which recursive object level set you want available in a given
namespace, configure the Entity Recursive Object Levels setting (see
“Configuring Namespaces in the Reporting Framework” on page 351).
11. When finished, update the reporting framework to effect the changes (see
“Updating the Reporting Framework” on page 89).
Deleting Business Entity Sets of Recursive Object Levels
You can delete a set of recursive object levels for a Business Entity
Note: When you delete a set of recursive object levels for a Business Entity, all the
levels that have been defined for that set are deleted and any reports that used
these levels will no longer run.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list of object types, click the SOXBusEntity (Business Entity) link to
open its detail page.
3. Navigate to the Recursive Object Levels table and click Edit.
4. Navigate to the pane with the set you want to delete, and do the following:
a. Click the Delete link.
b. At the prompt, click OK.
5. When finished, click Save.
6. At the prompt, click OK.
7. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
100
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Modifying Recursive Object Levels
You can add and remove levels in a set for all recursive object types.
Note:
v You cannot delete Level1 for non-entity recursive object types.
v If you modify existing recursive object levels in a set, reports that used these
levels will no longer run.
Procedure
1.
2.
3.
4.
Access the Object Types page (see “Accessing Object Types” on page 185).
From the list, click the name of the recursive object type you want to modify.
On the Recursive Object Levels table, click Edit.
In the definition pane, make the required changes.
To add or remove levels, do the following:
If you want to do this...
Then...
Add another level to the set
Click the (plus symbol) button and type a
unique name for this level.
Remove a level that was added
Click the
(minus symbol) button.
5. When finished, click Save.
6. At the prompt, click OK.
7. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Configuring Object Type Dimensions
To enhance report authoring capability in the dimensional data model, you can
define object type dimensions.
Object Type Dimensions
Object type dimensions allow report authors to represent associations between
object types as a dimension in the reporting framework. The object types do not
have to be directly associated.
Example
A report author works for Global Financial Services (GFS), a large multinational
bank, with an organizational structure that is comprised of many business
functions and groups. The report author has a requirement to create a report that
shows aggregate test results and their associated controls for each division of the
company.
The typical parent-child path in an object hierarchy between Business Entity and
Test Result objects types is: Business Entity - Process - Risk - Control - Test - Test
Result.
To skip object types in the hierarchy and create an association between Business
Entity and Control objects, you could define an object type dimension called
‘Entity-Control.’
Chapter 5. Managing the Reporting Schema and Framework
101
Since you already created a set of recursive object levels for the Business Entity
object type (as shown in Table 17 on page 98), you could use the ‘Division’
recursive object type level as a filter for the starting object type followed by the
Control object type.
If wanted, you can localize the name of the object type dimension for display in
the reporting framework. If no translated text is provided, the value that is typed
into the Name field for the object type dimension is automatically used.
When the Reporting Framework V6 is generated, the ‘Entity-Control’ object type
dimension would be available to report authors under the OBJECT_TYPE_DIMENSIONS
folder in the DEFAULT dimensional namespace.
Selecting a Starting Object Type for a Dimension
Rules apply to the selection of an object type as a starting point for object type
dimensions.
v Any object type can be selected as the starting object type.
v For the Business Entity object type, you can select a recursive object level as a
starting point (for details on recursive object levels, see “Defining Business
Entity Recursive Object Levels” on page 99).
Adding Object Type Dimensions
Use the following instructions to define object type dimensions for generation in
the Reporting Framework V6.
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. On the Object Type Dimensions table, click Add.
3. In the Name box, type a name for this object type dimension.
4. If wanted, localize the text of the Name field for display in the reporting
framework as follows.
Note: If no localized display text is specified, the value in the Name field is
used by default.
a. Click the Translate link.
b. In the Translate window, next to each language you want, type the localized
text into the box.
c. When finished, click Apply.
5. In the Description box, optionally type some descriptive text.
6. Click the Starting Object Type arrow and select an object type or a recursive
object level (if defined for Business Entity object types) from the list, then click
Go.
7. To add another object type to this dimension, do the following:
a. In the Selected Object Types table, under the Actions column, click the
Choose Object Type link.
b. In the Choose Object Type window, select an object type then click Apply.
c. Repeat Steps a and b to add another object type to this dimension.
8. When finished, click Create.
102
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
9. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Modifying Object Type Dimensions
If wanted, you can modify an object type dimension after you create it. Perhaps,
for example, translated text needs to be modified or added, or a previously
selected object type in a level needs to be changed.
Note: If you modify object types in an existing object type dimension, reports that
used this object type dimension will no longer run.
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. From the list in the Object Type Dimensions table, click the name of the object
type dimension you want to modify.
3. Make the changes you want (see Table 19).
Table 19. Modifying an Object Type Dimension
If you want to...
Then do this...
Change an object type Click the Choose Object Type link above the object type you want
to change and make another selection.
Note: When you change an object type, all previously selected
levels below that level are also deleted.
Delete a level
Click the Choose Object Type link above the object type level you
want to delete and clear the selection box.
Note: When you delete a level, all levels below that level are also
deleted.
Change or add
Click the Translate link to open the Translate window.
translation text for the
Name field
4. When finished, click Save.
5. At the prompt, click OK.
6. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Enabling and Disabling Object Type Dimensions
If wanted, you can disable and then re-enable an object type dimension at a later
time.
Note: When you disable an object type dimension, reports that used this object
type dimension will no longer run.
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. In the Object Type Dimensions table, navigate to the row containing the object
type dimension you want to disable or re-enable.
3. Under the Actions column in the same row for that object type dimension, do
one of the following:
Chapter 5. Managing the Reporting Schema and Framework
103
To do this...
Click this link...
Disable an object type dimension
Disable
Enable a previously disabled an object type
dimension
Enable
Note: The link toggles between ‘Disable’ and ‘Enable’ depending on the
selected action.
4. At the prompt, click OK.
5. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
Deleting Object Type Dimensions
When you delete an object type dimension, that object type dimension is
permanently removed from the system and cannot be retrieved.
Note: When you delete an object type dimension, reports that used this object
type dimension will no longer run.
Procedure
1. From the Administration menu select Reporting Framework, and then
Configuration.
2. In the Object Type Dimensions table, navigate to the row containing the object
type dimension you want to delete.
3. Under the Actions column in the same row for that object type dimension,
click the Delete link.
4. At the prompt, click OK.
5. Update the reporting framework to effect the changes (see “Updating the
Reporting Framework” on page 89).
104
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 6. Business Process Visualizations
As a Risk analyst or Compliance manager, you can graphically render your
business process and communicate it to other users of risk analysis. By visualizing
the business process, which can include the subprocesses, activities, risks, and
controls, you can speed the risk management process and data analysis.
Some of the visualizations that you can add to your processes are Business Entity
Organization charts and process diagrams. These built-in templates are available to
help users create interactive visualizations. You can use the visualizations to
communicate information about the process flows and the business organizational
structure and to share the information throughout the enterprise. You can design
the flow of a business process and key components from beginning to end.
The business process visualizations provide users with the following benefits:
Navigation
Users can go from the process flow to the details page of the IBM
OpenPages GRC object or to the Activity View.
Representation
Data is displayed graphically for easier interpretation and analysis.
Context
To understand the context in which models are shown, supporting
information is provided.
By using visualizations, users can achieve the following goals:
v Proactively assess risks that affect the organization.
v Analyze materialized risks, such as losses or violations.
v Identify and track actions in response to risks.
v Identify problems or trouble areas.
v Conduct a risk and control self-assessment to identify missing risks.
v Determine whether the organization has the necessary controls on the risks, and
evaluate those controls.
v Capture changes to laws and regulations, and provide visibility into policies,
incidences, and issues, and ultimately provide the status of regulatory
compliance.
v Report on the data.
The process flow diagrams are dynamic and directly connected to the underlying
data that supports them. The diagrams represent the status of the OpenPages GRC
data. You can directly access data from common databases, such as DB2 and
Oracle, including data that is stored in report services definitions. Report authors
can also embed visualizations in IBM Cognos reports.
Restriction: Navigational views are not available for the following visualization
object types and cannot be defined in any object profile:
v Process Diagram
A process diagram object can be accessed only through the Detail page of the
parent Process object.
v Data Input and Data Output
105
These object types are connectors that are used in visualization diagrams and
can be accessed only through the Detail page of the associated Process and Risk
objects.
As an administrator, even if you enable a navigational view for the Process
Diagram, Data Input, or Data Output object type, the navigation view is not
available as a standard menu item in the appropriate menu for users who are
associated with that profile. These objects are available only in the context of
business process flow and Business Entity visualization diagrams.
If you are upgrading the IBM OpenPages GRC Platform from a version before
7.0.0, the visualization object types and related diagrams are not available. To add
support for visualizations, contact IBM OpenPages Professional Services for
assistance.
The reporting schema is required to successfully render visualizations. Because the
reporting schema is populated only with the data for the current report period,
active reporting periods are not supported for visualizations.
Types of visualizations
Built-in visualizations are provided as a starting point for designing new process
diagrams or viewing the organizational chart for a Business Entity.
By default, the following visualization templates are installed on all IBM
OpenPages GRC systems:
v Business Process Flow visualization
v Business Entity Organizational Charts
Business process flow visualization
Risk professionals can use the process flow visualization to get alignment of
assessment, which includes ensuring the right set of process, risk, and controls are
in place. Users can also update in real time to reflect any changes.
A process flow visualization is a child object of the Process. You can use the
following major elements to build your process flow diagram.
Process Object
Process object types represent the major end-to-end business activities
within a business entity that are subject to risk. Process objects are typically
used in areas such as financial reporting, compliance, and information
security. Depending on the diagram, the process object is not explicitly
shown; however, it exists to provide context.
Subprocesses (or Activities)
A Subprocess object type is a component of a Process object. It is used to
break down processes into smaller granular units for assessment purposes.
Risks
106
Risk object types represent potential liabilities. Risk objects can be
associated with, for example, business processes, business entities, or
compliance with a particular mandate. Each Risk object has one or more
Control objects that are associated with it that provide safeguards against
the risk and help mitigate any consequences that might result from the
risk.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
You can use the Risk object to categorize risks; capture the frequency,
rating, and severity of inherent and residual risk data; and view reports
that help identify your top risk items.
The process flow is visually optimal when risks for each process are fewer
than five.
Controls
Control object types typically represent policies and procedures to help
ensure that risk mitigation responses are carried out. After you identify the
risks in your practices, you can then establish controls (such as approvals,
authorizations, and verifications) that remove, limit, or transfer these
potential risks.
A process flow is visually optimal when you have one to two Controls per
Risk.
The flow of the process is represented by connectors that link the activities, inputs
and outputs, and decision-branching points. You can specify labels for the decision
connections.
All elements and relationships of the Business Process visualizations are stored as
data in the OpenPages repository on the IBM OpenPages server. The element types
are shown or hidden in the Application Object Views that are based on Profiles.
You can have multiple diagrams per process. For example, some diagrams can be
at different stages of the process, such as those diagrams that are published or are
being revised or approved.
Business Entity organization charts
The Hierarchy diagram provides contextual and aggregate views of the Business
Entity data model. The organizational structure of a company is captured as
Business Entity objects in the IBM OpenPages GRC repository, which can be
visualized as an organizational chart.
This type of structure is useful for infrequent users who must understand the
complex model quickly and who have business entities with risk assessments.
Color codes indicate the status that is based on aggregation.
The visualization includes the recursive object levels for the Business Entity object
type. Users can select to show a specified number of levels of the structure. The
following table outlines what the different business levels of the organizational
structure might include.
Table 20. Levels of a Business Entity
Level
Description
1
Company name
2
Divisions and subsidiaries
3
Regions
Because the chart is a rendering of the Business Entity objects and the parent-child
associations, users cannot modify or author a Hierarchy diagram.
Chapter 6. Business Process Visualizations
107
Visualizing a Business Entity organization chart
You can view a graphical representation of the Business Entity as an organization
chart.
Procedure
1. Complete one of the following actions:
v To use a hierarchical view of the Business Entity, click Organization >
Business Entity Overview and select a Business Entity.
v To use the Filtered List View of Business Entities, click Organization >
Business Entities and select a Business Entity.
2. In the details pane, in the Business Entity Chart field, click the Hierarchy
Diagram link.
A new browser window shows the organization chart as a visualization of the
Business Entity. To view the legend, click the down arrow.
3. To view a different level of the organizational chart, from the Level list, click
the level that you want.
In general, level 1 is the company name, level 2 is the divisions and
subsidiaries, and level 3 is the regions and branches. If an element includes a
child level that you can expand further, the element includes an ellipsis in a
small circle.
4. To make a branch within the root level, right-click the element in the chart, and
select Make Root.
Tip: To return to the last level viewed, click Back
5. To view more information about an element in the chart, choose one of the
following actions:
v To view detailed information about an element, right-click the element and
click Properties.
v To open the corresponding Detail page or Activity View for any element,
right-click the element, and click Open Detail Page.
v To show the chart that is zoomed to fit entirely into your browser window,
.
click Fit to Window
6. To refresh the chart and retrieve the most recent data from the database, click
Refresh
.
Visualizing a business process flow
You can view a graphical representation of the flow for a business process and key
components from the beginning of the process to the end.
About this task
The associated IBM Cognos reports control which elements are shown in the
diagram. IBM OpenPages GRC objects are obtained from the report that is
associated with the process. If you want to view only the controls or risks, the
report authors must specify or filter the control or risk data when they design the
report specification.
108
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
If you have permission to view the process, you have permission to view all of its
subprocesses. Although you can view the object associations, you cannot create or
change associations between subprocesses, risks, or controls.
A process diagram can have a status of Draft, Published, or Obsolete.
Procedure
Click Organization > Processes.
In the Filtered List View, select a Process.
On the Process Detail page, under Associations, click Process Diagrams.
On the Process Diagram List page, under Name, click the diagram that you
want to view.
5. In the form page, click the Process Diagram link. The Process Diagram editor is
opened in Read-only mode or Edit mode, depending on your access
permissions to the process.
6. To view more information about the diagram, choose one of the following
actions:
v To view detailed information about an element, right-click the element and
click Properties.
1.
2.
3.
4.
v To open the corresponding Detail page or Activity View for any subprocess,
risk, control, input, or output node, right-click the element, and click Open
Detail Page.
The Detail page is opened in a new browser window, and you can view the
data for the selected object, including fields and any associations it has to
other objects.
v If the connections and nodes in the diagram represent a complex flow and
you want to optimize the visualization, click Auto Layout.
When Auto Layout is turned off, the objects and nodes are pinned to the
canvas as you interact with the diagram. Existing nodes do not move as you
add connecting links to the diagram. As a result, you might have complex
to
routing that is difficult to understand. Click Relayout Diagram
automatically move objects and connecting links to show a less complex
diagram.
If Relayout Diagram is the default setting, the diagram is recast to provide
optimal visualization when you change the diagram.
v To show the diagram so that it is zoomed to fit entirely into your browser
window, click Fit to Window
7. To remove an element from the diagram, right-click the element and click
Remove.
8. To update the diagram with any objects that were added since the diagram was
last saved, click Refresh
Restriction: If you modified the diagram, and you do not complete the refresh
step, and if there is a discrepancy between the current diagram and the
diagram when it was last saved, you cannot save the changes until you resolve
the conflict between the two versions.
9. Click Save.
Chapter 6. Business Process Visualizations
109
If the editor is in Read-only mode, you do not have permission to save the
changes to your diagram.
Creating a process diagram
As a Risk Analyst, you can create the flow or steps of a business process and key
components by using a diagram to visualize the data.
Before you begin
You must have Read+ Write+Associate access to the process diagram object and
Read+Associate access to the parent process object to add a diagram.
About this task
You can show the directional flow of a process through a diagram by connecting
the following elements:
v Subprocesses
v Input and output
v Decision node
The following figure shows how these elements are represented in the diagram
legend.
You can create a process diagram as a child association of the selected Process.
Because the process diagram is a child object of the Process, the diagram is
displayed under Associations in the Process Details page.
You can apply labels to flows or directional links. However, flow data, such as
reporting or logic, must be available to use in the diagram.
If you have permission to view the process, you have permission to view all of its
subprocesses. Although you can view the object associations, you cannot create or
change associations between subprocesses, risks, or controls.
Procedure
1. Click Organization > Processes.
2. Select the process for which you want to graphically show the flow.
3. On the Detail page, under Associations, click Process Diagram.
The Process Diagram list page is displayed.
4. From the Actions menu, click Add a new Process Diagram.
5. In the Name and Description fields, enter information about the process
diagram.
110
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
6. In the Status field, click Draft, and then click Save.
The new process diagram is now available for selection for modifying. In the
Process Diagram detail pane, the Process Diagram link field contains the URL
to the process diagram.
7. In the Process Diagram detail pane, in the Process Diagram link field, click
the link.
When the Process Diagram canvas is opened, the IBM OpenPages GRC objects
that are available for your diagram, and to which you were granted access
permission, are listed on the left. Objects that were removed from the
repository or data model are marked with an X in the upper left corner of the
object. You cannot save diagrams that include objects that are marked for
deletion.
.
Tip: To view the legend, click the down arrow
8. To view more information about an object, complete one or more of the
following actions:
v To view the full label and description of an IBM OpenPages GRC object,
right-click the object and click Properties.
v To open the corresponding Detail page or Activity View for any subprocess,
risk, control, input, or output node, right-click the element, and click Open
Detail Page
Note: The security privileges that are defined for your profile determine
whether you are able to drill to the Detail page or Activity View.
9. To create the process flow, complete the following actions:
v To connect objects, select the first object that you want, and press Ctrl and
click the next object in the flow. When all the objects that you want are
selected, right-click the selection, select Add Link, and select whether the
flow of objects is to the left, right, top, or bottom of the first object.
When the objects are selected, they are removed from the available list of
objects on the left of the window.
v To add a label for the connecting link between two objects, right-click the
link, and select Properties. In the Label field, type the description for the
connector, and click OK.
v To add a decision node, right-click the object, select Add Decision, select
the direction in which you want to place it, and click OK.
Remember: To change the label for the Decision node, right-click the node
and click Properties. In the Label field, enter the condition that must be
met at this stage of the flow and click OK.
v To remove a connector or an object, right-click the element, and select
Delete.
Note: You cannot remove controls or risks that are associated with a
subprocess element.
10. To manage the process flow for better viewing, choose how you want to
optimize it:
v If the connections and nodes in the diagram represent a complex flow, turn
on Auto Layout by clicking Auto Layout.
Tip: By default, Auto Layout is turned off. When Auto Layout is turned
off, the objects and nodes are pinned to the canvas as you interact with the
Chapter 6. Business Process Visualizations
111
diagram. Existing nodes do not move as you add connecting links to the
process flow. As a result, you might have complex routing that is difficult to
understand. You can click Relayout Diagram
to automatically move
objects and connecting links to show a less complex diagram.
If Relayout Diagram is the default setting and you change the diagram, the
diagram is changed to provide optimal visualization.
v To show the diagram so that it is zoomed to fit entirely into your browser
.
window, click Fit to Window
11. To save the process diagram that is associated with the process, click Save.
Related concept
Chapter 6, “Business Process Visualizations,” on page 105
As a Risk analyst or Compliance manager, you can graphically render your
business process and communicate it to other users of risk analysis. By
visualizing the business process, which can include the subprocesses, activities,
risks, and controls, you can speed the risk management process and data
analysis.
Updating process diagrams
If the source data or objects that a process diagram is using change, you can
refresh the diagram to ensure that you are working with the latest version of the
objects or data.
About this task
When you refresh a process diagram, you are retrieving the latest changes and
updates from the IBM OpenPages GRC repository.
Procedure
1. Open a process diagram.
a. Click Organization > Processes.
b. Under the Folder View, expand the folders and select the parent process
that contains the associated process diagram that you want to refresh.
c. Under Associations, click Process Diagrams.
The Process Detail page shows the process diagrams that are associated to
the process object.
d. Click the diagram that contains the process flow you that you want to
update.
e. In the field pane, in the Process Diagram Link property, click the Process
Diagram link.
The Process Diagram canvas is opened in a separate window.
.
2. To refresh the data, click Refresh
If you did not save the diagram or chart, a warning asks if want to update the
diagram or chart without saving the current flow.
112
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Results
The refresh process manages the GRC objects in one or more of the following
ways:
v If the GRC object is not in the current diagram, the object and the child objects
are added.
v If the GRC object is in the current diagram but was deleted from the system, it
is marked as deleted with a red symbol at the upper left corner of the object.
v If the GRC object in the current diagram was modified (for example, a change in
name, description, or status), the GRC object data is updated.
A GRC object might not be available for use in the diagram because the object was
deleted from the IBM OpenPages system or you do not have Read access to the
object.
Process diagrams management
After you create a process diagram, you can change its status, field properties, or
process flow. You can also import from and export the diagram to another IBM
OpenPages system.
Modifying a process diagram
As a Risk Analyst, you want to revise an existing process diagram because you
want the diagram to reflect changes in the current process flow, subprocesses,
risks, or controls.
Before you begin
To change an OpenPages GRC object, such as a Risk or Process or a Process
Diagram object, you must have Write access to it. To view and add objects or
nodes to the process diagram, you must have Read access to those objects.
In addition, administrators can use security rules to define a more granular control
over access to individual objects in a folder.
About this task
You can create or delete the decision elements of the process diagram, but you
cannot delete the subprocesses, input and output objects, and risks and controls.
When you delete the subprocesses, input, and output elements from the diagram,
they are returned to the selectable list of diagram objects for future use. Deleting
these objects means that they are removed from the diagram and not from the IBM
OpenPages system.
Procedure
1. Click Organization > Processes.
2. Under Folder View, expand the folder that contains the parent process that is
associated with the process diagram that you want to revise.
3. Under Associations, click Process Diagrams.
The Process Detail page shows the process diagrams that are associated to the
process object.
4. Click the diagram that contains the process flow you that you want to change.
The field pane is displayed below the list of diagrams.
Chapter 6. Business Process Visualizations
113
5. In the field pane, in the Process Diagram Link property, click the Process
Diagram link.
When the Process Diagram canvas is opened, the IBM OpenPages GRC objects
that are available for your diagram, and to which you were granted access
permission, are listed on the left. Objects that were removed from the
repository or data model are marked with an X in the upper left corner of the
object. You cannot save diagrams that include objects that are marked for
deletion.
.
Tip: To view the legend, click the down arrow
If the editor is in Read-only mode, you do not have permission to save the
changes to your diagram.
6. To refresh the data, click Refresh
.
If you did not save the diagram or chart, a warning message asks if want to
update the diagram or chart without saving the current flow.
7. Complete one or more of the following steps to change the process flow:
v To view detailed information about an element, right-click the element and
click Properties.
v To open the corresponding Detail page or Activity View for any subprocess,
risk, control, input, or output node, right-click the element, and click Open
Detail Page.
The Detail page is opened in a new browser window, and you can view the
data for the selected object, including fields and any associations it has to
other objects.
v If the connections and nodes in the diagram represent a complex flow, and
you want to optimize the visualization, turn on Auto Layout by clicking
Auto Layout.
Tip: When Auto Layout is turned off, the objects and nodes are pinned to
the canvas as you interact with the diagram. Existing nodes do not move as
you add connecting links to the diagram. As a result, you might have
complex routing that is difficult to understand. You can click Relayout
To automatically move objects and connecting links to show
Diagram
a less complex diagram.
If Relayout Diagram is the default setting and you change the diagram, the
diagram is recast to provide optimal visualization.
v To show the diagram so that it is zoomed to fit entirely into your browser
window, click Fit to Window
8. To modify the process flow, complete the following actions:
v To connect objects, select the first object that you want, and press Ctrl and
click the next object in the flow. When all the objects that you want are
selected, right-click the selection, select Add Link, and select whether the
flow of objects is to the left, right, top, or bottom of the first object.
When the objects are selected, they are removed from the available list of
objects in the left pane.
114
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v To add a label for the connecting line between two objects, right-click the
link, and select Properties. In the Label field, type the description for the
connector.
v To add a decision node, right-click the object, click Add Decision, and then
click the direction in which you want to place it.
Remember: To change the label for the Decision node, right-click the node
and click Properties. In the Label field, enter the condition that must be met
at this stage of the flow and click OK.
v To remove a connector or an object, right-click the element, and select Delete.
Note: You cannot remove controls or risks that are associated with a
subprocess element.
9. To save the process diagram that is associated with the process, click Save.
Copying a process diagram to use as a template
You can create a process diagram that is based on the process flow of an existing
diagram. Instead of creating the structure of a process diagram from scratch, you
can copy a diagram with a predefined process flow.
About this task
You cannot copy a process diagram to a different parent process. However, you
can copy a diagram within the same process. When a parent process is copied
from one business entity to another, the process diagram is included in the objects
that are copied.
Procedure
1. From the Organization menu, click Processes.
2. Select the process that contains the associated process diagram that you want to
copy.
3. On the Process Detail page, under Associations, click Process Diagram.
The Process Diagrams list page is displayed.
4. From the Actions menu, click Copy an existing Process Diagram.
The Copy Process Diagrams - Select Process Diagrams page is displayed.
5. On the Folder View tab, select the diagram whose process flow you want to
copy, and click Next.
6. Under Copy Options, select whether you want to copy associated files or
associated issues.
7. Under Resolving naming conflicts, choose how you want to copy and later
identify the new process diagram.
v To create a new version of the diagram with the same name, select Create a
new version of the existing object in the destination directory
v To create a new diagram by using the selected diagram as the template,
select Create new object whose name is prefixed with 'Copy of'.
v To prevent the addition of process diagrams with similar names, select Do
not copy resources with naming conflicts.
Results
A copy of the process diagram is included in the list of diagrams on the Process
Detail page.
Chapter 6. Business Process Visualizations
115
Changing the status of a process diagram
The status of a process diagram indicates whether the design of the business flow
is in progress or is in the approved state. By changing the status, the diagram
author can explicitly show whether the diagram is available for use in the
decision-making process.
Procedure
1. From the Organization menu, click Processes.
2. Under Folder View, expand the folders to locate the process for which you
want to change the status.
3. On the Process Detail page, under Associations, click Process Diagrams.
4. From the Process Diagrams detail page, under Name, click the process diagram
whose status you want to change.
5. In the field pane, from the Actions menu, click Edit this Process Diagram.
6. In the Status field, select one of the following states for your diagram:
v If work on the diagram is in progress, click Draft.
v If the diagram is ready for approval, click Published.
v If the diagram is out-of-date and no longer reflects your current process flow,
click Obsolete.
If the diagram has a status of Obsolete, it is not removed from the OpenPages
system. However, users cannot refer to it for decision making because it does
not contain updated process flows for the Business Entity.
7. Click Save.
Exporting a process diagram from an IBM OpenPages
environment
Use the ObjectManager tool to export process diagram data from an IBM
OpenPages GRC Platform environment. The export includes both child and parent
hierarchies of a process.
Before you begin
You must know the full path of the process object, which is the parent of the
process diagram that you want to export.
For example:
/_op_sox/Project/Default/ICDocumentation/Processes/TopEntity/
Process_filename.txt
Before you modify the ObjectManager.properties file, make a backup copy of the
file. When you are using the ObjectManager tool, ensure that the IBM OpenPages
GRC Platform application services are running.
About this task
You can use ObjectManager settings to specify which process diagrams you want
to export by defining the folder path of the parent process for the process diagram.
To control or limit the scope of exported data from the ObjectManager tool, you
must first modify the ObjectManager.properties file, which contains configuration
and migration settings.
116
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Verify that the IBM OpenPages application is running.
2. On the source IBM OpenPages system, in a text editor, open the
ObjectManager.properties file and set the following properties where full_path
is the full path of the process object that you want to use as the scope for the
export:
configuration.manager.dump.associated.resources.root.node.1=full_path
Change the values of the parameters whose names begin with the pattern
configuration.manager.dump.from true to false
configuration.manager.dump.associated.resources=true
Tip: The ObjectManager.properties file is in the root_installation_folder/
bin directory where root_installation_folder is the folder of your IBM OpenPages
installation.
3. At the command line, go to the bin installation directory. For example, cd
C:\OpenPages\bin
4. At the command line, type one of the following commands on a single line:
v On a computer that is running a Microsoft Windows operating system:
ObjectManager d c Super_Administrator_Account
Super_Administrator_Password OP_Home\export dump_file_name
v On a computer that is running an AIX or Linux operating system:
ObjectManager.sh d c Super_Administrator_Account
Super_Administrator_Password OP_Home\export dump_file_name
Two loader files are created in the OP_Home\export folder: loader_file_prefixop-config.xml and loader_file_prefix_op-file-content.zip where
loader_file_prefix is the dump_file_name.
These files contain the process hierarchy instance data, including the process
diagram data.
What to do next
On the target IBM OpenPages GRC Platform server, extract the files from the
output file.
“Running ObjectManager Commands” on page 643
“Modifying the ObjectManager Properties File” on page 649
The ObjectManager.properties file contains a number of settings that can
control or limit the scope of exported (dumped) configuration and related data
from the ObjectManager tool.
Importing a process diagram to an IBM OpenPages
environment
Use the ObjectManager tool to import process diagram data to an IBM OpenPages
environment. You can use a loader file to import the instance data to the IBM
OpenPages repository on the target server.
Before you begin
When you are using the ObjectManager tool, ensure that the IBM OpenPages GRC
Platform application services are running.
Chapter 6. Business Process Visualizations
117
Procedure
1. On the target server, copy the two dump files that contain the process diagram
and related data to an extract_folder.
2. In a text editor, open the ObjectManager.properties file and set the following
property:
configuration.manager.load.resource.ignore.undefined.property.value=true
Tip: The ObjectManager.properties file is in the root_installation_folder/
bin directory where root_installation_folder is the folder of your IBM OpenPages
installation.
3. At the command line, go to the bin installation directory. For example, cd
C:\OpenPages\bin
4. At the command line, type one of the following ObjectManager commands on a
single line:
v On a computer that is running a Microsoft Windows operating system:
ObjectManager l c Super_Administrator_Account
Super_Administrator_Password extract_folder_name dump_file_name
v On a computer that is running an AIX or Linux operating system:
ObjectManager.sh l c Super_Administrator_Account
Super_Administrator_Password extract_folder_name dump_file_name
Results
The following rules are observed when you import the process diagram objects:
v If the objects with matching data exist on the target environment, the objects are
not overwritten.
v If the objects with different field values exist on the target environment, new
versions of the objects are created with data from the import file.
v If the objects do not exist on the target environment, new objects are created and
associations are defined.
Deleting a process diagram
You can delete process diagrams that are obsolete or do not accurately reflect a
process flow of the business entity.
About this task
When you delete a process diagram, all associated items are also deleted.
Only users with Delete permission can delete a process diagram.
Procedure
1. From the Organization menu, click Processes.
2. Under the Folder View, expand the folders to locate the process diagram that
you want to delete.
3. On the Process Detail page, under Associations, select Process Diagrams.
4. Under Name, select the check boxes next to the process diagrams that you
want to delete.
5. From the Actions menu, click Delete selected Process Diagrams.
6. At the confirmation prompt, click OK to delete the process diagrams.
118
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Modifying field properties of a process diagram
You can modify the properties of a process diagram when you want to change the
name, description, or status of the diagram.
Procedure
1. From the Organization menu, click Processes.
2. Under Folder View, expand the folders to go to the process for which you
want to modify the details.
3. On the Process Detail page, under Associations, click Process Diagrams.
4. Under Name, click the process diagram whose details you want to change.
5. In the Fields pane, from the Actions menu, click Edit this Process Diagram.
6. Make the necessary modifications and click Save.
Chapter 6. Business Process Visualizations
119
120
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 7. Managing Reports
The IBM OpenPages application contains a set of reports that allows users with the
correct permissions to quickly view and organize information about the current
state of your, for example, financial, compliance, or operational project. For
example, users can quickly view information grouped by either user, by location,
or view.
Accessing Reports From the Application User Interface
You can access reports from the IBM OpenPages application user interface.
They are typically found in the /openpages folder.
Procedure
1. From a browser window, log on to the IBM OpenPages application user
interface.
2. Select Reporting on the menu bar and choose a report from the list. A separate
browser window opens with the selected report.
If you selected the ‘All Reports’ option, the Reports page is displayed. From the
list on the Reports page, click the name of the report you want to launch.
Note: Depending on your configuration, application, and permissions, you
may see different reports and folders.
3. If this is a "scoped" report, at the prompt, choose the object where you want the
report to run from. For example, if you select a business entity, then the report
will use the selected business entity as the starting point and limit the scope of
the report to all objects contained below that entity.
If the report is not scoped, it will run as soon as you click the name of the
report.
Supplied Reports
The IBM OpenPages application comes with a selection of predefined reports that
allow you to quickly view important information about your project.
The IBM OpenPages application contains supplied reports (grouped by folder).
Note: The list of reports in this documentation is for a fresh installation of the IBM
OpenPages application. If you have additional reports tailored to your particular
business needs or have upgraded from an earlier version of the IBM OpenPages
application, the classification of the supplied reports may differ from the
classification documented here.
IBM OpenPages V6 Folder Reports
The IBM OpenPages V6 folder contains a number of sub-folders (listed in the
following sections) and the following report, which resides at the top level of the
reporting hierarchy.
121
Report Name
Description
All Documentation
Detailed view of an organization's entity hierarchy, associated
internal controls documentation, and counts of related issues, files
and links in the current reporting period. This is filtered by
business entity. There are detailed sub-reports for each count.
Administrative Reports Folder
The IBM OpenPages application comes with the following, predefined
administrative reports:
Report Name
Description
Checked Out Files
Listing of attached Files in a checked out state in the current
reporting period.
You can sort by:
v Name of File.
v Full Path of the folder where the File is stored.
v User who has the File checked out.
v Date the File was checked out.
Disassociated Objects
Listing of objects that do not have associated parent objects in the
current reporting period. You can filter for specific object types and
can sort by:
v Name of object.
v Full Path of the folder where the object is stored.
Audit Reports Folder
In addition to the reports listed in the following table, the Audit Reports Folder
contains the following sub-folders:
v Configuration (see Table 22 on page 124)
v Security (see Table 23 on page 124)
Report Name
Description
Audit Change
Lists all object changes that fulfill the user’s run-time filtering
criteria. Users can filter the report on Business Entity, Start Time,
End Time, specific object type, and status. For an explanation of
audit events and the values in the Status and Item columns of the
report, see “Description of Audit Change Events and Values.”
Audit Summary
Administrative summary of changes to documentation data,
filtered by date and time range. You can also filter by Business
Entity and object type and drill into a detailed Audit sub-report.
Description of Audit Change Events and Values
An audit event is a combination of an action and object aspect (that is, the object, a
relationship, or attribute of the object) that was affected by the event. The Audit
Change report exposes change events for any field value change.
Note: This information also applies to the detail sub-report from the Audit
Summary report.
122
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
To fully understand the nature of each type of audit event it is useful to have the
context of how objects are created, associated, and shared.
In the hierarchy of objects in the system, a child object (such as a Control) may be
associated to more than one parent object (such as a Risk). Conversely, any one
parent object (such as a Risk) may have several associations to different child
objects (such as Controls). These associations or relationships are flagged as one of
two types--either Primary or Non-Primary.
Although any one parent object (such as a Risk) may have multiple child objects
(such as Controls), for any given child object the system allows only one of the
object’s parent-child relationships to be marked as "Primary". Primary associations
are used to determine the path the system should follow when executing a number
of operations that require object hierarchy traversal.
In the IBM OpenPages application, the following operations traverse the Primary
Association path:
v SCOR rule execution
v Cascade Delete (including those requested by SCOR delete rules)
v Sign-offs, Locking and Un-Locking
v Hierarchical copy and move
In general, Audit Trail Reports are "parent object centric" when reporting on events
that pertain to an object’s associations. This means that for a given object, all
association-related events are those where the object acts as a parent. Events where
the object acts as a child are reported in context of the corresponding parent
objects.
Table 21 lists the various audit change values that are listed in the Action column
of the Audit Change Report with a brief description of the value and the affected
object aspect.
Table 21. Audit Change Report Values
If the Status column
has this value...
And the Item column
has this value...
Then it indicates that...
Added
Association
An object was associated as a child object in
the hierarchy.
Object
A new object was created in the repository.
Version
A new version of the object was created in
the repository.
Changed
<property name>
The value of an object’s system or extended
property was modified.
Removed
Object
The object was logically deleted from the
repository.
Association
An object was removed as a child object.
Association
The association has been changed to
Non-Primary. This could happen if the user
selects another object relationship to be the
Primary parent-child association or the
current Primary association was deleted.
Removed Primary
Chapter 7. Managing Reports
123
Table 21. Audit Change Report Values (continued)
If the Status column
has this value...
And the Item column
has this value...
Then it indicates that...
Added Primary
Association
The association type has been set to
Primary as described in the above section.
This first association will always be set to
Primary
Table 22. Configuration Folder
Report Name
Description
Configuration Audit
Lists all configuration changes made to the IBM OpenPages
application during the chosen date range.
Table 23. Security Folder
Report Name
Description
Administrator
Permissions
Lists each administrator and their granted permissions for each
Security Domain they administer.
Security Domain Role
Assignments
Lists each Security Domain to which the selected roles are
assigned.
Login Activity
Summary
Lists all users who have accessed the IBM OpenPages system
during the specified date range. Each user is listed with the last
login time, when they last changed their password, and how many
times they logged in.
Login Activity Log
Lists all user activity during the specified date range. Report users
can filter on date range, operation (log in or log out), login status
(Failed or Succeeded), and number of login attempts.
Roles by Security
Domain
Lists each role assigned to the selected Security Domain.
Roles by User
Lists each user and group with their assigned role for the selected
Security Domain.
User Role
Assignments
Lists all the roles in the system with the assigned user or group for
each Security Domain.
Issue Reports Folder
124
Report Name
Description
Issue List
Detailed listing of Issues and associated parent objects, filtered by
reporting period and Business Entity.
Note: This report shows a subset of the Issues present in the
system. To appear in this report, Issues must be associated with
objects that are accessible through direct relationships in the
default namespace. For example, Issues associated with Controls
that are indirectly associated with a Risk Assessment will not
appear, while Issues associated with Risks that are directly
associated in a chain, from Business Entity to Process or
Sub-process to Control Objective, will appear.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Report Name
Description
Issues and Action
Items
Lists Issues and associated Action Items for the chosen reporting
period and Business Entity.
Note: This report shows a subset of the Issues and Action Items
present in the system. To appear in this report, Issues must be
associated with objects that are accessible through direct
relationships in the default namespace. For example, Issues
associated with Controls that are indirectly associated with a Risk
Assessment will not appear, while Issues associated with Risks that
are directly associated in a chain, from Business Entity to Process
or Sub-process to Control Objective, will appear.
Workflow Reports Folder
Report Name
Description
Active Tasks
Administrative listing of all active workflow jobs and the
corresponding task name, creation date and assignee, grouped by
Job.
Jobs and Tasks
Displays information about the jobs and tasks in the system (such
as task status, task owner, job initiator, job identifier). Allows you
to filter the results by Job ID, Job Type, Initiator, and a date range
for when the job was created.
Adding Reports
To run a report from the IBM OpenPages application user interface, the report
must have a corresponding report page published on the IBM OpenPages
application server.
A report page does the following:
v Adds a link on the Reporting menu and All Reports page to launch the Cognos
report from the IBM OpenPages application user interface
v Specifies the parameters for launching the report
v Specifies the keys used for localizing the report name and description in the IBM
OpenPages application user interface
All Studio report pages are based on the Cognos Report Redirect page template,
and all Cognos Workspace report pages are based on the Cognos Dashboard
Redirect page template. These templates are located at the root of the ‘Reporting’
publishing channel on the IBM OpenPages server.
You can use one of the following methods to add new reports to the IBM
OpenPages application user interface.
v
IBM OpenPages application user interface - this method automatically generates
the required report page and application text keys. This is the recommended
method and requires IBM OpenPages 5.5 or later. For details, see “Using the
Application User Interface to Add Reports” on page 126.
v
IBM OpenPages server administrator interface - this method involves using the
publishing channels facility on the IBM OpenPages server to manually create the
required report page and publish the report. This method is typically used for
editing report pages, troubleshooting publishing issues, and for versions of IBM
OpenPages prior to 5.5. For instructions on manually creating and publishing
Report Pages, see “Manually Creating a New Instance of a Report” on page 129.
Chapter 7. Managing Reports
125
Using the Application User Interface to Add Reports
You can add a report from the IBM OpenPages application user interface.
When you add a report, the following process occurs:
v A corresponding report page is automatically generated on the IBM OpenPages
server based on the CommandCenter Report Redirect page template.
v The report is published, by default, to the U.S. English locale.
v If the report name and description are not specified for a locale, the values in
the U.S. English locale are used by default.
v Report name and description application text keys are automatically created in
the ‘Miscellaneous’ folder on the Application Text page and populated with the
specified values.
These key values are used for localizing the report name and description on the
‘My Reports’ section of the Home page and on the Reporting menu and page.
To modify these key values, see “Localizing Application Text” on page 284.
Before you begin
Before you can add a Cognos report from the IBM OpenPages application user
interface, you must have details about the report available.
v The name of the report
v A description of the report
v The path and name of the folder to be deployed (the folder selection will be
filtered to list report folders only). By default, the path is /_cw_channels/
Reporting/SOX.
Example
A new unpublished report was created called ‘My Control Summary’ that resides
in the OPENPAGES_SHARED folder on the Cognos server. You want to publish the
report to make it available for users in the U.S. English and Japanese locales.
From the ‘Reports’ page in the IBM OpenPages application, you click ‘Add’ and
select the report from the listing. For the U.S. English locale (this locale is
automatically selected by default), you type in ‘My Control Summary’ for the
report name, and ‘All controls assigned to me’ as the description for the report.
You then select the Japanese locale and type in a localized name and description.
The application text keys for the ‘My Control Summary’ report that are
automatically generated under the ‘Miscellaneous’ folder on the Application Text
page may look similar to these:
report.name.openpages.shared.my.control.summary and
report.description.openpages.shared.my.control.summary.
If wanted, you can use these keys to modify the report name or description that is
displayed on the application user interface for a locale.
Attention: To view the new report on the Reports menu, users must log out and
log back in to the application.
126
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Limitations
Publishing report pages from the application user interface has some limitations.
v You can publish only one report at a time.
v If you want to edit existing reports, you must use the publishing channels
facility on the IBM OpenPages server (for details, see “Modifying an Existing
Report Template” on page 133).
v If the initial publishing process failed to publish a report to any locale other than
English, you must use the publishing channels facility on the OpenPages server
to add that report (for details, see “Manually Creating a New Instance of a
Report” on page 129).
Accessing the Publish Report Page
To access the Add button on the Reports page, you must have the Add Pages
application permission set on your account (for details, see “Configuring
Application Permissions” on page 21).
Procedure
1. From a browser window, log on to the IBM OpenPages application user
interface as a user with the Add Pages application permission set.
2. From the menu bar, select Reporting and click All Reports.
3. Click Add to go to the Publish Report page.
Publishing a Report From the Application User Interface
The Report selection list contains all available reports that are not already
published.
Procedure
1. Access the Publish Report page (see “Accessing the Publish Report Page”).
2. Click the Report arrow and select a report from the list.
3. Select the check box for each locale in which you want the report to display.
For example, German. The U.S. English locale is selected by default.
4. In the Name field for each selected locale, type the display name of the report.
This name will be displayed to users in the report selection list and on the
Reports page, and, if configured on the Home page, in a tab or in a pane on
the My Work tab.
5. In the Description field for each locale, type a description of the report. This
description will be displayed to users on the Reports page.
Note: Any locale for which you do not specify a localized name and
description will, by default, contain the U.S. English name and description.
6. When finished, click Save.
After the report is published, a link to launch the report is displayed on the
Reports page along with a description of the report, and the report name is
added to the list of selections on the Reporting menu.
About Modifying the Displayed Report Name or Description
You can localize and modify the name and description that is displayed to users
on the IBM OpenPages for a report in a given locale.
You do this by locating the application text keys that correspond to the name and
description of the report and then modifying the value in the key for that locale.
Chapter 7. Managing Reports
127
For more information and instructions, see “About Modifying Display Text in the
Application User Interface” on page 286.
Working With Reports
The information described in this section requires access to the IBM OpenPages
server administrator interface.
Before you begin
The applet in IBM OpenPages Server (typically /opx) requires the Java Runtime
Environment 6 installed on the client where you launch the Internet Explorer.
Procedure
1. Launch Internet Explorer.
a. If you already have 64-bit Java 6 installed, launch 64-bit Internet Explorer.
b. If you already have 32-bit Java 6 installed, launch 32-bit Internet Explorer.
2. When you navigate to the pages in IBM OpenPages Server that requires the
Java applet, a dialog displays asking you to run the applet.
a. Click Run to run the applet.
b. If you do not have Java installed on the client side, when you navigate to
the pages in IBM OpenPages Server that requires the Java applet, you are
prompted to install Java Runtime Environment 6 Update 11. Click Install to
proceed with the installation.
Once the installation is done, the browser automatically resumes and
prompts you to run the applet on the browser.
Note: The Internet Explorer Enhanced Security Configuration should be
disabled in order to allow the installation of Java.
Understanding Reports
Reports are generated by combining report pages and page templates that provide
necessary information about the filtering and sorting of the report contents, as well
as the displayed name and description of the report.
Reports (both Cognos and JSP) are represented in a publishing channel by a page
template which lists the parameters that the source file needs in order to create a
report. A report page is an instance of a page template, and contains a set of values
for the parameters specified in the page template.
In this manner, a single page template can be supplied with multiple sets of values
for its parameters. This allows the IBM OpenPages application to create multiple
reports based on the same layout and internal logic. Each report page represents a
report as viewed in the IBM OpenPages application.
Report pages and page templates reside on the IBM OpenPages server.
Note:
v Cognos reports can be published through the application user interface. This
method automatically generates a corresponding report page and application
text keys for localizing the selected report. For details, see “Adding Reports” on
page 125.
128
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Reports that are placed under the Reporting/SOX folder structure on the
application server are published to the U.S. English locale. To publish to a
different locale, choose the /SOX folder under the locale you want (for example,
ja_JP/SOX for the Japanese locale).
v All Cognos report pages are based on the Cognos Report Redirect page
template, which is located at the root of the ‘Reporting’ publishing channel on
the IBM OpenPages server.
Locating Report Files
Report files, such as report pages, page templates, and JavaServer Pages (JSP)
reports, are located in the OpenPages repository on the IBM OpenPages server.
The OpenPages repository handles the data storage and access capabilities for the
IBM OpenPages application. In order to create, modify, or delete IBM OpenPages
reports, you must have an IBM OpenPages account with permission to modify
publishing channels. If you are not sure whether you have access to this
functionality, see your IBM OpenPages Administrator for additional information.
Accessing Report Pages and Page Templates
You can access report pages and page templates for JSP reports and report pages.
Note: The following procedure applies to JSP reports and Cognos report pages.
Before you begin
OpenPages administrators should be a member of the OPAdministrators group to
access report pages and page templates. If you are not a member of this group,
you will receive the following message:
You do not have permission to view this file.
Procedure
1. From a browser window, log on to the IBM OpenPages server (typically /opx)
as a user with the correct Reporting permissions.
2. Click the Browse channels link under the Publishing heading in the left
navigation Action menu. This displays a list of the available publishing
channels.
Note: If you cannot see the Publishing heading, you do not have the correct
permissions. See your IBM OpenPages Administrator.
3. Click the Reporting folder. A list of files and folders is displayed.
Each folder represents a report grouping in the IBM OpenPages user interface.
Each ‘Page’ file represents an IBM OpenPages report.
Manually Creating a New Instance of a Report
To manually create a new instance of a report, you must log on to the IBM
OpenPages server, and create a new report page based on a copy of an existing
page template.
The new report page will display clickable links in the IBM OpenPages application
user interface for running the new report.
Note: The following procedure applies to JSP reports and Cognos report pages.
Chapter 7. Managing Reports
129
Note:
v Cognos reports can be published through the application user interface. This
method automatically generates a corresponding report page and application
text keys for localizing the selected report. For details, see “Adding Reports” on
page 125.
v Reports that are placed under the Reporting/SOX folder structure on the
application server are published to the U.S. English locale. To publish to a
different locale, choose the /SOX folder under the locale you want (for example,
ja_JP/SOX for the Japanese locale).
v All Cognos report pages are based on the Cognos Report Redirect page
template, which is located at the root of the ‘Reporting’ publishing channel on
the IBM OpenPages server.
Identify the Page Template
You can determine which existing report page you want to copy from or use as the
basis of a new report page.
Procedure
1. From a browser window, log on to the IBM OpenPages server (typically /opx)
as a user with the correct Reporting permissions.
2. If you already know which page template you want to use, skip to the next
task.
Otherwise, do the following to determine which existing report page you want
to copy from or use as the basis of the new report page:
a. Click the Browse channels link under the Publishing heading in the Action
menu.
b. Click the Reporting channel link and navigate through the folder structure
to the IBM OpenPages report you want to copy or use and modify as the
basis of a new report.
c. Click the name of the report page to open its detail page.
d. In the General Information table on the detail report page, note the value
of the Template field. You will need to either reference this template or
make a copy of the referenced template.
Creating a Report Page
To create a new report, you must log on to the IBM OpenPages server, and create a
new report page based on a copy of an existing page template.
Procedure
1. Click the Browse channels link in the Action menu.
2. Click the Reporting channel link and navigate to the folder where you want
the report page to be created.
For example, a report page for a new Cognos report in the U.S. English locale
would be placed in the Reporting/SOX/OpenPages V6 folder.
If wanted, create a category folder for grouping the reports under the
appropriate /SOX folder. For example, to create a new report grouping titled
‘My Custom Reports’ on the Reporting menu and Reports page in the IBM
OpenPages application for the U.S. English locale, you could create a folder
with the path Reporting/SOX/My Custom Reports. Any report pages placed in
the folder will appear under that grouping in the reporting sections of the
IBM OpenPages application.
3. Click the Add Page button at the top of the window.
130
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
4. In the Describe page step of the Add a Page wizard, do the following:
a. Type an informative name and description for the report.
Note: You will not be able to change the name of a report after it is
created.
b. Choose the page template you will use to create the report. For reports
from IBM Cognos Analysis Studio, IBM Cognos Query Studio, or IBM
Cognos Report Studio, or IBM Cognos Workspace, use the CommandCenter
Report Redirect page template.
c. Click Next.
5. If this is a JSP report, skip to Step 7. Otherwise, for a Cognos Studio report
based on the CommandCenter Report Redirect page template, in the Specify
page contents step in the Add a Page wizard, do the following.
a. Select a value for each of the following fields:
Table 24. Cognos Report Redirect Selection Fields
Field Name
Description
Report Type
The IBM Cognos Studio application used to develop the report.
Valid values are:
v report (for Cognos Report Studio, this is the default value)
v query (for Cognos Query Studio)
v analysis (for Cognos Analysis Studio)
v pagelet (for Cognos Workspace, a type of dashboard that can
contain multiple content pieces, including reports, on a single
page)
Open with
The method for opening the report.
Valid values are:
v CognosViewer — opens the report in view-only mode, this is the
default value; required for the pagelet report type.
v ReportStudio — opens the report in Cognos Report Studio so it
can be modified.
v QueryStudio — opens the report in Cognos Query Studio so it
can be modified.
v AnalysisStudio — opens the report in Cognos Analysis Studio
so it can be modified.
v CognosWorkspace — enables the report to be opened in Cognos
Workspace.
Report Format
The display format for the report.
Valid values are:
v HTML (This is the default value. This value is required for Cognos
Workspace reports.)
v PDF
v XLS
v XLWA
Chapter 7. Managing Reports
131
Table 24. Cognos Report Redirect Selection Fields (continued)
Field Name
Description
Show prompt page
Determines whether or not a prompt page is always displayed for
a report.
If the value is set to:
v Yes — a prompt page is always displayed even if the report has
no required prompts.
v No — a prompt page only displays if it is required by the report
design. This value is set by default.
Report Folder
The report folders must be syntactically correct and separated by
forward slashes. The Public Folders folder is assumed, and does
not need to be included in the Report Folder field. For example,
the report folder could be Vision 2013/Workspaces.
Report Name
The report name must be the name that you want to appear in
IBM Cognos Connection.
b. Skip to Step 8.
6. For a report based on the CommandCenter Dashboard Redirect page template,
in the Specify page contents step in the Add a Page wizard, do the following:
a. Click the Mode arrow and select the method for opening the dashboard.
Valid values are:
v view (opens the dashboard in view-only mode, this is the default value)
v edit (opens the dashboard in Cognos Workspace so it can be modified)
b. Skip to Step 8.
7. For a JSP report, enter the sorting and filtering information for the report.
8. Enter values for all required fields (required fields have a red asterisk *)
including key field information as follows:
Table 25. Report Page Key Fields
Key Field
Format
Description
Report Name Key
report.name.<user-defined>
A key that references
an application text
string for localizing
the title of the report.
Example
report.name.control.analysis
Report Description
Key
report.description.<user-defined>
Example
report.description.control.analysis
A key that references
an application text
string for localizing a
description of the
report.
Note: You can use the values in the Report Name Key and Report
Description Key fields on the report page to manually create custom
application text keys to localize the name and description of a report after it is
created. For details, see “Using the Custom Folder” on page 290.
9. Click Apply to save the modifications.
10. Click Finish to create the new report page and exit the wizard.
132
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Results
When you log on to the IBM OpenPages application user interface, the new report
should be visible in the selections on the Reporting menu and on the Reports page.
Modifying an Existing Report Template
You can modify an existing report template.
Important: If you want to modify one of the supplied report templates for your
own purposes, you must copy the report template to a new location outside the
SOX folder structure, and then modify the copied template. Otherwise, you will risk
losing your changes when upgrading to a newer version of the IBM OpenPages
application.
Procedure
1.
2.
3.
4.
5.
From a browser window, log on to the IBM OpenPages server (typically /opx)
as a user with the correct Reporting permissions.
Click the Browse Channels link under the Publishing heading in the left
navigation Action menu.
Navigate to the report you want to modify and click the report name to display
the detail page.
Find the section containing the information you want to change, and click the
Edit... button above the section. An editable version of the information is
displayed.
Change the desired settings. For JSP reports, if you are changing the parameter
sorting information, you will need to click Apply before clicking Save.
Note: You cannot modify the name of a report. In order to change the name of
a report, you must delete the misnamed report and create an identical report
with the new name.
As an alternative, you can use the values in the ‘Report Name Key’ and ‘Report
Description Key’ fields on the report page to manually create custom
application text keys to localize the name and description of a report after it is
created. For details, see “Using the Custom Folder” on page 290.
6. When finished, click Save. The modified information is saved and immediately
applied to the report.
Deleting a Report
You can delete an instance of a JSP report or report page for a Cognos report.
Procedure
1. From a browser window, log on to the IBM OpenPages server (typically /opx)
as a user with the correct Reporting permissions.
2. Click the Browse Channels link under the Publishing heading in the left
navigation Action menu.
3. Navigate to the report page you want to delete and select the check box next to
the report name.
Attention: Do not delete a page template! If a page template is deleted, all
report pages based on that template are deleted as well.
4. Once the report is selected, click the Delete button at the top of the table. A
confirmation dialog is displayed.
Chapter 7. Managing Reports
133
5. Click OK to delete the report page (or JSP report instance).
Working with Interactive JSP Reports
The IBM OpenPages application allows administrative-level users with the option
to create interactive reports to prompt a user at run-time for parameter values.
This section is used primarily for JSP reports and explains how to modify
newly-created and existing JSP reports to prompt a user for needed information.
Creating an Interactive JSP Report
You can either modify an existing JSP report to be interactive, or specify an
interactive parameter during report creation.
Procedure
1. From a browser window, log on to the IBM OpenPages server (typically /opx)
as a user with the correct Reporting permissions.
2. Click the Browse channels link in the left navigation Action menu and
navigate to the page template for the report you want to modify.
3. Click the name of the page template you want to modify. The detail page is
displayed.
4. Click the Edit... button above the list of report parameters. The Edit Parameters
applet is displayed.
5. Click the name of the parameter that you want to make interactive. The
parameter information is displayed at the bottom of the page.
6. Select the check box marked ‘Interactive Value’ and click the Apply button.
7. Repeat steps 5 and 6 for each parameter you want to make interactive.
8. When you are finished, click Save.
Results
The next time the report is run, the user will be prompted to enter a value for each
field marked as an interactive value.
Important: Reports with an interactive parameter named ‘label’ are a special case
and will not display a dialog to enter a value for ‘label.’ The ‘label’ field is
included to support reporting periods and should not be modified.
Note: Although any parameter type can be made an interactive value, the IBM
OpenPages application only supports the following four modes of entering values
into the value fields when the report is run:
v Date fields
v Text entry fields
v Enumerated drop-downs
v File browsers
Unsupported types may still be marked as interactive, but the value for the field
must be entered manually via a text string at run-time. A valid value must be
entered into the value field for the report to return the correct set of information.
134
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Running an Interactive JSP Report
Note: Although any parameter type can be made an interactive value, the IBM
OpenPages application only supports the following four modes of entering values
into the value fields when the report is run:
v
v
v
v
Date fields
Text entry fields
Enumerated drop-downs
File browsers
Unsupported types may still be marked as interactive, but the value for the field
must be entered manually via a text string at run-time. A valid value must be
entered into the value field for the report to return the correct set of information.
Procedure
1. From a browser window, log on to the IBM OpenPages application user
interface (typically /openpages).
2. Select the Reporting menu on the menu bar, and choose the name of the report
you want to run. If the report contains interactive parameters, a prompt page is
displayed.
3. Enter the required information into the various fields.
4. After all of the required information has been entered, click the Next button to
generate the report based on the supplied information. The report is displayed
in a new window.
Restricting Access to Reports
To restrict access and set security on reports, you need to set permissions in both
the IBM OpenPages server interface and in the Cognos portal.
Note: If you restrict access to reports only through the Cognos portal but not in
the IBM OpenPages server interface, the reports may be displayed in a selection
list to users in the IBM OpenPages application user interface. If a group or user
who does not have permission selects the restricted report, the report will not run
and an error message will be displayed to the user.
Setting Permissions on JSP and Reports
You can restrict users and or groups from accessing and running JSP reports from
the IBM OpenPages application by setting Read, Write, Delete, and Manage
permissions on selected report folders.
For example, if you want only administrators in a ‘System Administrators’ group
to have access to administrative reports, you could set Read, Write, Delete, and
Manage access on the ‘Administrative Reports’ subfolder (which is under the SOX
>> Cognos folder). Once you grant access to administrative reports for the ‘System
Administrators’ group, you could then break inheritance on the folder to restrict
other users and groups from accessing these reports.
Procedure
1. From a browser window, log on to the IBM OpenPages server (typically /opx)
as a user with administrative privileges.
Chapter 7. Managing Reports
135
2. Click the Browse channels link under the Publishing heading in the left
navigation Action menu. This displays a list of the available publishing
channels.
Note: If you cannot see the Publishing heading, you do not have the correct
permissions.
3. Click Reporting. A list of files and folders is displayed.
4. Expand the folder, if necessary, and select the /SOX folder you want.
Note:
v Each folder represents a report grouping in the IBM OpenPages user
interface.
v Reports that are under the Reporting/SOX folder structure are published to
the U.S. English locale. To select a different locale, choose the /SOX folder
under the locale you want (for example, ja_JP/SOX for the Japanese locale).
5. Under the selected /SOX folder, do the following:
a. Select the box next to the name of the folder containing the reports to which
you want to limit access through the IBM OpenPages application user
interface.
b. Click Properties to open the Folder Details page.
c. On the Access Controls tab, click Edit to open the permissions window.
6. In the Edit Permissions applet window, select and grant access to the groups
and users you want:
a. Click Add to open the user or group selection box.
b. Select a group or user to whom you want to grant permission and click OK.
c. Select the permissions you want to allow or deny the group or user (Read,
Write, Delete, Manage).
d. When finished, click Apply. The selected group or user appears in the list.
e. To select another group or user, repeat Steps a-d.
f. To remove a group or user, select the group or user then click Remove.
g. When finished, click Close.
The Access Controls tab on the Folder Details page displays the selected
groups and/or users with their assigned permissions.
7. Break inheritance on the folder so other groups or users cannot access these
reports from the IBM OpenPages user interface:
a. On the Folder Details tab, click Edit to open the edit window.
b. In the edit window, clear the Inherit access controls from parent folder?
box.
c. Click OK.
The status of the Inherit access controls row on the Folder Details tab
displays changes from ‘Yes’ to ‘No’.
Securing Access to the CommandCenter Portal
You can restrict which user groups are allowed to modify CommandCenter reports.
Use the following instructions to allow a group, in this example the
‘OPAdministrators’ group, to update, add, and delete reports, and to restrict other
users from changing settings within the CommandCenter portal.
136
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Note: OpenPages standard (out-of-the-box) reports could be overwritten during
an upgrade. If you want to modify IBM OpenPages standard reports, we strongly
recommend that you copy the reports to your own folder structure where you can
then modify and control access to these reports.
Create a CommandCenter Group in OpenPages with
Administrator Permissions
Procedure
1. From a browser window, log on to the IBM OpenPages application user
interface as a user with administrative privileges.
2. Create a group in the OpenPages application to which you want to give
CommandCenter administrative rights or use an existing group (such as,
‘OpenPagesAdministrators’).
Note: For information on creating groups, see the “Creating a New
Organizational Group” section in the IBM OpenPages Administrator’s Guide .
3. Continue to the next task.
Restrict User Access to Administrative Functions Within the
Cognos Portal
Procedure
1. From a browser window, log on to the CommandCenter portal as a user with
administrative privileges (for example, OpenPagesAdministrator)
By default, the URL is:
http://<hostname>/ibmcognos (if you are using port 80 for CommandCenter)
Where <hostname> is the name of the Web server machine that contains the
cognos8 virtual directory.
2. Launch the IBM Cognos Administration page:
v If the CommandCenter splash page appears, click the Administer IBM
Cognos Content link.
v If the IBM Cognos Connection page appears, click Launch then select IBM
Cognos Administration.
3. On the Security tab, click the Cognos link in the Directory list.
4. On the Directory > Cognos page:
a. Locate the ‘System Administrators’ group in the list.
b. Click the More link in the same row as the System Administrators group.
5. Under Available Actions on the Perform an Action page, click the Set
members link.
6. On the Members tab of the Set Properties page, click the Add link.
7. On the Select entries (Navigate) page, do the following:
a. Click the OpenPagesSecurityRealm link to find the OpenPages group or
role to access CommandCenter administrative functions.
b. Select a group. For example, ‘OPAdministrators’.
c. Click the green arrow to add the role and then click OK.
8. On the Members tab of the Set Properties page, remove the ‘Everyone’ group
from accessing the administrative functions as follows:
a. Select the ‘Everyone’ group.
b. Click the Remove link.
Note: There is no confirmation prompt.
Chapter 7. Managing Reports
137
c. Click OK to save your changes.
9. Continue to the next task.
Restrict Access to OpenPages Reports in Public Folders
Procedure
1. On the IBM Cognos Connection page, click the Public Folders tab.
2. On the Public Folders page, click the More link in the same row as the
OpenPages folder for which you want to restrict access (for example,
OPENPAGES_REPORTS_V6).
3. Under Available actions, click the Set properties link.
4. On the Set properties page, select the Permissions tab and do the following:
a. If not already selected, select the box to ‘Override the access permissions
acquired from the parent entry.'
b. Click the Add link (located near the bottom of the page).
5. In the Select entries (Navigate) window, click the Cognos link, and do the
following:
a. Select the group to be added (for example, ‘System Administrators’).
b. Click the green arrow to add the role.
c. When finished, click OK.
6. On the Permissions tab of the Set Properties page, do the following:
a. Select the box next to the newly added group (for example, ‘System
Administrators’).
b. Grant the group Read, Write, Set Policy, and Traverse permissions.
c. Remove the Write and Set Policy permissions from the other groups.
d. Click OK to save your changes.
Now, if a user logs on to CommandCenter with a user name that is not in,
for example, the ‘OPAdministrator’ group, and the user tries to delete,
change, or save a report, for example, in the ‘OPENPAGES_REPORTS_V6’
package, an error message is displayed to the user.
7. Continue to the next task.
Restrict End Users From Running Report Studio and Query
Studio but Still Run OpenPages Reports
You can restrict user access from within the Cognos portal to run Report Studio
and Query Studio tools to modify CommandCenter reports.
Procedure
1. If not already logged on to the CommandCenter portal, log on to the
CommandCenter portal as a user with administrative privileges (for example,
OpenPagesAdministrator) and launch the IBM Cognos Administration page:
v If the CommandCenter splash page appears, click the Administer IBM
Cognos Content link.
v If the IBM Cognos Connection page appears, click Launch then select IBM
Cognos Administration.
2. Select the Security tab, and click the Cognos link in the Directory list.
3. On the Directory > Cognos page, click the More link in the same row as the
‘Authors’ role.
4. On the Perform an action page, under Available Actions, click the Set
members link.
5. On the Members tab of the Set properties page, click the Add link.
138
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
6. On the Select entries (Navigate) page, do the following:
a. Click the OpenPagesSecurityRealm link.
b. Select the group you want (for example, OPAdministrators).
c. Click the green arrow to add the group and then click OK.
7. On the Members tab of the Set Properties page:
8.
9.
10.
11.
12.
a. Select the ‘Everyone’ group
b. Click Remove.
c. Click OK to save the changes.
Repeat Steps 2 - 6 for the ‘Query User’ role.
When finished, return to the IBM Cognos Administration page and select the
Security tab.
On the Security tab, click the Capabilities link, and do the following:
a. Click the Report Studio link.
b. Click the Actions arrow next to HTML Items in Report and select Set
properties.
On the Set properties - HTML Items in Report page, do the following:
a. Select the Permissions tab.
b. If not already selected, select the box to ‘Override the access permissions
acquired from the parent entry.'
In the list on the Permissions tab, select the ‘Everyone’ group and grant the
group Execute and Traverse permissions. Click OK to save the changes.
Note: If the ‘Everyone’ group is not listed, then add it to the list as follows:
a. Click the Add link.
b.
c.
d.
e.
f.
On the Select entries (Navigate) window, click the Cognos link.
Select the ‘Everyone’ group.
Click the green arrow to add the role.
When finished, click OK.
Select the ‘Everyone’ group and grant the group Execute and Traverse
permissions.
g. Click OK to save the changes.
13. Return to the Security tab and do the following:
a. Click the Capabilities link again.
b. Click the Report Studio link.
c. Click the Actions arrow next to Create/Delete and select Set properties.
14. On the Set properties - Create/Delete page, do the following:
a. Select the Permissions tab.
b. If not already selected, select the box to ‘Override the access permissions
acquired from the parent entry.'
c. Remove the ‘Everyone’ group, if it is listed there.
d. Add the ‘System Administrators’ group with Read, Write, Set Policy, and
Traverse permissions.
e. Click OK to save the changes.
Results
After making the changes defined in this section, when a user logs on to
CommandCenter, unless the user is a member of a group with proper
Chapter 7. Managing Reports
139
authorization, the user cannot modify reports but can still run out-of-the-box
reports.
140
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 8. Configuring Fields and Field Groups
This chapter contains the following topics:
v “Fields and Field Groups”
v “Adding New Field Groups” on page 149
v “Data Types” on page 150
v
v
v
v
v
v
v
“Using Currency Data” on page 155
“Modifying Field and Field Group Properties” on page 159
“Creating Computed Fields” on page 161
“Modifying Enumerated String Values” on page 169
“Configuring Reporting Fragment Fields” on page 172
“Configuring Save As Draft Fields” on page 178
“Deleting Field Groups and Definitions” on page 180
v “Working with Long String Fields” on page 181
Related concepts:
“Use short field names and field group names” on page 781
When creating field groups and field names, use short field group names and short
field names.
“Be aware of shared field groups” on page 783
When using a field group that is shared amongst other object types, the
administrator should be aware that a small change in that field group will have an
affect on all the object types using it.
Fields and Field Groups
A field group is a container for fields and each field you create must belong to a
field group.
The IBM OpenPages GRC Platform application allows administrators to add new
fields to object types (such as Business Entities, Processes, Risks, Controls, and so
forth) and custom forms, and manage existing fields.
To extend the fields of an object type, you can either add new fields to an existing
field group that you previously created, or create a new field group and then add
these new fields to that group.
A field group is identified in the application by the Field Group icon
object field is identified by the Object Field icon
, and an
.
Definition of Fields
An object field generally represents a particular item of information specific to an
object type.
Fields can be object fields, computed fields, and report fragment fields.
By default, each object type within the IBM OpenPages GRC Platform application
has a predefined field group that contains predefined fields specific to that object
141
type. For example, the ‘Effectiveness Rating’ and ‘Operating Effectiveness’ fields
belong to the Control object’s OPSS-Control field group.
Fields can be added to new or existing field groups and then associated with a
profile for display in various views.
If you create a new object type for a custom form or survey, you must add field
groups to that object type. Field groups can be new field groups that you create,
existing field groups, or some combination of both. For more information see,
“Adding an Object Type for a Custom Form” on page 196.
Important: Do not use the four-byte characters as defined in the CJK Unified
Ideographs EXTENSION-B Unicode Block Name in field values because these
characters will not be saved.
Definition of a Field Group That is In Use
When a field group is associated to an object type, an instance of that object type is
created and the field group is considered to be ‘in use’.
Once a field group is in use, you cannot delete the field group or any fields from
that field group.
For example, let’s say you create a new field group (called Extra Fields) with three
object fields (called Field 1, Field 2 and Field 3). You then add the new field group
to the Risk object type - even if you never display any of the three new fields on
any Risk object’s view page - the "Extra Fields" field group is now considered to be
‘in use’ and cannot be deleted.
Note: If the same management operation is being concurrently modified by
another administrator, an error message is displayed requesting that you try again
at a latter time.
Accessing the Field Groups Page
An administrator with the Administration Field Groups application permission can
administer field groups.
Procedure
1. From a browser window, log on to the IBM OpenPages GRC Platform
application user interface as a user with the Field Groups permission set.
2. From the menu bar, select Administration and click Field Groups.
From the Field Groups list page, you can:
v Add a new field group
v Delete a field group that is not in use (no instances of that object were
created)
v View descriptive information about a field group
v Access the details page of a field group where you can:
– Modify field group information
142
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
– Add or delete unused field definitions from a field group
– Access the details page of a field definition where you can manage the
configuration of its properties, such as the default value or field entry
requirement. If a field group includes fields with enumerated strings, you
can also add new values to the list of enumerated string values, modify
the display order of values in the list, and hide existing values that no
longer reflect your current business needs.
Process Overview
You can add new fields to an object type and then display the new fields.
Fields can be object fields, computed fields, and report fragment fields.
Chapter 8. Configuring Fields and Field Groups
143
Figure 6. Tasks for Configuring New Fields
Table 26 on page 145 provides a reference for where to find information related to
the various configuration tasks.
144
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 26. Tasks for Configuring New Fields
Task
Task Description
Related Topic
1
Identify the new field.
See “Identifying New Fields” for a
discussion of the type of information
you need to identify before you create
a new field.
2
Add a new field group or identify the
existing group to which you want to
add the field.
See “Adding New Field Groups” on
page 149 for step-by-step instructions
on how to create a new field group that
will contain the new field (or fields).
3
Add one or more field definitions to
the field group.
See “Adding Field Definitions to a
Field Group” on page 149 for
instructions on how to add new field
definitions to a new field group.
4
If you created a new field group, add it See “Including Field Groups for an
to the appropriate object type.
Object Type” on page 186 for
information about how to add the new
field group to a particular object type
or custom form object type so the fields
can be available for display.
5
Display the new field or fields in an
object view.
See “Views for objects” on page 238 for
information on selecting an object view,
displaying the new field or fields in the
selected view, modifying the display
order of the fields in that view, and
configuring a display type.
Identifying New Fields
Before you create a new field, you need to determine the characteristics of the field
and identify the object types that will use the new field.
Planning your changes ahead of time helps to minimize the necessary work and
prevents duplication of effort.
The following list will help you identify some of the information you need to have
before you create a new field:
v The affected object - Will the new field be added to a custom form or object? If
an object, which object type or types will the new field be added to?
v The name - How will the new field be identified? The name of the field is
important because it is also the initial label that will appear next to the field.
Note that special characters cannot be used. For additional discussion, see
“Considerations When Naming New Fields” on page 147.
v The label - What text will be displayed whenever this field appears on an
object’s view page? The initial label text is the same as the name of the field. For
example, if this field is added to the detail view page of an object, it will also
appear on the add and edit pages for that object. If the field is added to a folder
or list view, it will appear in those views. You can modify the label text at a
future time (for details see the chapter, Chapter 12, “Localizing Text,” on page
279).
v The data type - What is the type of data (such as Boolean, Date, Enumerated
String, Simple String, Reporting Fragment, and so forth) that will be captured by
the field? For details see, “Data Types” on page 150.
Chapter 8. Configuring Fields and Field Groups
145
v The entry type - Will the user be required to enter data into the field or will data
entry be optional? For details see, “Making Fields Either Required or Optional”
on page 160.
v A default value - Will the field have a default value or will it be blank?
v The number of fields that will be included in the field group - how many new
fields will the new field group contain? If you are creating more than one new
field for an object, you may want to consider categorizing collections of object
field definitions in the same field group for ease of maintenance.
v The object view - Which view page or pages (Detail, Folder, or List) will display
the new field? Note that a custom form or survey can only have a detail view
page. For details see, “Views for objects” on page 238.
v The display order - Where on a view page do you want the new field
displayed? What field or fields should be listed before or after the new field? If
no display order is set, the new field will automatically be displayed at the end
of the list of fields. For details see, “Setting the Global Display Order of Object
Types” on page 224.
Example
Suppose you want to add an ‘Owner’ field to several object types. You can either
modify the field group for each object type by adding an ‘Owner’ field, or you can
simply create a generic ‘Owner’ field and field group for all object types and
re-use it later if you want to add it to an object.
To simplify the work, let’s follow the generic approach and create a generic field
that can be added to any object type.
The new field needs a field group and a generic name, so let’s call the field group
‘Custom Fields’ and the name of the field ‘Owner’. The name of the field is
important because it is the initial label that will appear next to the field wherever
the field displays in the application. If necessary, you can modify the label text at a
future time. For details on modifying label text, see the chapter, Chapter 12,
“Localizing Text,” on page 279.
The ‘Owner’ field will be used to capture a name, so the data type for this field
will be ‘Simple String.’ Since the ‘Owner’ field is considered important, we will
make it a required field so the user must enter a name into the field before they
can save and exit the page. No default value will be set for the field so the field
will appear empty.
To complete the planning, let’s say there are no other fields to be added to the
‘Custom Fields’ field group (‘Owner’ is the only field), and that the new ‘Owner’
field will only be displayed on the detail page of the Business Entity and Issue
object types (this also includes the add and edit pages).
We now need to determine the display order on the Detail view page for both
object types. The default order for new fields is at the end of the display list. For
simplicity, let’s place the ‘Owner’ field for both object types after the ‘Modified By’
field on the detail page. Because we are using the Platform schema that is supplied
by default, the display order of the ‘Owner’ field will need to be set to ‘8’, which
is after the ’Modified By’ field (which is in position ‘7’) on the Detail view page for
both objects.
146
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Now that all the necessary information has been identified, you can begin “Adding
New Field Groups” on page 149 in the Task list. For details, see Table 26 on page
145.
Considerations When Naming New Fields
If you want to create an object field that you can use in reports, you need to
consider the following factors when choosing a field definition name.
Avoid using the object name in the field definition
The IBM OpenPages GRC Platform application uses a three- or four-character
prefix naming convention when generating the Cognos framework model. When
Cognos reports are run, the prefix is converted to the object name in the column
headers.
For example, in the supplied (out-of-the-box) field definitions, the OPSS-TestResult
field group contains a field named "Test Result".
This prefix...
For this object type’s
fields...
Is displayed in a report column header as
this...
RI_
SOXRisk
Risk
CN_
SOXControl
Control
TR_
SOXTestResult
Test Result
When the Cognos framework model is generated, the "Test Result" field becomes
the query item "TR_TEST_RESULT".
When the Cognos report is run, the "TR_TEST_RESULT" field column header
displays as "Test Result Test Result" by default.
Keep new field definition names to less than or equal to 20 (≤20)
characters
Note:
v The object prefix is not counted in these 20 characters.
v The framework generator reserves character positions 21 and 22 for a unique ID
in the query item name, so field definition names that exceed 20 characters (>20)
are truncated after the 20th character.
If there are multiple long (>20 character) field definition names in which the only
unique characters are beyond the 20-character limit, then recreate the Reporting
Schema only when necessary. This is because the Cognos Reporting Schema
generator may not generate the same two-digit unique ID for the same field
definition from one generation to the next. As a result, reports that use these field
definitions may not contain correct data as demonstrated in the following example.
For example:
This Reporting
Schema
generation...
For a field definition with this
name...
May result in this...
Generation #1
Total Actual Financial Loss 2008
LE_TOTAL_ACTUAL_FINANCI01
Generation #2
Total Actual Financial Loss 2007
LE_TOTAL_ACTUAL_FINANCI01
Chapter 8. Configuring Fields and Field Groups
147
This Reporting
Schema
generation...
For a field definition with this
name...
May result in this...
Generation #3
Total Actual Financial Loss 2006
LE_TOTAL_ACTUAL_FINANCI01
If a long field definition name cannot be avoided, then try to create the name with
the unique characters at the beginning of the name instead of at the end (for
example, "2008 Total Actual Financial Loss" instead of "Total Actual Financial Loss
2008").
Running the Schema Analysis Report
Before adding fields to an object type, run the Schema Analysis Report to
determine the number of object fields that can be added to an object type.
The report shows how many object fields:
v Are currently configured for an object type
v Can "safely" be added to extend that object type
In general, 175 is the threshold limit for the number of fields that can be added to
a given object type when the average of all field names is 22 characters in length.
By keeping the average field name short, it may be possible to include more than
the 175 threshold limit for the number of fields.
Important: Each currency field within an object type equates to 6 fields. This is
because each currency field has 6 distinct columns within the database ‘RT_’ table.
These 6 columns equate to the following 6 fields: Amount, Currency, Exchange
Rate, Base Amount, and Base Code.
The Schema Analysis Report is accessed through the Cognos portal. The Report
lists all object types, in alphabetical order, that are in the schema. For purposes of
illustration, Table 27 shows the name of each column in the Report and sample
data for only the Control object type.
Table 27. Information in the Schema Analysis Report
Report Column Name
Example
Object type
Note: All names start with the prefix ‘rt_’
rt_control
Current number of fields
39
Current Field Length Statistics (Highest/Average)
22/14
Number of Additional Fields that can be added (assuming Maximum
Field Lengths are used)
136
Potential Number of Additional Fields that can be added (if the
Average Field Length for this Object Type does not increase)
187
For example, you want to add 3 currency fields to the Control object type. Because
each currency field equates to 6 fields, you would be adding 18 fields to the
Control object type (3 × 6).
Using the numbers from the ‘Example’ column in Table 27, the Schema Analysis
Report indicates that the Control object type (rt_control) in the sample schema
148
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
currently has 39 fields. Of those 39 fields, the largest field length is 22 characters,
with an average field length (for all fields) of 14 characters.
The Report also indicates that you could add 136 additional fields with names that
do not exceed 22 characters in length, or up to 187 additional fields if the field
names are 14 characters (or less). Adding the 3 currency fields (for a total of 18
fields) would be well within the threshold for this object type.
Procedure
1. From a browser window, log on to the IBM Cognos 10 portal as a user with
administrative privileges.
By default, the URL is:
http://<hostname>/ibmcognos (if you are using port 80 for Cognos)
Where: <hostname> is the name of the Web server machine that contains the
ibmcognos virtual directory.
2. On the Cognos Home page, click the Public Folders tab.
3. On the Public Folders page, navigate through the links as follows:
OPENPAGES_SHARED >> Administrative Reports
4. On the Administrative Reports page, click the Schema Analysis Report link to
run the report.
Adding New Field Groups
A field group is a container for fields. Each field you create must belong to a field
group.
Note:
v To perform these steps, System Administration Mode must be enabled in the
application interface (see “Enabling and Disabling System Admin Mode” on
page 82).
v You can add new fields to existing field groups - you do not have to create
another new field group.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. On the Field Groups table, click Add.
3. On the Field Groups page, do the following:
a. In the Name box, type a name for the field group. For example, Custom
Fields.
b. In the Description box, optionally type a brief description of this field
group.
c. Click Create.
4. Add one or more field definitions to the newly created field group. For details,
go to “Adding Field Definitions to a Field Group.”
Adding Field Definitions to a Field Group
A field group can contain one or more field definitions.
Chapter 8. Configuring Fields and Field Groups
149
A field definition stores the data type and other properties of a field. For each new
field you want to add to an object type, you must create a field definition that
defines the properties of that field. You can add a field definition to a new field
group or an existing field group that is not in use.
Note: To perform these steps, System Administration Mode must be enabled in
the application interface (see “Enabling and Disabling System Admin Mode” on
page 82).
Procedure
1. Navigate to the Field Definitions table of the field group you want.
2. Click Add.
3. On the field definition page:
Table 28. Field Definition Boxes
In this box...
Do this...
Name
Type a name for the field.
Important: The name must start with a letter, and can only
contain letters, numbers, spaces, and the underscore (_) character.
Examples:
Owner, owner1, Owner1_Risk
Description
Optionally type a description of the field.
Data Type
Select a data type for this field:
1. Click the down arrow and select a data type from the list.
2. Click the double arrows (>>) to display additional options for
the selected data type.
For details see, “Data Types.”
Computed
Note: This additional
option appears for
most data types.
Select this box if you want this field to be a computed field.
Additional boxes will be displayed.
By default, the ‘Computed’ box is clear (not selected).
For details, see, “Creating Computed Fields” on page 161.
Required
Note: This additional
option appears for all
data types.
Optionally select this box if you want the field to require data
entry.
By default, the box is clear (not a required data entry field).
For details, see, “Making Fields Either Required or Optional” on
page 160.
4. Click Create. The new field definition is listed on the Field Definitions table of
the selected field group.
5. To add another field definition to this field group, repeat Steps 2, 3, and 4.
6. When finished adding field definitions, add the field group to one or more
object types. For details, go to “Including Field Groups for an Object Type” on
page 186.
Data Types
The IBM OpenPages GRC Platform application provides a variety of data types
from which you can choose.
150
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Once you select a data type for a field and save it, only the parameters or settings
for the data type can be modified; the data type itself cannot be changed.
To display additional parameters for a selected data type, click the double arrow
button next to the data type selector.
The following table contains a description of the available data types with their
corresponding settings.
Table 29. Data Types and Descriptions
Data Type
Description
Boolean
A logical operator that has the following predefined values: true
(default) or false.
To change the default value, click the Default Value arrow and select
another value from the list.
Chapter 8. Configuring Fields and Field Groups
151
Table 29. Data Types and Descriptions (continued)
Data Type
Description
Currency
v Include Conversion - this setting controls whether or not the
exchange rate and base amount conversion are visible.
If this value is set to:
– True -- the following sub-items are displayed in the currency field
(this is the default setting):
Local Currency Code (drop down)
Local Amount (text input)
Exchange Rate (text input)
Base Code (static text)
Base Amount (static text)
For example, you could use this setting when the field represents
a currency amount relative to a specific point in time where the
exchange rate is applicable, such as a financial loss on a given
date.
– False -- the following sub-items are displayed in the currency
field:
Local Currency Code (drop down)
Local Amount (text input)
For example, you could use this setting when the field represents
a hypothetical currency amount not relative to a specific point in
time, such as Inherent Severity on the Risk object.
v The currency data type accepts numeric values with decimal places
for the following settings:
Setting Description
Minimum Value
The lowest allowable currency value that will be accepted
for this field.
Maximum Value
The greatest allowable currency value that will be accepted
for this field.
If a user enters a value that is either below or above the
specified value range, an error message displays.
Note:
v The Minimum Value and Maximum Value settings are expressed in
terms of the base currency (base currency is set during installation).
v You cannot use non-numeric characters when entering currency
values. For example, either 125000 or 125,000 is legal, but not
$125000. This format is set per user locale.
For more information about working with currency, see “Using
Currency Data” on page 155.
Date
152
The date data type default value is blank and this value cannot be
changed. (The date picker pop-up box defaults to the current date.)
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 29. Data Types and Descriptions (continued)
Data Type
Description
Decimal
The decimal data type accepts numeric values with decimal places for
the following settings:
Minimum Value
The lowest allowable decimal value that will be accepted for
this field.
Maximum Value
The greatest allowable decimal value that will be accepted for
this field.
Default Value
The default value of the field is blank.
To display a default decimal value in the field, type a numeric
value that is between the minimum and maximum allowable
values.
If a user enters a value that is either below or above the
specified value range, an error message displays.
Enumerated
String
The enumerated string data type accepts a list of string values and has
these settings:
Add Value
A string value that you want in a list of values.
To add a value to the list:
1.
In the Add Value box, type a string value.
2. Click Add.
3. To add another value to the list, repeat Steps 1 and 2.
To remove a value from the list, select the value then click
Delete only if the field is not in use.
Multi-valued
Sets whether or not a user is allowed to select more than one
value from the list.
If the box is:
Cleared
only one value can be selected from the list. This is
the default setting.
Selected
multiple values can be selected from the list.
You can convert a single value selection setting to a
multi-value selection setting. You cannot convert a multi-value
selection setting to a single value selection.
Default Values
The field, by default, is empty and has no value.
To display a default value from the list, click the arrow and
select a value from the list.
To re-order the list of values, see “Modifying Enumerated
String Values” on page 169.
To set the display of the enumerated string data, such as a list, radio
buttons or check boxes, you must do it through the profile, see
“Configuring Display Types for Enumerated Strings” on page 278.
Chapter 8. Configuring Fields and Field Groups
153
Table 29. Data Types and Descriptions (continued)
Data Type
Description
Integer
The integer data type accepts numeric values without decimals for the
settings:
Setting Description
Default Value
The field, by default, is empty and has no value.
To display a default integer value in the field, type a numeric
value that is between the minimum and maximum allowable
values.
Minimum Value
The lowest allowable integer value that will be accepted for
this field.
Maximum Value
The greatest allowable integer value that will be accepted for
this field.
If a user enters a value that is either below or above the
specified value range or a non-integer value, an error message
displays.
Long String
A long string is considered to be any text of length more than 4000
bytes. Long strings allow users to enter more than 4000 bytes in a
single field.
The long string has two sub types, medium and large.
The size of the medium sub type is fixed to 32KB. The medium sub
type is the only sub type supported for FastMap uploads.
The size of the large sub type set by default to 256KB. It can be
increased by changing OpenPages | Platform | Repository | Resource
| Large Text | Maximum Size setting. Enter a value in bytes. The
maximum size applies to all large sub-type long strings.
Important: Once set, this value cannot be reduced.
Note: The maximum size is a hidden setting. To show hidden settings
set OpenPages | Applications | Common | Configuration | Show
Hidden Settings to true. See “Working with Long String Fields” on
page 181
Reporting
Fragment
The fragment data type displays a component (such as a bar or line
chart) from a Cognos report or dashboard in a field.
For details, see “Configuring Reporting Fragment Fields” on page 172.
Simple String
The simple string data type, by default, displays data as text. The
default value of the field is blank. The maximum size of a simple string
is 4000 bytes.
To display a default value in the field, type a string of either plain text
or HTML-formatted text.
To set the display of the string data to another type, such as a user
drop-down, user or group selector, rich text area and so forth, you must
do it through the profile. For details, see “Configuring Display Types
for Simple String Fields” on page 266.
Single File
154
For internal use by workflow jobs. Do not use because this data type
cannot be used in profiles.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Using Currency Data
This section describes how to work with currency data and how to modify existing
data.
Accessing the Currencies Page
Procedure
1. Log on to the IBM OpenPages GRC Platform application interface (typically
port 7009) as a user with the Currencies application permission set.
2. From the menu bar, select Administration and click Currencies. The Currencies
page is displayed.
Modifying Currency Exchange Rates
Procedure
1. Access the Currencies page (see “Accessing the Currencies Page”).
2. On the Currencies table, click Edit. The Edit Exchange Rates page is displayed.
3. Modify the desired exchange rates.
4. When finished, click Save.
Adding and Editing Currency Fields in a Field Group
This section describes how to add and modify one or more currency fields to an
existing field group.
Adding a New Currency Field to a Field Group
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. In the Field Groups table, click the name of the field group to which you want
to add a currency field. The page containing information for that field group
appears.
3. In the Field Definitions table, click Add. The page containing the information
to add field groups appears.
4. On the add page:
a. In the Name box, type a name for the new currency field.
b. In the Description box, optionally type a brief description of this field.
c. Select Currency from the Data Type drop-down list.
d. Check Required if the field is to be a required field.
Note: The Currency data type does not support computed fields. See
“Defining a Computed Field” on page 163 for information on computed
fields.
e. Check Include Conversion if the field is to include currency conversion.
f. Click the >> button and type the minimum and maximum allowable
currency values to be allowed in the field in the Minimum Value and
Maximum Value boxes.
g. Click Create. The system creates the new currency field.
Note:
Chapter 8. Configuring Fields and Field Groups
155
v If a user enters a value that is either below or above the specified value
range, an error message displays.
v You cannot use non-numeric characters when entering currency values. For
example, either 125000 or 125,000 is legal, but not $125000.
v This format is set per User Locale.
v Object fields with this data type cannot be included in the profile of
predefined objects or custom forms that use the supplied JSP file for
rendering.
Editing Currency Field Information
You can edit currency field information.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. In the Field Groups table, click the name of the field group that contains the
currency field you want to edit, for example, OPSS-External Loss. The page
containing information for that field group appears.
3. In the Field Definitions table, click the name of the currency field you want to
edit, for example, Loss Amount. The page containing the information for this
currency field appears.
4. Edit the information on this page.
5. When finished, click Save.
Viewing a Currency Display Type
You can view currency display type information for object types that contain a
currency field.
Procedure
1. From the menu bar, select Administration and click Profiles. The Profiles page
appears.
2. From the list on the Profiles table, click the name of the profile that contains
both the object type and currency field you want to view.
3. From the list on the Object Types table, click the desired object type. For
example, to view the currency display type for the Inherent Severity object
field, select the SOXRisk object type.
4. From the list on the Object Fields table, locate and click the desired object
field. The Display Type column of the selected field should be ‘Currency’.
On the detail page of the selected object field, the currency display information
appears.
Editing a Currency Display Type
You can edit the currency display type for object types that contain a currency
field.
Procedure
1. From the menu bar, select Administration and click Profiles. The Profiles page
appears.
2. In the Profiles table, click the name of the profile that contains both the object
type and currency field you want to view.
156
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
3. In the Object Types table, click the desired object type. For example, to view
the currency display type for the Inherent Severity object field, select the
SOXRisk object type.
4. In the Object Fields table, locate and click the desired object field. In the Object
Field Information table, the Display Type field should be Currency.
5. Click Edit. The currency display information appears.
6. In the Read Only drop-down list, select either True or False.
7. Check the Required box if desired.
8. When finished, click Save.
Editing Currency Field Values in Individual Accounts
If you have OpenPages FCM (Financial Controls Management) installed, you can
edit currency field values for individual accounts.
Procedure
1. Log on to the IBM OpenPages GRC Platform application.
2. From the menu bar, select Financial and click Account.
3. From the list, click the name of the account you want to open its details page.
4. Under Account Details, click the Fields link.
5. Select the Actions menu and choose Edit this Account.
6. In the Annualized Value field, change the Currency, Exchange Rate, or USD
values as desired.
7. When finished, click Save.
Modifying Currency Exchange Rates
This section describes how to add, edit, and enable or disable currency exchange
rates.
There are several methods for updating currency exchange rates. You can:
v Upload a CSV file with currency exchange rates from:
– The IBM OpenPages GRC Platform application user interface. “Uploading a
CSV File - User Interface Procedure” on page 158
– An ObjectManager loader file. “Importing Exchange Rates” on page 656
v Manually edit the rates in the IBM OpenPages GRC Platform application user
interface. “Editing Exchange Rates for an Existing Currency Code - User
Interface Procedure”
v Upload currency exchange rates in an ObjectManager loader file. “Importing
Exchange Rates” on page 656
Note: You cannot use these functions with a new currency. The currency must
already exist.
Editing Exchange Rates for an Existing Currency Code - User
Interface Procedure
Procedure
1. Access the Currencies page (see “Accessing the Currencies Page” on page 155).
2. On the Currencies page, click Edit.
3. On the Edit Exchange Rate page, edit the currency exchange rates as wanted.
Chapter 8. Configuring Fields and Field Groups
157
4. When finished, click Save. The edited currency exchange rates appear on the
Currencies page.
Formatting a CSV File for Upload
The file containing the exchange rate currency data must be in a comma separated
value (.csv) file.
The file must have the following format:
<currency code>,<exchange rate>
<currency code>,<exchange rate>
Where:
Field
Description
<currency code>
The 3-letter ISO Currency Code.
<exchange rate>
The numeric exchange rate value.
The default value is ‘1.0’.
<start date>
Optional. The date the exchange rate was (or will be) applied.
The format is:
mm/dd/yyyy
- or mm/dd/yyyy HH:mm:sss
If no historic date is supplied, the current date is used.
The following data sample from a CSV file shows the ISO currency codes for
Euros, Canadian dollars, and Japanese yen with the corresponding exchange rate
for each currency, and the historical date that the rate was applied for two of the
four currencies.
EUR,0.1589,12/26/2007
CAD,0.8636
JPY,0.0083,5/8/2008
Uploading a CSV File - User Interface Procedure
Procedure
1. Access the Currencies page (see “Accessing the Currencies Page” on page 155).
2. On the Currencies page, click Upload.
3. Type the CSV file name into the Exchange Rates File Name box or select the
appropriate file by clicking Browse.
4. When finished, click Upload. The new currency exchange rate appears in the
Currencies table on the Currencies page.
Enabling Currency Exchange Rates - User Interface Procedure
You can enable disabled currency rates, making them available to the appropriate
processes.
Procedure
1. Access the Currencies page (see “Accessing the Currencies Page” on page 155).
2. On the Currencies page, click Enable.
3. On the Enable Currencies page, check all the currencies you want to enable.
158
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
4. Optionally change the exchange rate for any listed currencies.
5. When finished, click Save. The enabled currencies appear on the Currencies
table.
Disabling Currency Exchange Rates - User Interface Procedure
You can disable enabled currencies. When you disable a currency it is no longer
available to the system. However, it is not deleted. You can enable it at any time.
Note: You cannot enable or disable the base currency, which is set during
installation.
Procedure
1. Access the Currencies page (see “Accessing the Currencies Page” on page 155).
2. On the Currencies page, click the check box next to the currencies you want to
disable. (You can re-enable these currencies at any time.)
3. Click Disable.
Modifying Field and Field Group Properties
Modifying Field Group Properties
You can modify the description property of any field group; however, the name of
a field group cannot be changed.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. Click the name of the field group that you want to modify to open its details
page.
3. On the Field Group Information table, click Edit.
4. Modify the description as necessary.
5. When finished, click Save.
Modifying Object Field Definitions
After you create an object field, you can modify field definition properties.
v For any type of object field - you can modify the description of the field, change
whether or not the field is required or optional, and set a default value for the
field (excluding the Date data type).
v For numeric fields - such as decimal or integer - you can change the minimum,
maximum, and default values.
v For fields with enumerated strings, you can add, delete (if not in use), hide or
unhide, and update the order of the values in the list. For details, see
“Modifying Enumerated String Values” on page 169.
Note: You cannot modify the name of any object field or its data type.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
Chapter 8. Configuring Fields and Field Groups
159
2. Click the name of the field group containing the object field that you want to
modify.
3. On the Field Definitions table, click the name of the field that you want to
modify.
4. On the Field Definition Information table, click Edit.
5. To modify the field description, place the cursor in the Description box and
type or edit the description.
6. To make object fields required or optional, go to the topic, “Making Fields
Either Required or Optional.”
7. To set a default value for an object field, go to the topic, “Setting a Default
Value for an Object Field” on page 161.
8. When finished, click Save.
Making Fields Either Required or Optional
You can globally set whether or not all users will be required to enter data in an
object field.
When you create a new object field, by default, the Required box is cleared
(optional or non-required data entry).
Note: If you want to require a specific group of users (not all users) to enter data
for a field, for maximum flexibility we recommend that you set the field as
required in the profile and not in the field definition (see “Setting a Field in a
Profile to Required or Optional” on page 224).
When you set an object field to be required, a red asterisk * displays after the field
label in the Add and Edit pages of the object type. For example, if you were to
change the setting of the optional "Additional Description:" field of the Account
object to be a required data entry field, it displays to users as "Additional
Description*:" Users are required to enter information in the field when they
created a new Account object.
You can omit a required field for a particular view if the field is filled in by a
trigger or if the field will have been filled in prior to this view being used to edit
the object.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. Click the name of the field group containing the object field that you want to
modify.
3. On the Field Definitions table, click the name of the object field you want to
modify.
4. On the Field Definition Information table, click Edit.
5. If you want this field to be:
v A required data entry field - select the Required box.
v A non-required (optional) data entry field - clear the Required box.
6. When finished, click Save.
Note: Changing a field to Required also causes all profile references to the
field to be required as well.
160
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Setting a Default Value for an Object Field
When you create a new object field, by default, the Default Value property is
empty (not populated).
When you set a default value for an object field, that value displays to users in
that field. For example, if you were to set a default value for the "Additional
Description:" field of the Account object that contained the text "Enter any
additional information here.", it displays to users when they created a new
Account object.
Restriction: The new default value will only be populated for new instances of an
object type. In other words, if a user attempts to edit an existing object where the
value was blank, it will remain blank. The new default value will be used when a
user or administrator creates a new instance of that object type. For example, if an
administrator modifies an enumerated string (dropdown field) on a test object. The
new default value will be populated if new test objects are created. If an end user
attempts to edit an existing test object, the new default value won't be set or
modified for it.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. Click the name of the field group containing the object field that you want to
modify.
3. On the Field Definitions table, click the name of the object field you want to
modify.
4. On the Field Definition Information table, click Edit.
5. In the Default Value box, either type a value or click the arrow and select an
enumerated string value.
6. When finished, click Save.
Creating Computed Fields
You can create, edit, or view an object field whose value is computed from the
values of other fields.
These computed fields can exist on either the same object or on another, related
object.
Computed fields have the following characteristics:
v Are always read-only
v Can be used in reports
v Can be added to Detail, List, and Folder view pages in the IBM OpenPages user
interface
Note: Computed fields require an installed and active Cognos server as they use
the Cognos Computation Handler. If a computed field is executed in the
application and the Cognos server is not available, the following message is
displayed to users, Cognos is unavailable. Please contact your System Administrator.
Process Overview
You must follow a process to set up a new computed field.
Chapter 8. Configuring Fields and Field Groups
161
Procedure
1. In Report Studio, model the computed field in a calculation object. For details,
see “Modeling a New Computed Field in Cognos.”
2. In the IBM OpenPages GRC Platform application user interface:
a. Define the computed field. For details, see “Defining a Computed Field” on
page 163.
b. Regenerate the reporting framework. For details, see “Updating the
Reporting Framework” on page 89.
Modeling a New Computed Field in Cognos
This section explains the steps required to model an equation in Cognos that can
be used to define a computed field in the application.
It assumes that you have experience using the Report Studio tool.
Note: If you do not have knowledge of how to use the Report Studio tool, either
seek the help of an experienced Cognos report author or call your IBM
representative for assistance.
Procedure
1. Log on to the Cognos portal as an IBM OpenPages user with the locale set to
"Report Design Language".
Create a new list report that you can use to model the computed field
equation.
3. Drag the following ID query items onto the report page to establish a context
for the calculation:
v An object ID
Example
2.
SOXBUSENTITY HIERARCHY >> SOXPROCESS–SOXCONTROLOBJECTIVE HIERARCHY
>> [SOXRISK] >> [RI_RISK_ID]
v A reporting period ID
Example
SOXBUSENTITY HIERARCHY >> SOXPROCESS–SOXCONTROLOBJECTIVE HIERARCHY
>> [SOXRISK] >> [REPORTING_PERIOD_ID]
4. Click the Toolbox tab on the Insertable Objects pane:
a.
b.
c.
5. In
a.
162
Drag a Calculation object onto the report page.
At the prompt, type a name. For example, Calc-Risk.
Click OK.
the Expression Definition pane of the model:
Enter an expression using model query items from the same namespace,
function, or parameters.
The Cognos SQL used to define this computed value can be an existing
query item in the published Cognos framework or an equation involving
multiple query items. Some of the predefined database functions may also
be useful for computed fields (such as getting an exchange rate or localizing
strings).
Example
The following equation returns a value representing the percentage by
which the inherent severity of a risk was reduced after associated controls
were applied to that risk. Sample output might be: 2.46.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
total ([DEFAULT].[SOXCONTROL].[CN_INHERENT_SEVERITY_REDU]
for [DEFAULT].[SOXCONTROL].[RISK_ID]) / 100
b. Validate the expression, make any needed changes, and then click OK.
6. Run the report to make sure that you are receiving the intended results.
7. Click the XML Show Specification button on the toolbar to view the Cognos
SQL in an XML representation. The following XML sample shows which
sections of the report will be used to define the computed field in the IBM
OpenPages GRC Platform application and the corresponding field name in the
application.
<querySet xml:lang="en-ca">
<BIQuery name="Query1">
<cube>
<factList>
<item refItem="RI_RISK_ID" aggregate="none"/>
<item refItem="REPORTING_PERIOD_ID" aggregate="none"/>
<item refItem="Calc-Risk" aggregate="none"/>
<tabularModel>
<dataItem name="RI_RISK_ID">
<expression>[DEFAULT].[SOXRISK].[RI_RISK_ID]</expression>
</dataItem>
<dataItem name="REPORTING_PERIOD_ID">
<expression>[DEFAULT].[SOXRISK].[REPORTING_PERIOD_ID]</expression>
</dataItem>
<dataItem name="Calc-Risk">
<expression>total ([DEFAULT].[SOXCONTROL].[CN_INHERENT_SEVERITY_REDU]
for [DEFAULT].[SOXCONTROL].[RISK_ID]) / 100</expression>
</dataItem>
</tabularModel>
</querySet>
Note: Because the values in the Report Specification XML window are not
selectable, you can copy the report specification to the Clipboard (Tools | Copy
Report to Clipboard) and then paste the information into a text document
where you can then copy the attribute values into the application user
interface. The value to be used in the application’s Equation definition box can
also be obtained from the Expression Definition pane of the calculation object.
8. In the IBM OpenPages GRC Platform application user interface, define the
computed field. For details, see “Defining a Computed Field.”
Defining a Computed Field
You can define a computed field.
Note: The following data types do not support computed fields: Currency,
Enumerated String, and Single File.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. Click the name of the field group in which you want to include the new object
field.
3.
4.
5.
6.
On the Field Definitions table, click Add.
In the Name box, type a name for the new computed field.
In the Description box, optionally type some descriptive text.
Click the Data Type arrow and use Table 30 on page 164 to select a data type
for the new computed field.
Chapter 8. Configuring Fields and Field Groups
163
Table 30. Data Types for Computed Fields
Data Type
Return Value
Boolean
TRUE or FALSE (case Takes a boolean string, parses it, localizes it,
insensitive)
and displays it.
Date
Date in the format:
yyyy-MMdd’T’hh:mm:ss
When to Use
Takes a date string, parses it, localizes it,
and displays it.
Decimal
Any numbers
Takes any number string and parses it,
localizes it, and displays it.
Integer
Whole numbers
Takes a whole number string and parses it,
localizes it, and displays it.
Simple String
Any
Can be used for any computed field. Takes
the result of the computation engine and
displays it.
This will not be localized - it displays the
exact output of the computation.
If the field is any other data type, use the ‘Simple String’ data type.
7. Click the double arrow button
additional parameters.
next to the selected data type to display
8. Select the Computed option to make the new field a computed field.
When you select Computed, the Required option disappears and the Cognos
Computation Handler attribute fields appear.
Note: Note for Steps 9, 12, and 13:
If you modeled the computed field in Report Studio, the values displayed in
the Report Specification XML window are not selectable (see “Modeling a
New Computed Field in Cognos” on page 162). You can copy the report
specification to the Clipboard (Tools | Copy Report to Clipboard) and then
paste the information into a text document where you can then copy the
attribute values into the application user interface. The value to be used in the
application’s Equation definition box can also be obtained from the
Expression Definition pane of the calculation object.
9. Enter a value in the Equation box. The equation is the Cognos SQL used to
define the computed value for the object field. It can be a reference to an
existing query item in the published Cognos framework or an equation
involving multiple query items.
Example:
total ([DEFAULT].[SOXCONTROL].[CN_INHERENT_SEVERITY_REDU] for
[DEFAULT].[SOXCONTROL].[RISK_ID]) / 100
10. Enter a value in the Primary Namespace box. The Primary Namespace is the
Cognos framework namespace in which the computation is to be performed.
Note: All referenced query items in the values for ‘Equation’, ‘Object ID
Column’, and ‘Reporting Period ID Column’ must be in the same namespace.
For example, DEFAULT.
11. Enter a value in the Alternate Namespaces box if necessary.
The Alternate Namespace is the Cognos framework namespaces to which the
computation will be added during reporting framework generation.
164
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Note: See “Using Computed Fields with Multiple Namespaces” for an
explanation of why a computed field might need alternate namespaces.
12. Enter a value in the Object Id Column box. The Object ID Column is a
reference to a Cognos framework query item that contains the Resource ID of
the computed field’s object type. This value must be the same for all
computed fields in a given namespace for an object type.
Example: [DEFAULT].[SOXRISK].[RI_RISK_ID]
13. Enter a value in the Reporting Period Id Column box. The Reporting Period
ID Column is the Cognos framework query item that contains the Reporting
Period Id of the computed field’s object type. This value must be the same for
all computed fields in a given namespace for an object type.
Important: The Resource ID and Reporting Period ID must match within the
field group and object type. If these values do not match, the validation will
fail.
For example, [DEFAULT].[SOXRISK].[REPORTING_PERIOD_ID]
14. Click Create. IBM OpenPages will then validate the equation against the
primary and alternate namespaces.
15. Regenerate the reporting framework to make the computed field available to
report authors. For details, see “Updating the Reporting Framework” on page
89.
Importing and Exporting Computed Field Definitions
If you want to import (load) and export (dump) computed field definitions, you
must use the ObjectManager tool.
For details, see “Importing and Exporting Computed Field Definitions” on page
659.
Using Computed Fields with Multiple Namespaces
The IBM OpenPages GRC Platform application allows multiple parent object types
for a given child object type.
The Cognos reporting engine cannot support objects with multiple parent’s object
types.
For example, in the DEFAULT namespace the only path to a Loss Event is through a
Business Entity. This means that if a Loss Event is associated to a parent Risk but
not a parent Business Entity, that Loss Event will not be displayed as a result in
queries against that namespace. Each parent-child object type relationship that is
not contained in DEFAULT is contained in its own namespace.
In order to make the calculation available in multiple namespaces for report
writers, you can use the 'Additional Namespaces' attribute. This is a
comma-delimited list of alternate namespaces for which a 'Calculation' object
should be created during the framework generation process. During this process, a
calculation object is first created for the primary namespace using the value from
the 'Equation' attribute. Then it creates other calculation objects in other
namespaces by taking the equation and substituting the alternate namespaces for
the primary namespace.
Chapter 8. Configuring Fields and Field Groups
165
Note: While an equation may be valid in one namespace, it may not be valid in
others. While in most cases this is not a problem, if the query subject name or
query item name varies across namespaces you may need to create separate
computed field instances with different equations.
Nesting Computed Fields
Computed fields can sometimes act as building blocks for other computed fields.
These are referred to as intermediate computations. Currently the IBM OpenPages
GRC Platform application does not support intermediate calculation definitions
through the IBM OpenPages GRC Platform user interface. If you want to reference
another computed field, you must replicate the equation used in that computed
field inside the equation for the current field.
For example, if we have a computed field "A" and define it as "A = B × C" and we
also know
"C = D + E", we would only create one computed field "A" in the application
where the equation would be "B × (D + E)".
While this approach can be verbose, it is sometimes the simplest.
Troubleshooting Computed Fields
Validation
Computed fields validation is complex since they are only valid in relation to the
IBM OpenPages GRC Platform reporting framework, which may change in
response to a change in the IBM OpenPages object model.
Therefore, we provide several forms of validation.
When creating or editing a computed field, it is validated against the primary
namespace as well as all alternate namespaces. If any of the validation checks fail,
then the IBM OpenPages GRC Platform application will not allow you to save the
computed field until corrected. The IBM OpenPages GRC Platform application
maintains strict validation checks in this area because a slight error here can have
an extensive ripple effect that is hard to identify and correct.
Also, due to the complexity of the computation engine there are certain cases
where two computed fields will be valid by themselves but invalid together. A
common example is where two computed fields reference different Object ID
columns. In order for the computations to be grouped correctly they must all have
the same Object ID column value. Therefore, we provide validation functionality
across both an entire Field Group definition as well as an Object Type definition.
Equation Length Limitation
Currently there is a limitation on the size of the computation attribute value that
can be stored by the application.
The main attribute of concern is 'Equation' where a complex equation could be
very lengthy. There is a 20,000 byte limit on the size of the entered text. Note that
IBM OpenPages supports multibyte characters and so this may not be the
equivalent of 20,000 characters if you are using a multibyte language.
166
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Using Computed Fields with Cross Products
A cross product normally occurs when a table of data is joined with itself resulting
in redundant data.
In the case of computed fields as they relate to Cognos we encounter a slightly
more complex version.
For example, in the out-of-the-box ORM schema we have computed fields on the
Loss Event object type that aggregate associated Loss Impacts and Loss Recoveries.
In effect we are joining the Loss Event data with itself because we have two
associations (joins) from the same object type and this causes a cross product.
Say you have the following associations between Loss Event and Loss Impact:
v LE - LI1
v LE - LI2
v LE - LI3
And the following associations between Loss Event and Loss Recovery:
v LE - LR1
v LE - LR2
When a query is written to access all three object types the following data is
returned:
v LE, LI1, LR1
v LE, LI2, LR1
v LE, LI3, LR1
v LE, LI1, LR2
v LE, LI2, LR2
v LE, LI3, LR2
In the case where we are aggregating values on the Loss Impact we end up with
twice the desired value and on the Loss Recovery three times the value. One way
to work around this is as follows:
Instead of:
total (Loss Impacts for Loss Events)
Use:
average (Loss Impacts for Loss Events) * count (distinct Loss Impacts for
Loss Events)
Mathematically, we can say that average x distinct_count = total/count x distinct_count
= total x distinct_count/count.
So if we are trying to total the Loss Impacts for a Loss Event in the previous
example we would be performing a total on the cross product result and then
multiplying by 1/2 to factor out the cross product. If we are trying to total the
Loss Recoveries for a Loss Event in the previous example we would be performing
a total on the cross product result and then multiplying by 1/3 to factor out the
cross product.
Chapter 8. Configuring Fields and Field Groups
167
Optimizing Report Request Performance
With the addition of computed fields there is a large increase in the number of
report requests and so it is important to make sure Cognos is set up correctly.
One common pitfall is the number of processes configured for the ‘ReportService’.
This can be configured as follows.
Procedure
1. From a browser window, log on to the IBM Cognos 10 portal as a user with
administrative privileges.
By default, the URL is:
http://<hostname>/ibmcognos (if you are using port 80 for Cognos)
Where: <hostname> is the name of the Web server machine that contains the
ibmcognos virtual directory.
2. On the main page under the Administration heading, click the Administrate
IBM Cognos content link.
3. On the Status tab, click the System link in the left pane.
4. In the Scorecard pane, do the following:
a. Under All servers, click the name of the reporting server you want to tune.
b. Under the reporting server, click the name of the dispatcher. For example,
http://<server_name>:9300/p2pd
Note: The dispatcher has the following icon preceding its URI.
c. In the list of services for the dispatcher, click ReportService.
5. In the Metrics - ReportService pane, do the following:
Note: For information on performance metrics and additional settings that are
not listed here, see the IBM Cognos 10 online Help.
a. Expand Process.
b. View and, if wanted, edit the settings for the Number of processes high
watermark and Number of processes low watermark performance metrics.
These metrics monitor the maximum and minimum number of active user
sessions since the last reset.
c. Expand Queue.
d. View and, if wanted, edit the setting for the Latency performance metric.
This metric specifies the average amount of wait time requests spend in the
queue.
e. Expand Request.
f. View and, if wanted, edit the settings for the Seconds per successful request
and Successful requests per minute performance metrics. These metrics
specify the average number of seconds it takes to process a successful
request and the average number of successful requests that can be processed
in a minute.
6. In the Settings - ReportService pane, do the following:
Note: For information on performance tuning and additional settings that are
not listed here, see the IBM Cognos 10 online Help.
a. Expand Tuning.
b. Change the value of the Maximum number of processes for the report
service during peak period and Maximum number of processes for the
report service during non-peak period settings. These settings specify the
168
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
maximum number of child report service processes that can be started
during peak demand and "off-peak" hours.
As a starting point, you should configure the value of these settings to be
twice the number of CPUs on the Cognos server. For example, if your
environment is always at peak and Cognos is running on a quad-CPU box,
then you would set the maximum number of processes to 8 for each setting.
If slow computed fields performance is observed, you can visit the
administration page again to observe the number of available processes as
well as the latency. Note that these values are only meaningful on a system
under load. If all the processes are consistently busy and there is a large
latency to service a request, consider changing the number of processes.
Query Direction Performance
While in Cognos it is possible to query up the relationship tree (i.e. compute
values based on ancestors), it is strongly discouraged.
When exploring all the computation possibilities there is one large distinction in
what can/should be done. The automatic framework generation is set up in such a
way as to create joins that are conducive to better performance querying down the
relationship tree. A query up the tree will result in bad computed field
performance as well as place a large strain on the Database that can result in the
entire application slowing down.
Modifying Enumerated String Values
For object fields with enumerated strings, you can add new values, delete (if not in
use), hide or unhide, and update the order of the values in the list.
The modifications you make to values in a list are globally applied to all instances
wherever that field group is in use.
Adding New Enumerated String Values
You can add new values to an existing list of enumerated string values at any
time.
For example, let’s say you created an object field called "Rating" that was an
Enumerated String data type. When the field was initially created, it was given the
following values: High, Medium, and Low. Because of changing business needs,
you want to add a new value of "Unknown" to the list. You could add this new
value at any time and have it immediately displayed to users as a selection in the
list of values.
When you add a new string value to an existing list of values:
v The value is immediately displayed to users for selection in the list of values
v The new value is added to the end of the value list
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. On the Field Groups table, click the name of the field group in the list that
contains the field you want to modify.
Chapter 8. Configuring Fields and Field Groups
169
3. On the Field Definitions table of the selected field group details page, click the
name of the field that contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a. Click Add.
b. In the Name box, type a value for the new string.
c. Click Create.
5. To change the order number of the string values, see “Changing the Order of
Enumerated String Values.”
Changing the Order of Enumerated String Values
For object fields with an Enumerated String data type, you can modify the order in
which string values are displayed to users.
When you change the order number of a string value, all the string values
following the changed order number are dynamically updated by the system.
For example, let’s say that the display order of string values in a list is: High 1,
Medium 2, Low 3, Unknown 4. If you want Unknown to be displayed first in the
list, you would change the order number of Unknown from 4 to 1. The system will
automatically re-order the other string values. The new order of the string values
in the list displays as: Unknown 1, High 2, Medium 3, Low 4.
Procedure
1. From the menu bar, select Administration and click Field Groups.
2. On the Field Groups table, click the name of the field group in the list that
contains the field you want to modify.
3. On the Field Definitions table of the selected field group details page, click the
name of the field that contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a. Find the rows containing the string value whose list order you want to
change.
b. In the Order boxes, type a new order number for the values.
c. Click Update Order.
Hiding Enumerated String Values
You can hide obsolete or unwanted string values from a list of enumerated string
values.
When you hide a string value from a list:
v For new instances of an object, the value or values are immediately hidden from
selection by users on the list of values.
v For existing instances of an object, if the value or values were previously
selected by users (that is, before the value was hidden), the value or values are
still displayed in the list and are available during editing for selection by users.
v The "Hidden" column on the Enumerated String Values table changes from
"false" to "true".
170
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. On the Field Groups table, click the name of the field group in the list that
contains the field you want to modify.
3. On the Field Definitions table of the selected field group details page, click the
name of the field that contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a. Select the box next to the value or values you want to hide from the list.
The "Hidden" column for the value will be set to "false".
b. Click Hide/Unhide. The "Hidden" column for the value changes to "true".
Note: The Hide/Unhide button toggles between Hide and Unhide
depending on the current setting.
Unhiding Enumerated String Values
If an enumerated string value was previously hidden from visibility by users, you
can "unhide" the hidden value and make it again visible to users in the list.
When you unhide a string value from a list, the following occurs:
v The value is immediately displayed for selection by users on the list of values.
v The "Hidden" column on the Enumerated String Values table changes from
"true" to "false".
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. On the Field Groups table, click the name of the field group in the list that
contains the field you want to modify.
3. On the Field Definitions table of the selected field group details page, click the
name of the field that contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a. Select the box next to the hidden value or values you want to display from
the list. The "Hidden" column for the value will be set to "true".
b. Click Hide/Unhide. The "Hidden" column for the value changes to "false".
Note: The Hide/Unhide button toggles between Hide and Unhide
depending on the current setting.
Deleting Enumerated String Values
You can only delete an enumerated string value from a field definition if the field
group containing the field is not in use.
A deleted string value is permanently removed from the list and cannot be
retrieved. If the field group is in use, Delete remains disabled and you can only
hide any obsolete or unwanted string values from view. For details see, “Hiding
Enumerated String Values” on page 170.
Chapter 8. Configuring Fields and Field Groups
171
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. On the Field Groups table, click the name of the field group in the list that
contains the field you want to modify.
3. On the Field Definitions table of the selected field group details page, click the
name of the field that contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a. Select the box next to the name of the value you want to remove - Delete
becomes enabled.
Note: If Delete remains disabled, the field group to which this field
definition belongs is in use and you cannot delete the value.
b. Click Delete.
c. At the prompt, click OK to remove the value from the list.
Configuring Reporting Fragment Fields
About Reporting Fragment Fields
Reporting fragment fields are always read-only fields that typically display a
component (such as a chart or table) from a larger Cognos report.
Once fragment fields are configured, these fields — like other fields in the IBM
OpenPages GRC Platform application — can be:
v Associated with an object type
v Added to various object view pages
v Configured as dependent fields
v Have their display type modified
By default, fragment fields have a display type of ‘Automatic’ for Detail and
Activity View pages and the report component is embedded directly on the page.
If the display type is changed to ‘On Demand’, the report component is displayed
in a pop-up window. Pop-up windows can be autosized through settings in the
application or manually overriden when the fragment field is defined.
Limitations
Reporting fragment fields have the following limitations:
v You cannot use elements from JSP reports in reporting fragment fields; only
components from Cognos reports are supported.
v Page breaks in reporting fragment fields are not supported.
v Tooltips in reporting fragment fields are not supported.
v A report that has required prompts other than Object ID and Reporting Period
ID cannot be used as a reporting fragment field.
Note: See the IBM OpenPages Cognos Report Author’s Guide on your documentation
media for designing reports that can be used in fragment fields.
172
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Planning Considerations for Reporting Fragment Fields
Before you add a fragment field, you need to identify the report with the
component you want, and which object types, profiles, and object views will be
associated with the fragment field.
Planning your changes ahead of time helps to minimize the necessary work and
prevents duplication of effort.
The following list will help you identify some of the questions you need to
consider before you create a new fragment field:
v Report component — What report component data does the user need to see to
accomplish their task? Which Cognos report contains the component?
v Field group — Will new fragment fields reside in new or existing field groups?
v Object type — Which object type will use the fragment field or fields?
v Views — Which view pages in a profile will use the fragment fields (such as
Filtered List View, Detail View, Activity View, My Work tab)?
v Display — How many fragment fields will be included in a Detail or Activity
View page? Will a fragment field be embedded (Automatic) on the page or
displayed as a pop-up window (On Demand)?
Overview of Configuring Reporting Fragment Fields
The following table provides an overview of the configuration tasks for setting up
new fragment fields and a reference to the related information.
Table 31. Tasks for Configuring Reporting Fragment Fields
Task Description
Related Topic
Identify the:
“Planning Considerations for Reporting Fragment
Fields”
v
Cognos report and report
component you want to use.
v The field group you want to use.
From Cognos, obtain the parameter
information for the fragment field.
“Fields Requiring Parameter Information”
In the IBM OpenPages GRC Platform
application, define the fragment field.
“Defining a Reporting Fragment Field” on page
174
Add the field group to an object type if “Including Field Groups for an Object Type” on
it is not already included.
page 186
Select a profile and add the fragment
field to an object type in that profile.
“Configuring Fields for Object Types” on page
223
Select an object view in that profile and “Views for objects” on page 238
add the fragment field to that view
page.
Optionally, change the display type and “Configuring the Display Type for Reporting
display characteristics.
Fragment Fields” on page 265
Fields Requiring Parameter Information
The process of creating a new fragment field for use in the IBM OpenPages GRC
Platform application involves copying parameter information from Cognos and
either pasting or entering it into fields on the Reporting Fragment data type field
definition page in the IBM OpenPages GRC Platform application.
Chapter 8. Configuring Fields and Field Groups
173
Note: You must have administrative privileges set on your account so you can
access:
v The Cognos portal and Report Studio for obtaining parameter information
v The IBM OpenPages GRC Platform application for defining the new fragment
field
Table 32 lists the various fields on the Reporting Fragment data type field
definition page that require specific parameter information.
Table 32. Required Parameter Information
Fields
Field description
Report
Path
Required. The file path of the selected Cognos report
that contains the component you want to use.
“Define the Report Path” on page 175
Fragment
Name
Where to find the
parameter information
IBM Cognos
Connection, Public
Folders tab.
Required. The unique name of the particular report
Report Studio, Report
component (such as a ’Pie Chart’, ‘List’, ‘Combination Page
Chart’, and so forth).
“Define the Fragment Name” on page 176
Object ID
Prompt
Required only if the report prompts users to select a
resource (such as ‘Entity’, ‘Process’, and so forth)
before running the report.
Report Studio, Prompt
Page
Otherwise, leave this field blank.
“Define the Object ID Prompt” on page 177
Reporting Required only if the report prompts users to select a
Period ID reporting period before running the report.
Prompt
Otherwise, leave this field blank.
Report Studio, Prompt
Page
“Define the Reporting Period ID Prompt” on page 178
Defining a Reporting Fragment Field
For purposes of illustration, the following tasks use examples from a sample
Assessment Status report to configure a fragment field that will display the chart
component of this report as an embedded report on a Risk Assessment Detail View
page.
Find or Add a Field Group for the New Reporting Fragment Field
You can use either an existing field group or create a new field group for the new
fragment field.
About this task
Note: This task is required.
Procedure
1. In IBM OpenPages , access the Field Groups page (see “Accessing the Field
Groups Page” on page 142).
2. Do one of the following:
v To include the fragment field in an existing field group, click the name of the
field group to open its detail page.
174
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v To include the fragment field in a new field group, see “Adding New Field
Groups” on page 149.
3. On the detail page of the selected field group, navigate to the Field Definitions
table and click Add.
4. On the field definitions detail page:
a. In the Name box, type the name of the new object field.
b. In the Description box, optionally type some brief descriptive text.
c. Click the Data Type arrow and select Reporting Fragment from the list.
button next to the data type selector to
d. Click the double arrow
display additional parameters this data type.
Note: Keep the IBM OpenPages GRC Platform application browser window
open as you will need to return to it.
Define the Report Path
To define the report path, the steps in this task require going back and forth
between the Cognos portal and the IBM OpenPages GRC Platform application user
interface to obtain the path information to the report containing the component.
About this task
Note: This task is required.
Procedure
In the Cognos Portal
1. Open another browser window and log on to IBM Cognos Connection as a
user with administrative privileges.
By default, the URL is http://<servername>/ibmcognos
Where: <servername> is the name of the reporting server.
2. On the Public Folders tab, navigate through the folder hierarchy to where the
report you want is saved.
Example
Public Folders > OPENPAGES_REPORTS_V6 > Risk Assessment Reports >
Risk Assessment Status
3. Under the Actions column for the report you want, click the Set Properties
. Hover text for the icon will display ‘Set properties - <report name>'.
icon
Example
The hover text for the Risk Assessment Status report Set properties icon would
say:
‘Set properties - Risk Assessment Status’
4. On the Set Properties page of the selected report:
a. Select the General tab if it is not already selected.
b. Click the ‘View the search path, ID and URL’ link (found in the upper right
section of the page).
5. In the View the search path, ID and URL window, copy the text in the ‘Search
path’ box.
The following example shows sample search path text for the Risk Assessment
Status report.
Chapter 8. Configuring Fields and Field Groups
175
Sample Search Path Text
/content/folder[@name=’OPENPAGES_PLATFORM’]/folder[@name=’Risk
Assessment Reports’]/report[@name=’Risk Assessment Status’]
In IBM OpenPages
6. On the Reporting Fragment field definitions detail page, paste the search path
text into the Report Path box.
In the Cognos Portal
7. Close the View the search path, ID and URL window and exit the ‘Set
properties’ page (do not exit Cognos).
Define the Fragment Name
To define the fragment name, the steps in this task require going back and forth
between the Cognos portal and the IBM OpenPages GRC Platform application user
interface to obtain the name of the report component within the selected report.
About this task
Note: This task is required.
Procedure
In Report Studio
1. Open the report containing the component you want in Report Studio:
a. On the Public Folders tab, navigate through the folder hierarchy to where
the report you want is saved.
Example
Public Folders > OPENPAGES_PLATFORM > Risk Assessment Reports >
Risk Assessment Status
b. Under the Actions column for the report you want, click the Open with
icon. Hover text for the icon will display ‘Open with
Report Studio
Report Studio - <report name>'.
Example
The hover text for the Risk Assessment Status report Set properties icon
would say:
‘Open with Report Studio - Risk Assessment Status
2. In Report Studio (in Page Design mode), select the component you want to use
for the Reporting Fragment field (such as a List, a Chart, a Crosstab, and so
forth.)
3. Verify that the entire component is selected:
a. In the Properties pane (on the left), look at the title bar. It should display
the name of the selected component, such as ‘Pie Chart’, ‘List’,
‘Combination Chart’, and so forth.
b. If the Properties title bar displays the name of a subcomponent (for example
‘List Column Body’ or ‘List Column Title’), then click the Properties up
arrow icon on the Properties title bar and select the entire component (for
example, ‘List’).
4. Once the entire component is selected, do the following:
a. In the Properties pane, scroll to the Miscellaneous heading.
b. Under the Miscellaneous heading, copy the value in the Name property.
176
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Example
The Name property value for the Combination Chart component of the
sample Risk Assessment Status report is Combination Chart1.
In IBM OpenPages
5. On the Reporting Fragment field definitions detail page, paste or type the value
into the Fragment Name box.
Example
For the sample Risk Assessment Status report, you would paste or type
Combination Chart1.
Note: If the report prompts for an object or reporting period ID, keep the
report open in Report Studio.
Define the Object ID Prompt
To define the Object ID Prompt, the steps in this task require going back and forth
between the Cognos portal and the IBM OpenPages GRC Platform application user
interface.
About this task
Note: This task is required only if a report prompts users to select a resource (such
as ‘Entity’, ‘Process’, and so forth) before running the report. Otherwise, skip this
task and leave the field blank.
Procedure
In Report Studio
1. In Report Studio for the selected report:
a. Click the Page Explorer.
b. Navigate to the prompt page of your report.
2. On the prompt page:
a. Click the prompt for the object identifier (such as Entity, Process, and so
forth).
b. In the Properties pane (on the left), scroll to the General heading.
c. Under the General heading, click the Parameter property icon and copy the
value in the box (for example, Entity).
Example
The sample Risk Assessment Status report prompts users to select a
Business Entity before running the report. On the sample Risk Assessment
Status report ‘PromptPage,’ you would select the ‘Value Prompt’ object for
Business Entity. The value in the ‘Properties - Value Prompt’ for the
‘Parameter’ field is Entity.
In IBM OpenPages
3. On the Reporting Fragment field definitions detail page, paste or type the value
into the Object ID Prompt box.
Example
For the sample Risk Assessment Status report, you would paste or type
Entity in the ‘Object ID Prompt’ box.
Chapter 8. Configuring Fields and Field Groups
177
Define the Reporting Period ID Prompt
To define the Reporting Period ID Prompt, the steps in this task require going back
and forth between the Cognos portal and the IBM OpenPages GRC Platform
application user interface.
About this task
Note: This task is required only if a report prompts users to select a reporting
period before running the report. Otherwise, skip this task and leave the field
blank.
Procedure
In Report Studio
1. In Report Studio for the selected report:
a. Click the Page Explorer.
b. Navigate to the prompt page of your report.
2. On the prompt page:
a. Click the prompt for the reporting period identifier.
b. In the Properties pane (on the left), scroll to the General heading.
c. Under the General heading, click the Parameter property icon and copy the
value in the box.
In IBM OpenPages
3. On the Reporting Fragment field definitions detail page, paste or type the value
into the Reporting Period ID Prompt box.
Define the Reporting Fragment Size
When defining the reporting fragment size, if you leave the pixel values for height
and width blank (this is the default), the pop-up window will be sized
automatically.
About this task
Note: This task is optional. Use if you want to manually control the height and
width of the pop-up window for a fragment field.
Procedure
1. In IBM OpenPages , on the Reporting Fragment field definitions detail page:
a. In the Height box, type a numeric value for the pixel height of the
fragment.
b. In the Width box, type a numeric value for the pixel width of the fragment.
2. When finished, click Create.
Configuring Save As Draft Fields
Configure the Save As Draft feature to display a Save As Draft button when
editing or creating objects so users can save object data without filling in all of an
object’s required fields.
The Save As Draft button is displayed next to the Save button on the Detail View
page of an object type when the object is in edit mode.
178
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The Save As Draft configuration process requires the creation of a field group and
an enumerated string field. Once the group and field are created, these values can
be used in settings to enable the Save As Draft button. The group and field can
then be associated to various object types in a profile. The field does not have to be
associated with a particular view in a profile for the Save As Draft button to be
displayed.
See the following topics for details on the Save As Draft configuration process:
v “Create a new field group and field”
v “Configure settings”
v “Add the field to the object type and profile” on page 180
For purposes of illustration, the field group in the “Create a new field group and
field” procedure is called "DraftGroup" and the enumerated field is called "Draft
Status" with values of "Draft" and "Published".
When the user clicks the Save As Draft button, the value of the "Draft Status" field
is automatically set by the system to "Draft". When the user clicks the Save button,
the required fields are automatically validated and the value of the "Draft Status"
field is set to "Published". We recommend that the "Draft Status" field is hidden
from object views in a profile. However, if you choose to make the "Draft Status"
field visible in a profile’s object view, it should be configured as Read only.
Using the Save As Draft Feature with Activity View Pages
If you plan to use the Save As Draft feature with Activity View pages, the Save As
Draft button must be configured on the root or parent object type (this is the first
object type listed in the Activity View).
If a child object type has the Save As Draft button configured but the parent object
type does not have the button configured, the Save As Draft button will not be
visible on the Activity View page.
The required field validation is skipped on child objects if they have the draft field
in the profile. The required field validation on the child objects will NOT be
skipped if the child object does not have the draft field in the profile, even though
the user clicked the Save as Draft button.
Create a new field group and field
Procedure
1. Create a new field group and name it, for example, DraftGroup (see “Adding
New Field Groups” on page 149).
2. Add a field definition to the new field group and name it, for example, Draft
Status.
a. Select the Enumerated String data type.
b. Add a value for Draft and a value for Published (see “Adding Field
Definitions to a Field Group” on page 149).
Configure settings
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
Chapter 8. Configuring Fields and Field Groups
179
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Applications | Common | Configuration |
Required Field Validation folder hierarchy
4. Click the Draft Status Field setting to open its detail page.
a. In the Value box, type the name of the field group and field. The format is
<field group>.<field name>.
For example: DraftGroup.Draft Status
b. Click Save.
5. Click the Draft Status Value setting to open its detail page.
a. In the Value box, type the system name of the draft value.
For example: Draft
b. Click Save.
6. Click the Publish Status Value setting to open its detail page.
a. In the Value box, type the system name of the draft value.
For example: Publish
b. Click Save.
Add the field to the object type and profile
Procedure
1. Enable System Admin Mode (see “Enabling and Disabling System Admin
Mode” on page 82).
2. For each object type that you want to have a Save As Draft button, include the
new field group, for example DraftGroup (see “Including Field Groups for an
Object Type” on page 186).
3. Disable System Admin Mode.
4. Include the new field, for example Draft Status, in a profile (see “Including
Fields in an Object Type” on page 223).
Note: Unless you want the field to be visible to users, the field does not have
to be included on a View page for the Save As Draft button to be displayed.
Deleting Field Groups and Definitions
Deleting Field Groups
If a field group has never been associated with an object type (that is, it has never
been used), you can then delete it.
When you delete a field group, the field group is removed from the list of
available field groups on the Field Groups page and cannot be restored to the list.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. Select the box next to the name of the field group that you want to delete.
3. Click Delete on the Field Groups table.
180
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Deleting an Object Field Definition
When you delete a field, the definition of the field is removed from the field group
to which it belongs.
You can only delete field definitions from a field group that are not in use. Once a
field definition is deleted, it cannot be restored.
Procedure
1. Access the Field Groups page (see “Accessing the Field Groups Page” on page
142).
2. Click the name of the field group you want to modify to open its details page.
3. Click the box next to the name of each field definition you want to delete.
4. When finished, click Delete.
Working with Long String Fields
Long string fields (data type is long string) are considered to be any text of length
more than 4000 bytes. Long string fields allow users to enter more than 4000 bytes
in a single field.
There are two sub types of long text fields: medium and large. The size of medium
long string fields is fixed to 32KB. The size of the large long string fields is set by
default to 256KB, but that can be increased by changing the OpenPages | Platform
| Repository | Resource | Large Text | Maximum Size setting.
Note:
v For more information on long string data types, see “Data Types” on page 150.
v For information on setting display types for long string fields, see “Configuring
Display Types for Long String Fields” on page 274.
v For information on filtering on long string fields, see “Utilities for Filtering on
Long String Field Content” on page 460.
v For information on concatenating simple string fields into a long string field, see
“String Concatenation Utility” on page 466
Chapter 8. Configuring Fields and Field Groups
181
182
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 9. Managing Object Types
About Object Types
An object type is a container with metadata about a specific category of object,
such as a Risk or Process object, or a custom form.
From an Object Type page, you can view and access:
v Property information about the object type (such as name, labels, description)
v Field groups (with their field definitions) that are included in this object type
v
v
v
v
v
Allowed parent and child relationships (associations) to other object types
Filters used to narrow the scope of data for this object type
Dependent fields and picklists that have been defined for this object type
Fields for this object type that have been excluded from one or more subsystems
Facts and dimensions configured for this object type that can be generated by
the reporting framework
. Each
An object type is identified in the application by the Object Type icon
object type can include one or more field groups and associations to other objects.
For custom forms, such as surveys, you must add an object type for each custom
form that you create. For more details, see “Setting Up Custom Forms” on page
196.
For additional information about:
v Configuring groups and fields for an object type, see Chapter 8, “Configuring
Fields and Field Groups,” on page 141.
v Customizing the display text labels for object types, see Chapter 12, “Localizing
Text,” on page 279.
v Configuring facts and dimensions in the reporting framework, see “Configuring
Facts and Dimensions” on page 91.
Note: If the same management operation is being concurrently modified by
another administrator, an error message is displayed requesting that you try again
at a later time.
About Platform Object Types
The IBM OpenPages object model is highly configurable and, depending on your
particular business needs, can contain numerous object types.
Because the object types and schema vary widely from customer to customer,
Table 33 lists only the Platform object types that are installed, by default, on all
systems.
Table 33. Platform Object Types
Icon
Object Name
Singular Label
SOXBusEntity
Business Entity
183
Table 33. Platform Object Types (continued)
Icon
---
Object Name
Singular Label
SOXIssue
Issue
SOXTask
Issue Action Item
SOXDocument
File
SOXExternalDocument
Link
SOXSignature
Signature
SOXMilestone
Milestone
ProjectActionItem
Milestone Action Item
SOXProject
Project
Note: The SOXProject object type is for system use only; it is the "master" parent
object type for all top level Business Entities and top level Milestones.
About Property Rendering JSP Files
Every object type requires a property rendering JSP file. The JSP file controls the
format of the various elements that comprise the layout of a form on a Web page.
Note: For AIX environments, see your IBM representative for assistance.
Note: The information in this topic applies only to Windows environments.
The IBM OpenPages application supplies a generic property rendering JSP file,
called properties.jsp, that is used by the various object types and cannot be
changed. This file is located in the <OP_Home>|applications|opapps|sosa|activityview folder.
Where <OP_Home> is the installation location of the OpenPages application. By
default, this is c:\OpenPages.
Note: For backward compatibility with upgraded systems prior to the IBM
OpenPages 5.5 release, the existing JSP file, called renderProperties.jsp, is still used
by the standard objects’ definitions. This existing file, however, maps to the
properties.jsp file.
For custom forms, you can either create your own custom property rendering JSP
file or use the supplied properties.jsp file. If you choose to use the supplied JSP file
for a custom form or survey, when the form or survey displays on a page, it will
have the standard look and feel of an object page.
If you choose to create custom property rendering JSP files to use with your
custom forms or surveys, it is recommended that you create a "survey" folder
under the \sosa folder path in which to store your custom JSP file or files. For
example:
<OP_Home>\applications\op-apps\sosa\survey
184
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
For assistance in creating custom property rendering JSP files, see your OpenPages
Managing Consultant.
When you create a new object type for a custom form, the path you provide for
the JSP file will be relative to the ...\applications\op-apps\sosa folder.
Accessing Object Types
From the detail page of an object type, you can configure properties, such as which
field groups should be included or excluded, associate parent and/or child object
types, manage filters, dependent fields, and so forth.
Note: To access the Object Types menu item, you must have the Object Types
application permission set on your account (for details, see “Configuring
Application Permissions” on page 21).
Procedure
1.
Log on to the IBM OpenPages application as a user with the Object Types
application permission set.
2. From the menu bar, select Administration and click Object Types.
3. To go to the detail page of an object type, click the name of the object type in
the list (for example, SOXControl).
Configuring Object Type Properties
From the detail page of an object type, you can configure field groups, associate
objects, and edit object type properties.
Editing Object Type Properties
You can edit the description of an object type and set whether or not you want to
keep older versions of instances for that object type. The JSP Path can only be
edited for custom forms.
Note: Do not use characters defined in CJK Unified Ideographs EXTENSION-B on
Unicode in the description field of an object type.
Procedure
Access the Object Types page (see “Accessing Object Types”).
From the list, click the name of the object type you want to modify.
On the Object Type Information tab, click Edit.
On the edit page, make the necessary changes.
If you want to save an older version of this object type, select the Save older
versions of this object type? check box.
6. When finished, click Save.
1.
2.
3.
4.
5.
Note: To change label text for an object type, see Chapter 12, “Localizing
Text,” on page 279.
Chapter 9. Managing Object Types
185
Including Field Groups for an Object Type
A field group (either new or existing) must be added to an object type before any
of the fields within the field group can be selected for display on an object’s view
page.
To create a new field group, see “Adding New Field Groups” on page 149.
The object type can be a predefined object type (see the topic, “About Platform
Object Types” on page 183, for a list of object types) or a custom form object type.
Note:
v Before you can add a field group to a custom form or survey, you must first
create an object type for that custom form or survey and then add field groups
to it (see the topic, “Adding an Object Type for a Custom Form” on page 196,
for details).
v To perform these steps, System Administration Mode must be enabled in the
application interface (see “Enabling and Disabling System Admin Mode” on
page 82).
When you include a field group for an object type, the field group displays in the
list on the Included Field Groups tab of the selected object. Once the field group
has been included, you can then select which fields you want to make visible to
users. For details, see “Adding Field Definitions to a Field Group” on page 149.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want.
3. On the Included Field Groups table, click Include.
4. On the Select Field Group Information page, select the check box next to the
field group you want to include. If wanted, you can select multiple boxes.
5. When finished, click Add.
6. To make the individual fields within the field group visible to users in an object
view, see “Views for objects” on page 238.
Disabling Associations Between Object Types
If an association between a parent or child object type is no longer wanted, you
can disable the relationship between these object types.
Note: You must be in System Administration Mode (SAM) to perform this
operation (see Chapter 4, “Using System Admin Mode,” on page 81).
For example, if a survey becomes obsolete and you no longer want it associated
with a specific object type (such as a Risk object), you can disable the association
between the survey object and the parent object type (SOXRisk).
For example, if you do not want users to associate certain object types together,
such as Accounts with Business Entities, you can disable the association between
the child object type (SOXAccount) and the parent object type (SOXBusEntity).
When you disable an association between object types, the following occurs:
v For objects:
186
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v
v
v
v
v
– The entry for the child object type on the navigation pane is removed from
the Detail View page of the parent object type.
– The entry for the parent object type on the navigation pane is removed from
the Detail View page of the child object type.
For a custom form or survey, the custom form or survey is removed from the list
of available form types that can be added from the Associated Files and Forms
tab of a parent object.
The Disable button on the Association Detail Info page for the child object type
changes to Enable.
The value of the Enabled property changes from "true" to "false".
The object type is removed from the Audit Trail page and Audit reports, even if
the object type is a child for a different parent.
The value of the setting is displayed as Read-only on the Child Association
Detail Info page.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. Depending on the association you want to disable, navigate to either the Child
Associations tab or Parent Associations tab on the Object Type Information
detail page of the selected object type.
4. From the list of associated object types, click the name of the object type that
you want to disable.
5. On the Association Detail Info page, click Disable. The button changes to
Enable.
6. To propagate the object relationship changes to reports, do the following:
a. Update the Reporting Schema. For details, see “Creating or Re-creating the
Reporting Schema” on page 84.
b. Regenerate the reporting framework. For details, see “Updating the
Reporting Framework” on page 89.
Enabling Associations Between Object Types
If you want to allow an association between a parent or child object type that was,
for example, previously disabled, you can enable the association between these
object types.
Note: You must be in System Administration Mode (SAM) to perform this
operation (see Chapter 4, “Using System Admin Mode,” on page 81).
When you enable an association between object types, the following occurs:
v The enabled child object type displays on the detail page of the parent object
type.
v The Enable button changes to Disable on the Association Detail Info page.
v The value of the Enabled property changes from "false" to "true" on the Child or
Parent Associations tab.
v The object type is included in the Audit Trail page and Audit reports
v The value of the setting is displayed as Read-only on the Child Association
Detail Info page.
Chapter 9. Managing Object Types
187
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. Depending on the association you want to enable, navigate to either the Child
Associations tab or Parent Associations tab on the detail page of the selected
object type.
4. From the list of associated object types, click the name of the object type that
you want to enable.
5. On the Association Detail Info page, click Enable. The button changes to
Disable.
6. To propagate the object relationship changes to reports, do the following:
a. Update the Reporting Schema. For details, see “Creating or Re-creating the
Reporting Schema” on page 84.
b. Regenerate the reporting framework. For details, see “Updating the
Reporting Framework” on page 89.
About Object Relationship Types
Within the IBM OpenPages application, a relationship type can be defined as either
‘Association’ or ‘Reference’ between objects in the object model.
The IBM OpenPages application requires that an object model must not contain
relationship definitions that result in a loop (a cyclic relationship) when the object
hierarchy is traversed.
The ‘Association’ type relationship is the typical relationship that exists between
parent and child objects in the object hierarchy. The ‘Reference’ type relationship is
a non-parent-child relationship that can exist between objects.
For customers doing a first-time ("fresh") installation, the IBM OpenPages
application will not allow loops to be created in the new model.
However, for customers that are upgrading from a version prior to IBM
OpenPages 5.5, the object model may contain relationship definitions that create a
loop or cyclic relationship between objects. If the IBM OpenPages application
encounters such a loop between objects in the hierarchy, some pages may return
incomplete results. For details about running a script to analyze your object model
for unused and/or cyclic relationships, see "Correcting Cyclic Relationships" in the
IBM OpenPages Upgrade Guide.
Figure 7 on page 189 demonstrates how a path from SubAccount to Process in an
object model can create a loop or cyclic relationship. That is, starting at Entity, as
you traverse the hierarchy through the parent-child relationships, you enter a loop
between SubAccount and Process. This is an invalid configuration.
188
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Figure 7. Sample Invalid Cyclic Relationship
To resolve a loop or cyclic relationship between objects in the hierarchy, upgrade
customers can:
v Disable the relationship that creates the loop. For example, if the relationship
defined in the object model is superfluous and is not being used (that is, there
exists no instance data in your database that has these relationships), then you
should disable the relationship. For details, see “Disabling Associations Between
Object Types” on page 186.
v Leave the relationship that creates the loop, but change its type. For example, if
you need to retain the relationship that creates a loop because the object model
accurately describes your business, you can leave it and change its type from
‘Association’ to ‘Reference’ (see Figure 8 on page 190). For details on changing
the reference type, see “Setting the Relationship Type” on page 190.
Figure 8 on page 190 illustrates how a valid relationship between SubAccount and
Process can be maintained without a loop by changing the Relationship Type
between these objects from ‘Associative’ to ‘Reference’.
Chapter 9. Managing Object Types
189
Figure 8. Sample Reference Relationship
Related tasks:
“Eliminate unused object type relationships” on page 783
If the business only requires a subset of the available enabled relationships, those
unneeded relationships should be disabled.
Setting the Relationship Type
You can set the relationship type of objects.
Note: You must be in System Administration Mode (SAM) to perform this
operation (see Chapter 4, “Using System Admin Mode,” on page 81).
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the parent object type with the child
relationship you want to modify.
3. On the Child Associations tab, select the child object whose relationship you
want to modify.
4. On the Association Detail Info tab, click Edit.
5. Click the Relationship Type arrow and select a value from the list. If the
selected value results in a loop, an error message is displayed.
6. When finished, click Save.
190
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Modifying Cardinality Settings
Cardinality settings within the IBM OpenPages application are used to determine if
a given object can be created as a standalone object and whether or not it can be
shared by (associated to) more than one parent object.
Important: The setting values are used to control the presence of specific buttons
on the user interface that allow users to create objects as either standalone or
shared. The setting values are NOT currently used to enforce the number of
associations between object instances.
In new IBM OpenPages installations, the default values for the minimum (Min
Children = 0) and maximum (Max Children = 2147483647) number of children
should not be modified.
Displaying the Add New Button for Standalone Objects
When you add a new child object type from the detail page of a parent object type,
the child object type is created and automatically associated with that parent object
type. A "standalone" object instance is a child object that is not associated with any
parent object.
For example, if you select the Risks menu item on the Assessments menu, and
then click the ‘Add New’ button on the Risk Folder View page to create a new
child Risk object, that child object is created in the top-level Risk object type folder
but would not be associated with any parent object.
You can control the ability of users to create standalone instances of an object type
by configuring the value of the minimum parents cardinality setting.
If the value of the minimum parents cardinality setting, Min Parents, is set to:
0 -- the Add New button displays on the object’s Folder View page and users
are able to create standalone instances of a child object type. If a child object
type has multiple parent relationships, the value of Min Parents must be set to
zero for every relationship in which that object type is a child. You cannot create
standalone objects from a Detail View or Activity View page.
v 1 -- the Add New button is removed from the object’s Folder View page and
users will not be able to create standalone instances of a child object type. This is
the default value in new product installations.
v
Note: For data consistency, the minimum parent setting should always be set to
either 0 or 1. A minimum parent setting greater than 1 is effectively the same as
setting it to 1.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type whose cardinality you want to
modify.
3. On the Parent Associations tab, click the name of a parent object type.
4. On the Association Detail Info tab, click Edit.
5. In the Min Parents box, enter 0 (for standalone) or 1 (for not standalone).
6. When finished, click Save.
Note: To return to the object type detail page, click the name of the object type
in the breadcrumbs at the top of the page.
Chapter 9. Managing Object Types
191
7. If there are multiple parent objects, repeat Steps 3 - 6 for each parent object.
For example, a company does not want users to create standalone Processes.
You could remove the Add New button from the Processes Folder View page
for all relationships that specify the Process child object type by doing the
following.
a. From the menu bar, select Administration and click Object Types.
b. From the list, click SOXProcess.
c. For each parent object listed under the Parent Associations tab, set the
minimum number of parents to 1 in all the relationships that specify the
Process child object type as follows:
1) Click the name of a parent object to open its detail page.
2) Click Edit and set Min Parents to 1.
3) Click Save to save the modified setting.
Displaying the Associate/Disassociate Buttons for Shared
Objects
For object type relationships that contain a child object type, you can control the
ability of users to associate instances of a child object type by configuring the value
of the maximum parents cardinality setting.
If the value of the maximum parents cardinality setting, Max Parents, is set to:
v 2147483647 (infinity) -- the Associate and Disassociate menu items are
displayed on the Action Menu of the object type on a detail page, and users will
be able to associate that object to more than one parent object. The default value
is 2147483647 in new product installations.
v 1 -- the Associate and Disassociate menu items are removed from the Action
Menu of the object type on a detail page, and users will not be able to create
shared instances of a child object type.
Note: There is currently no enforcement of the maximum parents setting on the
number of parent associations that a given child object can have. For instance, if
the maximum parents setting is 2, the application will still allow a given child
object to be shared among 3 or more parent objects of the same type. A maximum
parent setting of greater than 2 is effectively the same as setting it to infinity.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the parent object type whose child relationships
you want to modify.
3. On the Child Associations tab, click the name of the child object type you
want to modify.
4. On the Association Detail Info tab, click Edit.
5. In the Max Parents box, enter 2147483647 (for shared) or 1 (for not shared).
6. When finished, click Save.
Note: To return to the object type detail page, click the name of the object type
in the breadcrumbs at the top of the page.
7. If there are multiple child objects for which you want to restrict the parent
object relationship, repeat Steps 3 - 6 for each child object.
Example
192
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Let’s say a company does not want users to associate and share Processes
among Business Entities. You could remove the Associate and Disassociate
menu items from the Process Action Menu on the detail page by doing the
following.
a. From the menu bar, select Administration and click Object Types.
b. From the list, click SOXBusEntity.
c. Navigate to the Child Associations tab.
d. Click SOXProcess to open its detail page.
e. Click Edit and set Max Parents to 1.
f. Click Save to save the modified setting.
Configuring File Type Information
A file type describes the structure or format of a file and is typically reflected in
the file name extension.
Some common examples of file name extensions include .RTF (Rich Text Format),
.TXT (ASCII text), .DOC (Microsoft Word), .PDF (Portable Document Format), .XLS
(Microsoft Excel), .HTM (Hypertext Markup Language), and .JSP (Java Server
Page).
Note: Only the SOXDocument object type supports file types.
Each file type has a corresponding MIME (Multipurpose Internet Mail Extension)
type associated with it, which is a standardized data exchange method used by
Web browsers to associate files with helper applications that display files of that
type. For example, a MIME type of image/gif, informs the browser to handle the
data as an image. The IBM OpenPages application supplies a number of
predefined MIME types.
Adding a New File Type
Before you add a new file type to the application, verify that the file type does not
already exist.
To view a list of supplied file types, click Include on the File Types Information
tab of the SOXDocument object type. If the file type that you want to add is:
v Displayed in the list - go to “Associating a File Type with an Object Type” on
page 194.
v Not displayed in the list - click Cancel and proceed with the instructions in this
section.
When you add a new file type to the application, it is automatically added to the
File Type Information selection list.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the SOXDocument object type.
3. On the File Types Information tab, click Add New.
4. On the add page:
a. In the MIME Type box, enter a MIME content type and subtype. For
example, image/cgm.
Chapter 9. Managing Object Types
193
b. In the File Extension box, type a file extension that corresponds to the
MIME Type. For example, cgm.
c. When finished, click Create.
5. To associate the new file type with the SOXDocument object type, see
“Associating a File Type with an Object Type.”
Associating a File Type with an Object Type
You can associate various file types with the SOXDocument object type. If you
have added a new file type, you will need to associate it with the object type
before it can be used.
Note: When you attach a file to an object, the file extension is case sensitive and
must match the extension specified in the File Types Information section of the
SOXDocument object type.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the SOXDocument object type.
3. On the File Types Information tab, click Include.
4. From the list on the Select File Type Information page:
a. Select the check box next to the name and MIME type you want to add. If
wanted, you can select multiple boxes.
b. When finished, scroll to the bottom of the page and click Add.
The newly associated file type is listed on the File Types Information tab of
the SOXDocument object type.
Removing a File Type From an Object Type
You can remove a file type from the SOXDocument object type if file type is not in
use. Removing a file type from an object type does not remove the file type from
the File Type Information selection list.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the SOXDocument object type.
3. On the File Types Information tab:
a. Select the check box next to the name and MIME type you want to remove.
b. Click Exclude.
c. At the prompt, click OK to remove the file type.
Results
The associated file type is removed from the list on the File Types Information tab
of the SOXDocument object type.
Configuring Large Files for Upload
By default, the IBM OpenPages GRC Platform has a maximum file upload size of
250 MB. If you have files larger than the 250-MB limit, you can optionally
configure the system to upload larger files.
194
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
In addition to file size, file uploads are constrained by a fixed 5-minute timeout
period on data transfer. For example, a large 2-GB file could timeout on a system
with a slow connection after transfer of only 1 GB or less of data.
Note: Files greater than 2 GB are not supported.
About this task
To configure a larger file size, you must edit the struts-config.xml in the WEB-INF
directory on all application servers in your environment.
Procedure
1. Log on to the application server as a user with administrative privileges.
2. Stop all services, including the OpenPages application and workflow services.
For details on starting services, see “Starting and Stopping OpenPages
Application Servers” on page 613.
3. Open a command or shell window and navigate to the WEB-INF directory as
follows.
v For Oracle WebLogic Server:
<OP_Home>\applications\op-apps\sosa\WEB-INF
v For IBM WebSphere Application Server:
<OP_Home>/profiles/OpenPagesDmgr/config/cells/OpenPagesCell/
applications/op-apps.ear/deployments/op-apps/sosa.war/WEB-INF
Where <OP_Home> represents the installation location of the IBM OpenPages
GRC Platform application.
By default, this is:
Windows - C:\OpenPages
AIX and Linux - /opt/OpenPages
4. Open the struts-config.xml file in a text editor of your choice and change the
following code in the file.
From this:
<controller
processorClass="com.openpages.apps.common.util.OPRequestProcessor"/>
To this:
<controller
processorClass="com.openpages.apps.common.util.OPRequestProcessor"
maxFileSize="n"/>
Where n represents the expected maximum size of an upload file. The size is
expressed as a number followed by a K (for kilobytes), M (for megabytes), or G
(for gigabytes). For example, 500M.
Note: The maximum upload size is 2G, the default size is 250M.
5. Save the file and exit the text editor.
6. Repeat Steps 1-5 on each application server.
7. Start all services, including the OpenPages application and workflow services.
For details on starting services, see “Starting and Stopping OpenPages
Application Servers” on page 613.
Chapter 9. Managing Object Types
195
Setting Up Custom Forms
Process Overview
The following table outlines the tasks you need to follow for setting up a new
custom form, such as a survey, for use by object types in the application.
Note: If you imported a custom form, such as a survey, through the
ObjectManager, then you only need to perform Task 6.
Table 34. Tasks for Adding Custom Forms
Task
Task Description
Related Topic
1
Create an object type for the custom
form.
See “Adding an Object Type for a
Custom Form” for step-by-step
instructions on how to create an object
type for a custom form.
2
Add a field group for the custom form
object fields.
See “Adding New Field Groups” on
page 149 for step-by-step instructions
on how to create one or more field
groups that will contain the fields for
the custom form.
3
Add one or more field definitions to
the new field group.
See “Adding Field Definitions to a
Field Group” on page 149 for
instructions on how to add new field
definitions to a new field group.
4
Add the new field group to the custom See “Including Field Groups for an
form object type.
Object Type” on page 186 for
information about how to add the new
field group to a custom form object
type so the fields can be available for
display.
5
Associate the custom form object type
with a parent object type.
See “Associating a Custom Form to an
Object Type” on page 197 for
information about how to associate a
child object type (custom form) with a
parent object type.
6
Include the new custom form object
type in a profile.
See “Including Object Types in a
Profile” on page 222 for information
about how to include the custom form
object type on an object’s view page.
7
(optional) If you want to run reports
against a custom object type, specify a
custom prefix for the real-time
reporting schema tables
See “Enabling Reporting for Custom
Forms” on page 350 for information
about adding a custom prefix.
Adding an Object Type for a Custom Form
If you want to add a custom form, such as a survey, to an object, you must first
create an object type for that custom form. Once the object type is created, you can
include field groups and associate parent objects to it.
Note: To perform these steps, System Administration Mode must be enabled in the
application interface (see “Enabling and Disabling System Admin Mode” on page
82).
196
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. On the Object Types tab, click Add.
3. On the add page, do the following:
a. In the Name box, type a name for the new object type.
The name must start with a letter, and can only contain letters, numbers,
and the underscore (_) character. The name is also used as the initial label
for the object type and cannot be modified after it is created.
Examples include:
RiskSurvey, survey1, Survey1_Risk
b. In the Description box, optionally type a description.
Note: Do not use characters defined in CJK Unified Ideographs
EXTENSION-B on Unicode in the description field of an object type.
c. In the JSP Path box, type the folder path and name of the .jsp file that will
be used by the object type to render the layout and presentation of the
object on the Web application page. The default path is
/propertyForm/renderProperties.jsp.
Note: The path of the JSP file is relative to the ...\openpagesdomain\
applications\sosa\ folder.
If you are using, for example, a custom JSP file, the folder and file name
might look similar to this: /Survey/MySurvey.jsp.
d. When finished, click Create.
The object type is created, and the Object Type detail page displays where
you can configure properties. For details see, “Configuring Object Type
Properties” on page 185.
4. If you want to run reports against this custom object type, you must configure
a custom prefix for the real-time reporting schema tables. For details, see
“Enabling Reporting for Custom Forms” on page 350.
Deleting a Custom Object Type
You can only delete custom object types that are not in use in the application.
Note: You must be in System Administration Mode (SAM) to perform this
operation (see Chapter 4, “Using System Admin Mode,” on page 81).
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, select the check box next to the object type you want to delete. If
wanted, you can select multiple boxes.
3. On the Object Types tab, click Delete.
4. At the confirmation prompt, click OK to delete the object type.
Associating a Custom Form to an Object Type
If you want a custom form or survey to be associated with a specific type of object,
you can add this object association from either the detail page of an object type or
the detail page of a custom form or survey.
Chapter 9. Managing Object Types
197
Note: You must be in System Administration Mode (SAM) to perform this
operation (see Chapter 4, “Using System Admin Mode,” on page 81).
From the Details Page of a Parent Object
You can only add child object associations to object types; you cannot add child
associations to custom form or survey object types from the details page of a
parent object.
Procedure
Access the Object Types page (see “Accessing Object Types” on page 185).
From the list, click the name of the object type you want to modify.
On the Child Associations tab, click Add.
On the Available Custom Forms page, select the check box next to each custom
form you want to associate with the selected parent object type.
5. When finished, click Add.
1.
2.
3.
4.
From the Details Page of a Custom Form Object
You can only add parent object associations to custom form or survey object types;
you cannot add new parent object associations to an object type from the details
page of a custom form object.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Parent Associations tab, click Add.
4. On the Available Object Types page, select the check box next to each parent
object to which you want to attach this object type.
5. When finished, click Add.
Managing Filters for an Object Type
Filters are specific to an object type and are typically used to narrow the scope of
data that will be returned in a particular view for that object type.
About this task
When you create a filter for an object type, you can select which fields to use to
search for data. Only the objects that match the specified search criteria will be
returned for that object type.
Filters are used with Filtered List Views, Grid Views, Activity Views, and the
Home page. An object type can have multiple filters.
The following table provides an overview of the flow of tasks for adding filters to
object types and views.
Table 35. Tasks for Configuring Filters and Views
198
Task
Task Description
Related Topic
1
Determine the purpose and
characteristics of the filter.
“Filter Considerations” on page 199
2
Add the filter to an object type.
“Filter Considerations” on page 199
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Filter Considerations
Before you create a new filter, you need to determine the characteristics of the filter
and identify the object type on which the new filter will be used. Planning your
changes ahead of time helps to minimize the necessary work and prevents
duplication of effort.
For instructions on creating a filter, see “Adding Filters to Object Types” on page
200.
The following list will help you identify some of the information you need to have
before you create a new filter:
v Object type - Which object type will the filter be used with?
v Name - How will the new filter be identified? The name of the filter is
important because it is also the initial label that will appear for the filter in the
application.
v Profiles - Which profile (or profiles) will be associated with the filter?
v Filtering criteria - Which fields should be used in the filter criteria to narrow the
scope of data returned by the search?
v Views - Which type of view page in a profile will use the filter (Grid View,
Filtered List View, Home page, Activity View)?
Example
Let’s say you create a filter for risk assessments called "In Progress" that displays
all risk assessments due within the next three months, and has the following
selected fields and values:
Field
Value
Status
In Progress
Start Date
On this date
End Date
In the next 90 days
If you associate this filter to a Filtered List View in the "Assessors" profile,
application users who are assigned the ‘Assessors’ profile would then be able to
select this filter from the Risk Assessment Filtered List View filter selection list and
from any Risk Assessment Grid View for that profile.
You could also create a personalized "My In-Progress Risk Assessments" filter for
use on the Home page from the "In Progress" filter. You would do this by making
a copy (see “Copying Filters” on page 205) of the "In Progress" filter, renaming it to
"My In-Progress Risk Assessments", and selecting "End User" as the ‘Assessor’.
When you configure the "My In-Progress Risk Assessments" filter for the Home
page, application users who were assigned the "Assessors" profile would only see
their assigned risk assessments that were due within the next 3 months on their
Home page.
Filters that contain unavailable fields
When a filter contains a field that is no longer available (for example, the field was
excluded from a profile), then when that filter is selected, the row with the
unavailable field is replaced by the default filter condition.
Chapter 9. Managing Object Types
199
To resolve this issue, edit the filter to remove the unavailable field.
Adding Filters to Object Types
Filters are specific to an object type and are typically used to narrow the scope of
data that will be returned in a particular view for that object type. When you
create a filter for an object type, you can select which fields to use to search for
data. Only the objects that match the specified search criteria will be returned for
that object type.
For up-to-date results of filters that include long string fields, the text index for the
long string field must have been synchronized with the values in the field.
Synchronization depends on when the index was created or the setting of
scheduled synchronization. For details on the index creation and synchronization
utilities provided for long string filtering, see “Utilities for Filtering on Long String
Field Content” on page 460.
Note: Text that you enter into text boxes is not case sensitive.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Filters tab of the selected object type, click the plus sign icon.
4. On the Add Filter page:
a. Click the Field arrow and select a key field from the list. Common fields are
listed at the top, followed by fields specific to the object type.
b. In the same row as the key field, specify a search condition. The available
search conditions change depending on the selected field. For example, for a
name field, the options are Starts with, Contains, and Equals, with a
following text box in which to enter a value.
Note: Text that you enter into text boxes is not case sensitive.
Table 36. Search Conditions
If a field has a...
You can do this...
Click to select a user from a phonebook. You
can also select multiple users.
Click to select a group from a hierarchical
tree structure. You can also select multiple
groups.
Click to search for a user or group.
End User link
Click to insert "End User" into the value.
The value "End User" will resolve to the
currently logged-on user. For details on the
currently logged in user, see “Filtering on
the Currently Logged On User” on page 204
Select Values link
Select from a list of values.
Text box for alphanumeric values
Select a search condition (such as Starts
with) and then enter a value.
or a text box for date ranges.
200
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Click the calendar icon to select specific
dates, or select a search condition (such as
Within the last) and then enter a value.
Table 36. Search Conditions (continued)
If a field has a...
You can do this...
Text box for numeric values (used in
computed fields)
Select a search condition (such as =) and
then enter a value.
Click the true or false.
Important: For limitations on the special characters in filters for long string
fields, see “Limitations on Using Special Characters in Filters for Long
String Fields.”
c. To add another row and key field on which to search, click the Add link
and repeat step 4.
By default, all the rows are connected (by their sequential number) with an
AND operator (for example 1 AND 2 AND 3). That is, all of the conditions
specified must be true.
For details on specifying more complex logic for your filters, see “Using
Complex Logic in a Search Filter” on page 203.
d. When finished, click Save.
5. To associated the filter with a view, see “Associating Filters With Views” on
page 204.
6. To create a duplicate filter using the new filter as a template, see “Copying
Filters” on page 205
7. To localize the display name of a filter, see “Modifying Display Text for Public
Filters” on page 283.
Limitations on Using Special Characters in Filters for Long
String Fields
When creating filters for long string fields, there are limitations on some special
characters and how they are used.
Do Not Use as First or Last Character
When you use a filter to search for text in long string fields, the following special
characters and symbols may not return the expected results if these characters are
the first or last character in the text to be searched:
v Characters in languages such as Chinese, Japanese and Thai
v Some three-byte Unicode characters and symbols such as:
Note: When searching for text containing these special characters, you must use
the Contains search condition in the filter.
For example, you want to search for text that has the phrase 'maximum € 120'. For
the selected text field, you would choose the Contains search condition, and in the
Text box, type the words: maximum € 120.
The search results would return the following: "The maximum € 120 is the upper
limit" because the special character appears in the middle of the text and not at
either the beginning or end.
Chapter 9. Managing Object Types
201
The search results would NOT include the following: "€ 120 is the maximum upper
limit" or "The maximum upper limit is 120 €" because the special character is the
first or last character in the text.
Do Not Use
Table 37. Special characters that are not supported in search filters
Special
Character
Description
&
Ampersand
@
At symbol on keyboard
*
Asterisk
!
Exclamation point or bang
\
Backward slash
/
Forward slash
^
Caret or circumflex
:
Colon
;
Semicolon
,
Comma
-
Dash
_
Underscore
>
Greater than sign
<
Less than sign
(
Opening parenthesis
)
Closing parenthesis
=
Equal sign
%
Percent sign
|
Pipe or vertical bar
+
Plus sign
#
Pound or number sign, hash symbol
?
Question mark
~
Tilde or equivalency sign
`
Grave accent
[
Opening bracket
]
Closing bracket
{
Opening brace
}
Closing brace
$
Dollar sign
¥
Yen sign
₩
Won sign
Yi syllable IT
Double vertical lines
202
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The following reserved words are not supported in the search filter and should not
be used:
ABOUT, ACCUM, AND, BT, BTG, BTI, BT, EQUIV, FUZZY, HASPATH, INPATH,
MDATA, MINUS, NEAR, NOT, NT, NTG, NTI, NTP, OR, PT, RT, SQE, SYN, TR,
TRSYN, TT, WITHIN
Note: Reserved words are not case-sensitive.
Using Complex Logic in a Search Filter
You can add complex logic to filters to help refine searches using logical operators
such as OR, NOT, and parentheses. By default, the system uses only the AND
operator to return results from a filtered search.
When you create a filter (see “Adding Filters to Object Types” on page 200) you
select object fields and define the search criteria for each selected field. These key
fields are then used by the system to search the database for objects that meet the
specified criteria.
Every key field that is selected in a filter is displayed in a row that is sequentially
numbered. This number of the row is its identifier. For example, the first key
search field is displayed in row number 1, the next key search field is in row
number 2, the next one in row number 3, and so forth. You use the row identifier
with a logical operator to create a complex logic search expression. Although row
identifiers are sequential, the identifier can appear in any order within the
expression.
Use the logical operators described in the following table to define filtered
searches. The operators are not case sensitive.
Table 38. Logical Operators for Complex Logic
Operator
Purpose
Example
AND
Narrow the search for objects that
meet all the search criteria. This is the
default operator used to return results
from a search filter.
1 AND 2 AND 3
OR
Broaden the search for objects that
meet one or the other key search
criteria.
1 OR 2 OR 3
NOT
Narrow the search for objects by
excluding the specified key search
criteria.
1 AND NOT 2
()
Group search criteria together to show 1 AND (2 OR 3)
the order in which the query should be
applied.
Procedure
1. In a Filter window (adding or editing a filter), click Use Complex Logic.
2. In the Logic text box, modify the search expression as wanted using the logical
operators. To close the Logic text box and revert to the default search logic,
click Clear Complex Logic.
3. When finished, click Save or select from Actions menu.
Chapter 9. Managing Object Types
203
Examples
v Let's say you have 3 search fields defined in your filter. By default, the system
uses only the AND operator so it would retrieve objects that only matched all 3
fields (1 AND 2 AND 3). If, however, you wanted to broaden the search so it
included field 1 and either fields 2 or 3, use the OR operator to modify the search
to retrieve all objects that matched field 1 and matched either fields 2 or 3.
To do this, create the logical expression: 1 AND (2 OR 3).
v Let's say you want to find open Issue objects that are not assigned to you. To
create such a filter, you would select the "Issue Status" field and choose the
"Open" value (this is field 1). Then select the "Assignee" field and choose your
name from the Select the user window or click the End User link (this is field
2).
To exclude your name from the search results, in the Logic text box, you would
type 1 AND NOT 2.
Note: The NOT operator does not return objects that have an empty, blank, or
null value in the selected field criteria. This means that any unassigned Issue
objects (that is, the "Assignee" field was empty or blank), would be excluded
from the search results.
Associating Filters With Views
Once you create a filter for an object type, you can associate it to a profile and an
object view.
Table 39. Associating Filters
If you want to do this...
Then, go here for details...
Display the filter for selection by application “Associating Filters to Filtered List View and
users in the filters list under ‘Public filters’
Grid View Pages” on page 251
on a Filtered List View page for an object
type.
Use the filter to personalize the Home page
for users who are assigned a particular
profile.
“Configuring Filtered Lists on the My Work
Tab” on page 233
Use the filter in an Activity View page to
limit the scope of listed child objects.
“The Layout of Activity Views” on page 257
or “Modifying an Activity View” on page
260
Use the filter in a Grid View page to limit
the scope of listed child objects.
“Creating a Grid View” on page 252
Filtering on the Currently Logged On User
You can create a filter that scopes the search to the currently logged on user for
specific object type fields, such as "Process Owner" or "Control Owner".
Procedure
Complete one of the following actions:
v Change the display type of the field from "Text" to one of the following display
type options:
– User Selector
– User Dropdown
– User/Group Selector
204
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
– Group Selector
and then click the End User link. The value "End User" that is displayed in
the box will resolve to the currently logged-on user. For details on modifying
a display type for a field, see “Selecting a Display Type for Simple String
Fields” on page 267.
– Multi User Selector
– Multi Group Selector
– Multi User/Group Selector
v Type the following code into the text box of the object-specific field:
##{logged in user}##
Copying Filters
You can save an existing filter with a new name to use as a template. Once the
new filter is created, change the search criteria to suit your needs.
Note: Because filters contain object-specific fields, you can only copy filters within
the same Object type; you cannot copy filters between Object types.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the Object type you want to modify.
3. On the Filters tab, click the filter you want to copy. The Edit window opens for
the filter.
4. Select Save as from the Actions menu to copy the settings of the selected filter
to a new filter.
5. In the Save As window:
a. Type a unique name (required) and optional description for the new filter.
b. Click Apply.
Results
The new filter is now available in the Filters tab for any changes you want to
make. For instructions on specifying filters and using complex logic in filters, see
“Adding Filters to Object Types” on page 200 and “Using Complex Logic in a
Search Filter” on page 203.
To display the new filter in the list of ‘Saved Filters’ on an object’s Filtered List
View page, add it to a profile. For details, see “Associating Filters to Filtered List
View and Grid View Pages” on page 251.
Modifying Filters
Once you create a filter, you can modify it as necessary. The modifications, once
saved, are immediately effected in the application.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the Object type you want to modify.
3. On the Filters tab, click the filter you want to edit. The Edit window opens for
the filter.
Chapter 9. Managing Object Types
205
4. In the Edit window, make the required changes.
5. When finished, click Save.
6. To modify a localized display name of a filter, see “Modifying Display Text for
Public Filters” on page 283.
Results
For instructions on specifying filters and using complex logic in filters, see
“Adding Filters to Object Types” on page 200 and “Using Complex Logic in a
Search Filter” on page 203.
To display the filter in the list of ‘Saved Filters’ on an object’s Filtered List View
page, add it to a profile. For details, see “Associating Filters to Filtered List View
and Grid View Pages” on page 251.
Deleting Filters
When you delete a filter for an Object type, it is permanently deleted from the
system and cannot be restored.
If the filter is associated to one or more object views in a profile (such as a Filtered
List View, Grid View, or table on the My Work tab of a Home page), the filter,
when deleted, is immediately removed from the view and is no longer available to
users who are assigned that profile.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Filters tab, select the check box next to the filter or filters you want to
delete.
4. Click Delete.
5. At the prompt, click OK to delete the all the checked filters.
Configuring Dependent Field Behavior
You can configure a field so that its behavior - Visible, Editable, or Required - is
dependent upon some value selected by a user in another field or set of fields.
The dynamic behavior of dependent fields can be used to help guide users during
the creation or editing of an object.
Attention: If you configure a field to be required, it is still required even if it is not
visible. This ability is for cases where the hidden field is updated by a separate
activity, but the field is still required.
Related concepts:
“Limit activity views with field dependencies and dependent picklists” on page
782
In dependent picklists, the more fields in the picklist, the more javascript is
required to display the object to users.
206
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Example
Let’s say you want to know who will perform a control activity if a user selects
‘No’ to the question ‘Does the Control Owner perform the Control?’.
You could configure the behavior of the field ‘Who Performs the Control?’ to be
dynamic so that the field is both visible and required only if the user selects ‘No’
to the question ‘Does the Control Owner perform the Control?’. If the user selects
‘Yes’, then the ‘Who Performs the Control?’ field would remain hidden from the
user.
The ‘Who Performs the Control?’ field is considered the dependent field as the
behaviors of this field (Required and Visible) depend on the value (No) selected in
the controller field, ‘Does the Control Owner perform the Control?’.
Adding Dependent Fields
A dependent field can have multiple behaviors and multiple controlling fields.
When you add a dependent field, you first configure the field and a behavior, and
then select the field and value (or values) that will control that behavior.
If you want a dependent field to have multiple behaviors, such as Required and
Visible, you must configure the field separately for each behavior. Only behaviors
that have not been previously selected for that dependent field are available for
selection.
If you have multiple controlling fields for a specific behavior, you can configure
whether one or all conditions must be met before the behavior of the dependent
field is triggered.
Note:
v Dependent fields cannot include System Fields.
v Dependent field behavior is not supported for custom forms.
v Controller fields must be enumerated string lists (single or multi-selectable) or
Actor fields (User Selector, Group Selector, User/Group Selector, Multi User
Selector, Multi Group Selector, or Multi User/Group Selector). If you configure a
controller field with multiple values that are combined with an AND, all
controller values or criteria must match. If you configure a controller field with
multiple values that are combined with an OR, only one of the controller values
or criteria must match. When the values or criteria match, the dependent field
behavior is triggered.
v Computed fields and report fragment fields can only have a behavior of
‘Visible’.
Procedure
1.
2.
3.
4.
Access the Object Types page (see “Accessing Object Types” on page 185).
From the list, click the name of the object type you want to modify.
On the Field Dependencies tab, click Add.
On the Select Dependent Field page:
a. Click the Select Dependent Field arrow and choose a field from the list.
b. In Dependent Field Behavior, select one of the following behaviors:
Chapter 9. Managing Object Types
207
Select this value
If you want to
Required
Require the user to enter a value in the dependent field only
if the controlling field is selected. If the user tries to save the
page without entering a required value, a message is
displayed saying the field is required.
Attention: If you configure a field to be required, it is still
required even if it is not visible. This ability is for cases
where the hidden field is updated by a separate activity, but
the field is still required.
Editable
Enable the user to modify this dependent field only if the
controlling field is selected. Otherwise, the dependent field
will be read only.
Visible
Display the dependent field to the user only if the
controlling field is selected. Otherwise, the dependent field
will be hidden from view.
c. When finished, click Next.
5. On the Select Controller(s) page:
a. Click the Controlling Field arrow and choose a field from the list.
In the Controlling Values box, select one or more values from the list.
Note: To select multiple values from the list, press and hold the Ctrl key
while clicking the mouse pointer.
b. When finished, click Add.
c. To select another controller field from the list, repeat Steps a - c.
d. If you have multiple controller fields, click the Operator arrow and choose
one of the following logical operator values:
Select this value...
If you want...
And
all the selected controller fields to be used to
meet the condition.
This is the default operator value.
Or
only one (either/or) of the selected
controllers to be used to meet the condition.
e. When finished, click Finish to save your changes.
6. To create additional dependent fields:
If you want to...
And the Controllers
are...
Add another behavior the same as those
to the same
selected in Step 4
dependent field
Note: Only behaviors that have not been
previously selected for this dependent field
are available.
- OR -
Do one of the following:
Create another
(different) dependent
field
208
Then...
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Copy the controller conditions to the new
dependent field (see “Copying Controller
Conditions” on page 209)
v Repeat Steps 3 and 4
If you want to...
And the Controllers
are...
Add another behavior different from those
to the same
selected in Step 4
dependent field
Then...
Repeat Steps 3 and 4
- OR Create another
(different) dependent
field
The newly created dependent fields are listed on the Field Dependencies tab.
Copying Controller Conditions
If you have many field dependencies that use the same controller conditions, you
can use the ‘Copy Controllers to’ function to quickly duplicate existing controller
conditions to the same or different dependent fields within the same object type.
This method will save you time as it is generally faster and easier than
individually adding multiple dependent fields that all have the same controller
fields.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Field Dependencies tab:
a. Select the check box next to the controller field you want to copy.
b. Click the Copy Controllers to button.
4. In the Dependent Field pane of the controller (or controllers) you want to copy,
select one or more behaviors for each dependent field.
5. When finished, click Create.
The newly created dependent fields with the copied controllers are listed on the
Field Dependencies tab.
Modifying Controllers for a Dependent Field
After you create a dependent field, you can add, remove, or modify the fields that
control the behavior of the dependent field.
In the case of multiple controllers, you can also change the operator that
determines whether one or all the controller conditions must be met before the
dependent field behavior is triggered.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Field Dependencies tab:
a. Select the check box next to the dependent field you want to modify.
b. Click Edit.
4. To modify the values of an existing controller field:
Chapter 9. Managing Object Types
209
Click Edit under the Actions column.
In the Edit Controller box, modify the selected values as necessary.
When finished, click Save.
add another controller:
In the Add Controller pane, click the Controlling Field arrow and select a
field from the list.
b. In the Controlling Values box, select one or more values from the list.
c. Click Add.
a.
b.
c.
5. To
a.
6. To remove a controller:
a. Select the check box next to the controller field you want to remove.
Note: To select all the controllers for removal, select the check box next to
the Controlling Field column heading.
b. When finished, click Delete.
7. To change the operator when there are multiple controllers, click the Operator
arrow and select a value from the list.
8. When finished, click Save.
Enabling and Disabling Field Dependency Behavior
Dependent fields can be enabled or disabled. By default, dependent fields are
enabled when created.
When a dependent field is disabled, the following occurs:
v The dependent field remains in the list on the Field Dependencies tab, and the
value in the Enabled column changes from ‘true’ to ‘false’.
v The application does not enforce the conditions that control the behavior of the
dependent field.
If you select multiple dependent fields to enable or disable, the application
switches the values accordingly. For example, if you select two dependent fields the first field is enabled with a value of ‘true’ and the second field is disabled with
a value of ‘false’ - the value of the first dependent field would switch to ‘false’
making it disabled, and the second would switch to ‘true’ making it enabled.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Field Dependencies tab:
a. Select the check box next to the dependent field you want to enable or
disable. If wanted, you can select multiple boxes.
b. When finished, click Enable/Disable.
The value in the Enabled column on the Field Dependencies tab for the
selected dependent field changes as follows:
v If disabled, the value changes from ‘true’ to ‘false’
v If enabled, the value changes from ‘false’ to ‘true’
Deleting Dependent Fields
You can delete a dependent field.
210
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
When you delete a dependent field, it is permanently removed from the list on the
Field Dependencies tab, and all corresponding records for the dependency are
deleted and cannot be restored.
Important: If a dependent field is also used as a controller in other dependencies,
you must first remove the dependencies on that field before deleting it.
If you want to keep a dependent field but do not want its behavior, you can
disable it instead. For details, see “Enabling and Disabling Field Dependency
Behavior” on page 210.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Field Dependencies tab:
a. Select the check box next to the dependent field you want to delete. If
wanted, you can select multiple boxes.
b. When finished, click Delete.
c. If prompted, click OK.
The selected dependent field is removed from the list on the Field
Dependencies tab.
Configuring Dependent Picklists
You can configure a list of items (drop-down or list box) so that the items in the
list are filtered based upon some value selected by a user in another list.
The filtering of lists can be used to help guide users in the selection of relevant
values from lists during the creation or editing of an object.
Related tasks:
“Set a minimal starting group for display types” on page 785
IBM OpenPages administrators can change the starting groups for display types to
minimize the number of users that are initially displayed.
Example
Let’s say that both the ‘Category’ and ‘Subcategory’ fields of a Risk object
(SOXRisk) have many items in their respective lists from which a user can choose,
and you want only the values of ‘Theft and Fraud’ and ‘Security Systems’ to be
displayed in the Subcategory list when a user selects ‘External Fraud’ from the
Category list.
To filter the list, you would map the ‘Subcategory’ values of ‘Theft and Fraud’ and
‘Security Systems’ to the ‘Category’ value of ‘External Fraud’.
The ‘Subcategory’ field with its selected values is considered the dependent picklist
as the behavior of this list depends upon the value selected in the ‘Category’ field
or controller picklist.
Adding Dependent Picklists
When you create a dependent picklist, you map one or more dependent field list
values to one or more controlling field list values.
Chapter 9. Managing Object Types
211
Note: Dependent picklist behavior is not supported for custom forms.
Figure 9 shows a partial Picklist Mapping grid for the ‘Category’ and ‘Subcategory’
drop-down lists - both are Risk object (SOXRisk) type fields.
Each column represents a value in the controlling picklist (‘Category’ in this
example), and each row represents a value in the dependent picklist (‘Subcategory’
in this example).
In Figure 9, the ‘Subcategory’ values of ‘Unauthorised Activity’ and ‘Theft and
Fraud’ are selected for the ‘Internal Fraud’ value, and ‘Theft and Fraud’ and
‘System Security’ are selected for the ‘External Fraud’ value. If a user selects
‘Internal Fraud’ as the category, only the ‘Unauthorised Activity’ and ‘Theft and
Fraud’ values will be displayed on the Subcategory list. Similarly, if a user selects
‘External Fraud’ as the ‘Category’, only the ‘Theft and Fraud’ and ‘Systems
Security’ values will be displayed on the Subcategory list.
Figure 9. Sample Picklist Mapping Grid
Procedure
1.
2.
3.
4.
Access the Object Types page (see “Accessing Object Types” on page 185).
From the list, click the name of the object type you want to modify.
On the Dependent Picklists tab, click Add.
On the Add Dependent Picklist page:
a. Click the Select Controlling Picklist arrow and choose a controlling field
from the list.
b. Click the Select Dependent Picklist arrow and choose a dependent field
from the list.
5. On the Picklist Mapping page, for each controlling value in a column heading
for which you want to create a filtered list, select one or more dependent field
values in the corresponding column row.
Note: To select or clear a value from a row, click the name of the value.
6. When finished, click Finish to save your changes.
The newly created dependent picklists are listed on the Dependent Picklists
tab.
212
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Modifying Picklist Dependency Behavior
After you create a dependent picklist, you can modify the values that are
displayed in the dependent picklist.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Dependent Picklists tab:
a. Select the check box next to the dependent picklist you want to modify.
b. Click Edit.
4. To modify the values that are displayed in a dependent picklist by a controlling
value:
a. Navigate to the column heading with the controlling value.
b. Click a value in the column row to either select or clear a value.
5. When finished, click Save.
Enabling and Disabling Picklist Dependency
Dependent picklists can be enabled or disabled. By default, dependent picklists are
enabled when created.
When a dependent picklist is disabled, the following occurs:
v The dependent picklist remains in the list on the Field Dependencies tab, and
the value in the Enabled column changes from ‘true’ to ‘false’.
v The application does not enforce the conditions that control the behavior of the
dependent picklist.
If you select multiple dependent picklists to enable or disable, the application
switches the values accordingly. For example, if you select two dependent picklists
- the first picklist is enabled with a value of ‘true’ and the second picklist is
disabled with a value of ‘false’ - the value of the first dependent picklist would
switch to ‘false’ making it disabled, and the second would switch to ‘true’ making
it enabled.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Dependent Picklists tab:
a. Select the check box next to the dependent picklist you want to enable or
disable.
b. When finished, click Enable/Disable.
The value in the Enabled column on the Dependent Picklists table changes
as follows for the selected dependent picklist:
v If disabled, the value changes from ‘true’ to ‘false’
v If enabled, the value changes from ‘false’ to ‘true’
Deleting a Dependent Picklist
You can delete a dependent picklist.
Chapter 9. Managing Object Types
213
When you delete a dependent picklist, it is permanently removed from the list on
the Dependent Picklists tab and cannot be restored.
Note: If you want to keep a dependent picklist but do not want its behavior, you
can disable it instead. For details, see “Enabling and Disabling Picklist
Dependency” on page 213.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Dependent Picklists tab:
a. Select the check box next to the dependent picklist you want to delete. If
wanted, you can select multiple boxes.
b. When finished, click Delete.
c. If prompted, click OK.
The selected dependent picklist is removed from the list on the Dependent
Picklists tab.
Excluding Fields from a Subsystem
The IBM OpenPages product contains multiple subsystems or components that
comprise a larger software system.
These subsystems (for example, Workflow and Reporting Framework), typically
use field definitions. In some situations, a field that is applicable to one subsystem
may not be applicable to another.
For example, you want to streamline the number of fields that are used for
generating Test (SOXTest) object reports. You are not required, for example, to
produce a report on ‘Testing Steps’ a field that is part of the Text object. You could
exclude the ‘Testing Steps’ field from the Reporting Framework subsystem. When
you regenerate the reporting framework, the Framework Generator will ignore the
‘Testing Steps’ field and will be excluded from the generated framework.
Adding Fields for Exclusion
When you exclude a field from a subsystem, the subsystem ignores the excluded
field.
If fields are excluded from this
subsystem...
Reporting Framework
214
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Then...
Any reports (existing or future) that
reference these fields will fail unless the
excluded field is also removed from the
report.
If fields are excluded from this
subsystem...
Workflow
Then...
Existing job type templates that reference
these fields will continue to work as is (the
excluded field will continued to be present
in the UDA map).
To remove the excluded field from a job
type template, you need to refresh the UDA
map as follows:
v Open the existing job type in edit mode.
v Click Save. This will result in an
automatic refresh of the UDA map.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Field Exclusions tab for the selected object type, click Exclude.
4. On the Exclude Fields page:
a. In the Select Field box, select one or more fields from the list. The fields
you select will be excluded from the subsystem.
Note: To select multiple values from the list, press and hold the Ctrl key
while clicking the mouse pointer.
b. In the Select Subsystem box, select one or more subsystems from the list.
5. When finished, click Exclude.
The newly excluded fields are listed on the Field Exclusions tab.
6. To exclude fields from a different object type, repeat Steps 1 - 4.
7. If you excluded fields from the Reporting Framework subsystem, update the
reporting framework to propagate the changes to Cognos For details, see
“Updating the Reporting Framework” on page 89.
Changing the Subsystem for an Excluded Field
If wanted, you can change the subsystem for individual fields that have been
excluded from a subsystem.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. Select the name of the object type you want to modify.
3. On the Field Exclusions tab:
a. Select the check box next to the excluded field you want to modify.
b. Click Edit.
4. In the Select Subsystem box, modify the subsystem as wanted.
5. When finished, click Save.
Deleting Excluded Fields
You can delete an excluded field.
Chapter 9. Managing Object Types
215
When you delete an excluded field, it is permanently removed from the list on the
Field Exclusions tab and cannot be restored.
Procedure
1. Access the Object Types page (see “Accessing Object Types” on page 185).
2. From the list, click the name of the object type you want to modify.
3. On the Field Exclusions tab:
a. Select the check box next to the excluded field you want to delete. If
wanted, you can select multiple boxes.
b. When finished, click Delete.
c. If prompted, click OK.
The selected excluded field is removed from the list on the Field Exclusions
tab.
4. If you deleted fields that were excluded from the Reporting Framework
subsystem, update the reporting framework to propagate the changes to
Cognos. For details, see “Updating the Reporting Framework” on page 89.
216
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 10. Managing Profiles
About Profiles
Profiles provide end users with a localized view of information that is directly
related to their responsibilities.
You can use profiles to configure the use of objects, custom forms, fields, and
object views throughout the IBM OpenPages application. When you change a
setting in a profile, the change is dynamic and the effect of the change is
immediate.
You can restrict individual users to view a specific set of object types and the fields
in each object that are visible to them. If an object type is absent from a profile,
that object type is hidden from users of that profile.
You create new profiles by cloning them from existing profiles, then modifying the
new profile as desired. OpenPages supplies a standard profile, called ‘Default’, that
you can use as a template for creating other profiles. The profiles that you create
and assign to users are standalone, that is, there is no inheritance from one profile
to any other profile, including the ‘Default’ profile.
Each user can have one and only one profile actively in use for a given logon
session. You can change a user’s profile during that user’s logon session.
You can also designate any profile as the:
v Default profile (see “About the Default Profile” on page 219)
v Fallback profile (see “About the Fallback Profile” on page 219)
Important:
v If you assign a user to a different profile, the change becomes effective
immediately with no action required on the part of the user.
v You should not create or edit profiles while the Framework Model is being
generated.
You can associate available objects with any profile and disassociate them later.
However, each profile contains a group of required objects that you cannot
disassociate from the profile. The following table lists these required object types.
Table 40. Required Object Types
Object Type
Label
SOXBusEntity
Business Entity
SOXSignature
Signature
SOXDocument
File
SOXExternalDocument
Link (this is an external URL link)
217
Accessing Profiles
From the detail page of a profile, you can modify profile information, associate
users, groups, and reports, access the detail page of an object type where you can
configure views and the display order of fields for the selected object type, and so
forth.
Note: To access the Profiles menu item, you must have the Profiles application
permission set on your account (for details, see “Configuring Application
Permissions” on page 21).
Procedure
1. Log on to the IBM OpenPages application as a user with the Profiles
application permission set.
2. From the menu bar, select Administration and click Profiles.
3. To display the detail page of a profile, click the name of the profile you want
from the list.
Creating and Managing Profiles
This section describes how to work with profiles.
Creating a New Profile
You can create a new profile based on any existing profile, including the
OpenPages supplied ‘Default’ profile.
After you create the new profile you can modify it the same way you modify
existing profiles.
Procedure
1. Access the Profiles page (see “Accessing Profiles”).
2. On the Profiles table, click Add.
3. On the Add Profile page:
a. In the Name box, type a name for the new profile.
b. In the Description box, optionally type a brief description of this new
profile.
4. Click the Based on Profile arrow and select the profile that you want to use as
a template for the new profile.
5. If you want the new profile to be the Default Profile, select the Default box
(see “About the Default Profile” on page 219).
Important: Creating a new Default Profile may affect the way in which the
IBM OpenPages application handles objects and profiles.
6. If you want the new profile to be the Fallback Profile, select the Fallback box
(see “About the Fallback Profile” on page 219).
7. Click Create to create the new profile.
8. To configure the profile, do any of the following:
218
If you want to do this...
Then see this topic for details...
associate users
“Setting Up Users or Groups with a Profile”
on page 221
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
If you want to do this...
Then see this topic for details...
configure object types
“Configuring Object Types in Profiles” on
page 222
set up a Home page
“Home Page” on page 227
configure views for an object type
“Views for objects” on page 238
Designating a Default or Fallback Profile
The IBM OpenPages application uses the Default Profile as the initial profile
attribute setting unless a profile is already set for the user being edited.
About the Default Profile
There can only be one profile designated as the Default profile, and you can
designate any profile as the Default profile.
Any previously designated profile loses this default designation when another
profile is selected as the Default profile.
When you create new users and add new (clone) profiles, the Default profile serves
as the profile that will be used if no other profile is selected. If no profile is
specifically designated as the Default profile, the supplied OpenPages ‘Default’
profile is used.
Note: In an application upgrade, the Default profile includes all the object
properties of the previous version of the application. All profiles are standalone;
there is no inheritance from the Default profile.
About the Fallback Profile
You can designate any profile as the Fallback profile.
The Fallback profile allows a user who is either not associated with any profile, or
whose profile has been disabled or deleted, to log on to the IBM OpenPages
application. If no Fallback profile is defined, these users cannot log on.
The Fallback profile is optional. There can only be one Fallback profile. If you
choose to designate a profile as the Fallback profile, the existing Fallback profile (if
there is one) loses this designation.
Setting a Default or Fallback Profile
You can set a default or fallback profile.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Profile Information table, click Edit.
4. On the Edit Profile page:
a. Select one of the following options:
v Default - to make this profile the Default profile
v Fallback - to make this profile the Fallback profile
b. Optionally, enter or change the description of the profile.
c. When finished, click Save.
Chapter 10. Managing Profiles
219
Editing a Profile
You can modify the description of a profile or designate the profile as the Default
Profile or Fallback profile.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Profile Information table, click Edit.
4. Make your edits.
5. When finished, click Save.
Deleting a Profile
You can delete a profile.
Important: If you delete a profile it immediately disappears from the system and
is not available to either currently logged in users or to users who subsequently
log in. You cannot retrieve it. If you are not sure if you will need the profile again,
disable it instead. See also “About the Fallback Profile” on page 219.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. Select the box next to each profile you want to delete.
3. On the Profiles table, click Delete.
4. At the confirmation prompt, click OK to delete the profile.
Disabling or Enabling a Profile
Disabling a Profile
You can disable a profile.
When you disable a profile:
v The profile remains in the system (it is not deleted), and the status of the profile
changes from ‘Active’ to ‘Inactive’.
v It immediately becomes unavailable to users who are assigned that profile either currently logged on users or to users who subsequently log on.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Profile Information table, click Disable.
The Disable button changes to Enable.
Enabling a Profile
You can enable a profile.
When you enable a profile:
v The status of the profile changes from ‘Inactive’ to ‘Active’.
220
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v It immediately becomes available to users who are assigned that profile - either
currently logged on users or to users who subsequently log on.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Profile Information table, click Enable.
The Enable button changes to Disable.
Setting Up Users or Groups with a Profile
A specific profile can be associated with one or more users or groups.
However, a user can be associated with zero or one profile. When you associate a
profile with a user, the object types in that profile are available to that user.
Additionally, you can select the fields within each object type that users of this
profile can view.
Associating Users and Groups to a Profile
You can associate users and groups with a profile.
Table 41. Associating Users and Groups
If you select a...
Then this occurs...
user who has no profile
the currently selected profile is assigned to that user.
user who already has a profile
assigned
the former profile setting is overwritten with the new
setting when you associate the user to the selected
profile.
group
all the members of that group are selected and each
member is individually assigned the selected profile
and listed on the Associated Users tab.
Procedure
1.
Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Associated Users table, click Associate.
4. In the Associate users/groups with profile box:
a. Select the users or user groups you want to associate with the profile. You
can view individual users within a group by clicking the + box to the left of
the group.
b. When finished, click Associate.
Disassociating Users or Groups from a Profile
When you disassociate a user from a profile, that profile becomes immediately
unavailable to that user.
If no Fallback profile has been assigned to the user, the user will not be able to log
on to the application.
Chapter 10. Managing Profiles
221
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Associated Users table listing:
a. Select the box next to each user you want to disassociate from this profile.
b. Click Disassociate.
c. At the prompt, click OK.
Configuring Object Types in Profiles
You can include or exclude certain object types from individual profiles.
When you exclude an object type from a profile, it is not visible to any user
associated with that profile. There is no provision for including or excluding an
object type from all profiles simultaneously.
Note: Certain object types are required. You get an error message if you try to
exclude them.
Including Object Types in a Profile
When you include an object type in a profile, that object type is immediately
visible to users who are assigned the selected profile.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Object Types table, click Include.
4. On the Available Object Types page:
a. Select the box next to each object type you want to include in this profile.
b. When finished, click Include.
5. To configure views for an object type, see “Views for objects” on page 238.
Results
The selected object types appear on the list of object types.
Excluding Object Types From a Profile
When you exclude an object type from a profile, that object type is removed from
the views in which it is used and is no longer available to users who are assigned
that profile.
Procedure
1.
Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table:
a. Select the box next to each object type that you want to exclude from the
profile.
b. Click Exclude.
c. At the prompt, click OK to remove the object type from view.
222
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Results
The selected object type is removed from the list of object types for this profile.
The IBM OpenPages application stores an excluded object, along with any
associated data, in the repository. You can view it through reports.
Configuring Fields for Object Types
The availability of a field for configuration within any view depends on whether
or not that field is included or excluded in the object type for that profile.
Including and Excluding Fields in an Object Type
Including or excluding fields for object types in one profile does not affect
object-type fields in other profiles.
Including Fields in an Object Type
Including object fields for an object type in a profile makes those object fields
available for selection within the various views.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type whose
fields you want to modify (for example, SOXIssue).
4. On the Object Fields table, click Include.
5. On the Available Object Fields page:
a. Select the box next to the name of each object field you want to include.
b. When finished, click Include.
The included object field now appears in the list of available fields for this
object type in this profile.
6. If wanted, configure the object field in a view. Depending on the view, see
either “Configuring Views for Objects” on page 248 or “Configuring Fields in
Detail and Activity Views” on page 261.
Excluding Fields From an Object Type
Excluding an object field from an object type in a profile immediately removes that
object field from the views in which it is used, and that field is no longer available
for configuration in a view or to users who are assigned that profile.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type whose
fields you want to modify (for example, SOXIssue).
4. From the Object Fields table:
a. Select the box next to the name of each object field you want to exclude.
b. Click Exclude.
c. At the confirmation prompt, click OK to remove the fields from the selected
object type.
Chapter 10. Managing Profiles
223
Results
The excluded object fields are now absent from the list of available fields for this
object type in this profile.
Setting the Global Display Order of Object Types
With the exception of the Business Entity object type, you can modify the order in
which object types are globally displayed in a profile.
When you change the number of the list order of an object type, the system
dynamically updates all the object types (except Business Entity).
Example
Let’s suppose that the current display order for the following object types is:
Business Entity 1, Process 2, Sub-Process 3, and Account 4.
However, you want to globally display Account (instead of Process and
Sub-Process) after Business Entity, you could set the order number of Account to 2.
When you click ‘Update Order’, the system automatically re-orders the Process
number to 3 and Sub-Process to 4.
Now, wherever these object types are found together in the application, they
would appear in the following order: Business Entity 1, Account 2, Process 3, and
Sub-Process 4.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table:
a. In the box under the Order column, change the order value of the object
types as wanted.
Note: The maximum value allowed in the Order field is 999.
b. When finished, click Update Order.
The object types in this profile now appear in the new order.
Setting a Field in a Profile to Required or Optional
You can set a specific field to required or optional for a particular profile and
object type by following the instructions in this section.
Setting a field to required in a profile affects only the users who are assigned that
profile.
Note: If a field is not listed in the Object Fields table, you must include it before
you can modify it (see “Including Fields in an Object Type” on page 223).
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. In the Object Types table for the selected profile, click the name of the object
type that has the field you want to modify.
224
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
4. In the Object Fields table, click the name of the field you want to modify (for
example, ‘Description’).
5. On the Object Field Information table for the selected field, click Edit.
6. In the Required box on the edit page, do one the following:
v Select the box if you want the field to be required.
v Clear the box if you want the field to be optional.
7. When finished, click Save.
Chapter 10. Managing Profiles
225
226
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 11. Managing the Home Page and Views for Objects
You can manage the display of the Home page, which is the initial page for your
users, and the views for each object type that is included in a profile.
Home Page
The Home page is the initial page that users see when they log on to the IBM
OpenPages application.
The Home page supports a tabbed interface for displaying selected reports and
information. For each profile, you can configure one or more tabs to personalize
the information on the page for users who are assigned that profile.
Typically, the number and types of tabs you configure on a Home page will vary
by profile and depends on the business needs of users. If the number of tabs on a
Home page extend beyond the size of the current browser window, right and left
arrows are automatically displayed so users can scroll horizontally through the
tabs.
Except for the My Work tab, a tab on a Home page displays the name of the
configured report.
The type of tabs that can be configured on the Home page include:
v Cognos reports
v Cognos Workspace reports
v JSP Reports
v The My Work tab, a default Home page tab provided by IBM OpenPages , Inc.,
that contains configured panes (sections of a page) for predefined lists, filtered
lists, and embedded reports.
You can control the order in which tabs (including the My Work tab) are displayed
on the Home page.
For example, a ‘Testers’ profile might have the following tabs configured: ‘My Tests
- Performer’ (report) as tab 1, the My Work tab as tab 2, ‘Test Notifications’ (report)
as tab 3, and the ‘FCM Dashboard’ (report) as tab 4.
Additionally, you can hide, show, add, or delete tabs from the Home page quickly
and easily without interruption to users who are assigned that particular profile.
Note:
v In a first-time installation, by default, the My Work tab is enabled.
v A report (or report fragment) that is embedded in a tab on the Home page
executes when a user:
– First clicks the tab containing the report
– Navigates away from the Home page to other menus and then returns to that
report tab on the Home page
– Logs off and then logs on to the application again
227
v Switching between multiple tabs on the Home page and then returning to the
original report tab does not rerun the report. To refresh report data, you must
click the Refresh button on the report tab.
v If the My Work tab is empty of content (no panes are configured) but other tabs
are configured for display on the Home page, then a message, similar to the
following, is displayed on the My Work tab to users who are assigned that
profile:
OP-50544: There is no information configured for display on this Home
page tab. Please contact your System Administrator.
v If the My Work tab is empty of content (no panes are configured) and no other
tabs are configured for display on the Home page, then a message, similar to the
following, is displayed on the Home page to users who are assigned that profile:
OP-50536: There is no information configured for display on your home
page. Please contact your System Administrator.
The Layout of Tabs on a Home Page
The number of tabs displayed on a Home Page for a given profile has no set limit
and will vary according to your users business needs.
Figure 10 shows the basic layout of tabs on a Home page.
Figure 10. Layout of Tabs on a Home Page
Table 42 contains a key to the above illustration with a brief description of the
various Home page elements.
Table 42. Description of Home Page Elements
228
Key
Description
1
Left horizontal scroll arrow. If the number of tabs that are
configured for a Home page do not fit in the browser window, an
arrow is automatically displayed so users can scroll horizontally
through the tabs.
2
Active tab. When multiple tabs are configured, only the currently
selected tab is highlighted and becomes the active tab.
3
Refresh button. When clicked, refreshes the data on the selected
tab.
4
Inactive tabs. Except for the My Work tab, a tab typically displays
the name of the configured report or dashboard.
5
‘n’ represents a number. There is no limit to the number of tabs
that can be configured on a Home page.
6
Right horizontal scroll arrow. If the number of tabs that are
configured for a Home page do not fit in the browser window, an
arrow is automatically displayed so users can scroll horizontally
through the tabs.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Guidelines for Selecting Reports to Run in Tabs
To avoid performance issues and cluttering the Home page with too many tabbed
reports, consideration should be given to determining:
v Which reports or dashboards are best related to the type of tasks or activities a
particular group of users have to accomplish
v Which profile (or profiles) should contain these reports or dashboards
v If any of the selected reports or dashboards already configured for display on
the My Work tab. If so, should these be removed?
Related tasks:
“Display Cognos reports on home page tabs” on page 784
IBM OpenPages administrators can configure Cognos reports to display on the
homepage tabs instead of on the My Work homepage.
Configuring Tabs on the Home Page
To configure tabs on the Home page, you use the Home Page Tab Configuration
table on the detail page of the selected profile.
Table 43 describes the type of information displayed on the Home Page Tab
Configuration Table.
Table 43. Columns on the Home Page Tab Configuration Table
This column...
Displays this...
Name
The name of each configured tab. Typically, the name reflects the name
of the selected report or dashboard. My Work is the default Home page
tab provided by IBM OpenPages , Inc. and is always displayed in the
list.
Description
A brief description of the report, if available.
Status
The status of the tab. If the status is:
v Visible - the tab is displayed on the Home page
v Hidden - the tab is hidden from the Home page
Order
The position of the tab as it is displayed on the Home page.
By default, the My Work tab is in position 1.
Note: Tabs that are disabled or hidden cannot be ordered and the box
is not displayed.
Actions
The type of actions that can be used on a tab. The actions are:
v Hide - hides the tab from display on the Home page
v Show - unhides the tab and displays it on the Home page
v Delete - permanently removes the tab from the list and Home page.
Note: The My Work tab cannot be deleted.
For information on localizing display text, see “Localizing Application Text” on
page 284.
Adding New Tabs for Reports or Dashboards
When you select one or more reports or dashboards for display in a tabbed format
on the Home page, each selected report or dashboard is immediately:
v Displayed in a tab on the Home page of users who are assigned that profile.
Chapter 11. Managing the Home Page and Views for Objects
229
v Listed under the Home Page Tab Configuration table on the Profile detail page.
Note: For details about configuring the My Work tab, see “Configuring the My
Work Tab” on page 231.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Home Page Tab Configuration table, click Add.
4. From the list of reports and/or dashboards:
a. Expand a report folder to display a list of available reports.
b. Select the check box next to each report you want displayed in a tab on the
Home page.
Note: Selecting multiple reports results in multiple tabs (one tab for each
selected report).
c. When finished, click Associate.
5. If wanted, change the order in which tabs are displayed on the Home page (see
“Setting the Display Order of Tabs”).
Related tasks:
“Display Cognos reports on home page tabs” on page 784
IBM OpenPages administrators can configure Cognos reports to display on the
homepage tabs instead of on the My Work homepage.
Setting the Display Order of Tabs
By default, the My Work tab is in position 1 on the Home page, and each tabbed
report or dashboard that you add is displayed in the order in which it was added.
If wanted, you can change the order in which tabs (including the My Work tab) are
displayed on the Home page. When you change the position of tabs on a Home
page, the change is immediately reflected in the application user interface.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Home Page Tab Configuration table, under the Order column, type
over the existing number with the new number you want for positioning each
tab on the Home page.
4. When finished, click Update Order.
Hiding and Unhiding Tabs
You can control whether or not configured tabs are displayed or hidden from users
in a profile. A tab that is disabled is hidden from users with the selected profile
and can be unhidden by enabling it at a future time.
By default, newly added tabs are enabled and displayed to users who have the
selected profile.
When you hide or unhide a tab, the following occurs:
v The value of the Status column changes for that tab.
230
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v The value of the link toggles between Hide and Show depending on the
selection.
v The tab is immediately hidden or unhidden from users on the Home page of the
selected profile.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Home Page Tab Configuration table, under the Actions column do one
of the following:
To do this...
Click this link...
Hide a tab on the Home page for users of
the selected profile
Hide in the row of the tab you want to hide.
Show a previously hidden tab
Show in the row of the tab you want to
unhide.
Deleting Tabs
When you delete a tab for a report or dashboard from a profile, the tab is
immediately removed from the Home page of that profile, and from the list of tabs
on the Home Page Tab Configuration table.
Note: You cannot delete the My Work tab from the Home Page Tab
Configuration table; you can only hide it.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the Home Page Tab Configuration table, under the Actions column, click
the Delete link for the tab you want to permanently remove.
Configuring the My Work Tab
The My Work tab is a default tab provided by IBM OpenPages , and contains the
following panes (sections of a page) that can be configured in a profile for display
to users:
v Predefined Lists - these panes display a list of predefined items that are tailored
to the logged on user, such as My Checked-Out Files or My Tasks. Predefined
lists also includes the My Reports pane, which can be configured with links to
reports. For details, see “Configuring Predefined Lists” on page 232.
v Filtered Lists - these panes display a list of items based on a filter that you
define for the selected object type. In addition, you can select object and/or
report fragment fields (the data is displayed in columns), and set the order in
which columns are displayed in the pane. For details, see “Filtered lists on the
My Work tab” on page 232.
v Embedded Reports - each embedded report is displayed in a separate pane on
the My Work tab. For details, see “Configuring Reports” on page 235.
Note: The My Work tab can be enabled or disabled for a profile but cannot be
deleted.
Chapter 11. Managing the Home Page and Views for Objects
231
In a first-time installation, the My Work tab, by default, is enabled but empty of
content (no panes are configured), and a message, similar to the following, is
displayed to users who are assigned that profile:
OP-50536: There is no information configured for display on your home page.
Please contact your System Administrator.
Configuring Predefined Lists
The following table lists the predefined lists that are available for display on the
My Work tab.
Table 44. Available Predefined Lists
This predefined list...
Displays this on the Home page...
My Tasks
a My Tasks pane that includes a list of tasks assigned to the
logged on user. The table includes such information as the
status, name, and description of the task, and any
attachments associated with each task.
My Checked-Out Files
a My Checked-Out Files pane that includes a list of files
that were checked out by the logged on user.
My Jobs
a My Jobs pane that includes any jobs owned by the logged
on user. The table includes such information as the name
and description of the job, and attachments associated with
each job.
Report Listing
a My Reports pane on the Home page for which you can
configure links to reports. For embedded reports, see
“Working With Embedded Reports” on page 236 for details.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the My Work Tab Configuration table, click Add Predefined Lists.
4. On the Available Predefined Lists page:
a. Select the box next to each predefined list you want to display on the My
Work tab.
b. When finished, click Include. The included items are listed in the My Work
Tab Configuration table.
5. If you selected ‘Report Listing’ and want to populate the My Reports pane with
a list of links to reports, see “Configuring a My Reports Listing” on page 235
for details.
Filtered lists on the My Work tab
Filtered lists contain selected object type information based on the filter you
defined for that object type.
Each filtered list that you configure is displayed in a table format within a pane on
the My Work tab. For example, if you configured three filtered lists for the My
Work tab, that tab would contain three separate panes - one for each filtered list.
Filtered lists can include one or more:
v Object fields
232
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Report fragment fields
Each field that you include in a filtered list is displayed as a column in that table.
For example, if you defined a filtered list for ineffective controls, and included (in
addition to ‘Name’ and ‘Description’) an object field for ‘Classification’ and a
report fragment field containing a ‘Control Analysis bar chart’, the table would
display four columns (one for each field).
Note: By default, filtered lists on the My Work tab:
v Automatically include the ‘Name’ and ‘Description’ object fields.
v Use ‘Reports’ as the name of the column heading for report fragment fields, and
a clickable icon is displayed under the column for opening a single report
fragment field. If multiple report fragment fields are configured for an object
type, the icon displays a clickable down arrow with a selection list.
v Support only one column layout per object type. When multiple filtered lists are
configured for the same object type, you cannot define different columns for
display per filtered list on the My Work tab.
Example
For example, the Risk object type has filtered lists ‘A’, ‘B’, and ‘C’ configured for
display on the My Work tab. If the ‘Name’ and ‘Description’ fields were defined
for filtered lists ‘A’ and ‘B’, and an additional field, ‘Domain’, was the last field
defined for filtered list ‘C’, then all the filtered lists, including ‘A’ and ‘B’ would
include ‘Domain’ for display on the My Work tab.
For each filtered list that you configure on the My Work tab for an object type, you
can include or exclude fields, and set the order of columns in the table. If report
fragment fields are configured, these are always the last column of the table.
When you configure a filtered list for display on the My Work tab, all filters that
are defined for an object type are displayed in a selection list. Once you select a
filter, it no longer appears in the list of available filters.
The My Work tab supports only one column layout per object type. When multiple
filtered lists are configured for the same object type, you cannot define different
columns for display per filtered list on the My Work tab.
Before You Begin
Before you can configure a filtered list, you must have the following already
defined for an object type:
v One or more filters for the selected object type. See “Managing Filters for an
Object Type” on page 198.
v Any report fragment fields and/or object fields that are in addition to the
predefined standard IBM OpenPages object fields for that object type. See
Chapter 8, “Configuring Fields and Field Groups,” on page 141.
Configuring Filtered Lists on the My Work Tab
You can configure filtered lists on the My Work tab for object fields or report
fragment fields or both.
Note:
v A clickable icon is displayed for opening a single report fragment field under the
‘Reports’ column. If multiple report fragment fields are configured for an object
type, the icon displays a clickable down arrow with a selection list.
Chapter 11. Managing the Home Page and Views for Objects
233
v If report fragment fields are configured, the ‘Reports’ column, by default, is
always the last table column and its column position cannot be changed.
Procedure
1.
2.
3.
4.
5.
Access the Profiles page (see “Accessing Profiles” on page 218).
From the list, click the name of a profile to open its detail page.
On the My Work Tab Configuration table, click Configure Filtered List.
On the Select a Filter page, select a filter from the list and click Next.
On the Select Fields page, do any of the following:
Table 45. Summary of Filter Actions
Goal
Action
Include a field as a column in the
filtered list
On either the Included Object Fields or Included
Reporting Fragment Fields table, complete the
following steps:
1. Click Include. This opens a field selection page.
2. Select the box next to each field you want to
display as a column.
3. When finished, click Include.
Exclude a field as a column
On the Included Object Fields or Included
Reporting Fragment Fields table, complete the
following steps:
1. Select the box next to each field you want to
remove as either a column or report.
2. Click Exclude.
3. At the confirmation prompt, click OK.
Change the order in which object
fields are displayed as columns
On the Included Object Fields table, complete the
following steps:
1. In the Order column, change the order number of
the field you want.
2. Click Update Order.
When you change the number of a field, the system
dynamically updates all the other numbers.
Include a field as a column that
displays a report fragment
On the Include Reporting Fragment Fields table,
complete the following steps:
1. Click Include. This opens a field selection page.
2. Select the box next to each report fragment field
that you want to display.
3. When finished, click Include.
6. Click Finish.
Editing Filtered Lists on the My Work Tab
You can modify the fields in a filtered list and the order in which they are
displayed.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
234
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
3. On the My Work Tab Configuration table, click the name of the filtered list
table you want to modify.
4. On the table for included objects or report fragment fields, modify the
information as necessary (for details, refer to Step 5 in “Configuring Filtered
Lists on the My Work Tab” on page 233).
5. When finished, click Finish.
Configuring Reports
You can use the following methods to configure reports on the My Work tab:
v Report Listing - this method creates a My Reports pane in which a list of
selected reports can be displayed. Each listed report name is a link that, when
clicked, opens the report in a separate window. For details, see “Configuring a
My Reports Listing.”
v Embedded reports - this method embeds each specified report in a separate
pane on the My Work tab. For details, see “Working With Embedded Reports”
on page 236.
Note:
v Only published reports are displayed in the list of available reports (under the
Cognos folder) for association on a My Work tab (either as a link in a list or as
an embedded report). If you want to add a new report, you must first publish
that report. For details, see “Adding Reports” on page 125.
v Although JSP reports are available for selection as embedded reports on the My
Work tab, only Cognos reports can be embedded (JSP reports cannot be
embedded) on the My Work tab. A JSP report that is selected as an embedded
report will result in a reporting error on the My Work tab.
Configuring a My Reports Listing
You can configure links to reports in the My Reports pane on the My Work tab by
either clicking the ‘Add Predefined List’ button or through the wizard by clicking
the ‘Configure Reports’ button.
You can globally control the maximum number of reports that are listed on the My
Work tab through the Maximum Reports Listing setting (for details, see “Setting
the Number of Report Listings” on page 341).
Procedure
1.
Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the My Work Tab Configuration table, do one of the following:
Chapter 11. Managing the Home Page and Views for Objects
235
Click this button...
Then...
Add Predefined Lists
On the Available Predefined Lists page:
1. Select the box next to Report Listing.
2. Click Include.
3. On the My Work Tab Configuration
table, click the Report Listing link.
4. Continue to Step 4.
Note: If you already added a My Reports
pane on the My Work tab but need to
populate the list with reports, do not click
the button and skip directly to Step c.
Configure Reports
In the Configure Home Page Reports
wizard:
1. In the Select Report Type step, select
Report Listing as the report type.
2. Click Next.
3. Continue to Step 4.
4. Click Associate to open the Reports list page.
5. On the Reports list page:
a. Select the box next to each report you want to include as a link in the My
Reports pane.
b. When finished, click Associate.
6. Click Finish.
Working With Embedded Reports
When you embed a report on the My Work tab, the report is displayed in a pane
on the My Work tab of users who have the selected profile.
You can globally control the maximum number of embedded reports to show on
the My Work tab through the Maximum Embedded Reports setting (for details,
see “Defining the Number of Embedded Reports” on page 341).
Performance Considerations:
Although embedded My Work tab reports provide a convenient mechanism to
present users with useful Cognos report data upon logon to the IBM OpenPages
application, report execution times can vary depending on the report.
When configuring embedded reports, administrators should be careful not to
configure the My Work tab with large or resource-intensive reports, as this will
contribute to the overall load on Cognos resources. Some factors that can affect
utilization of Cognos system resources include:
v The number of concurrent users logged on to the system
v The percentage of users executing reports or viewing computed fields
v The frequency with which users return to their respective Home pages
The following are some guidelines for configuring reports on the My Work tab:
v Only embed reports that are well-scoped and execute in less than <10 seconds
for the typical application user.
236
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Configure no more than one (1) embedded report on the My Work tab for the
majority of application users.
Related tasks:
“Display Cognos reports on home page tabs” on page 784
IBM OpenPages administrators can configure Cognos reports to display on the
homepage tabs instead of on the My Work homepage.
Configuring Embedded Reports:
Use the following steps to embed one or more reports on the My Work tab.
Note: You may need to modify the report to accommodate differences in the My
Work tab display area and page targets. We recommend that you make a copy of
the desired report before you update the display details and targets to suit
rendering within the My Work tab display area.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the My Work Tab Configuration table, click Configure Reports.
4. In the Configure Home Page Reports wizard:
a. In the Select Report Type step, select Embedded Reports as the report
type.
b. Click Next.
5. On the Choose Reports step, click Associate to add reports to the list.
6. On the Reports page:
a. Select the box next to each report you want to embed in a pane on the My
Work tab.
b. When finished, click Associate (you may need to scroll to the bottom of the
page to see the button).
The selected reports are listed in the Associated Embedded Reports pane of
the wizard.
7. If you want to remove any of the newly associated reports from the list (for
example, a report was accidentally added), you can:
a. Select the box next to each report you want to remove.
b. When finished, click Disassociate
8. To exit the wizard, click Finish.
Modifying Configured Reports
You can use the Configure Reports wizard to add or remove reports (both
embedded reports and My Report links) from the My Work tab.
Note: You can also remove embedded reports directly from the My Work Tab
Configuration table (without using the wizard). For details, see “Removing items
from the My Work tab” on page 238.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
Chapter 11. Managing the Home Page and Views for Objects
237
3. On the My Work Tab Configuration table, click Configure Reports to open the
wizard.
4. In the Select Report Type step, select the report type you want to modify.
5. On the Associated Reports page:
To do this...
Then click this button...
add more reports
1. Click Associate.
2. On the Reports list page, select the box
next to each report you want to include.
3. When finished, click Associate.
remove existing reports
1. Select the box next to each report you
want to remove.
2. When finished, click Disassociate.
6. Click Finish.
Removing items from the My Work tab
You can remove previously configured tables (including embedded reports) from
the My Work tab.
When a user with the modified profile either logs on to the application, refreshes
or returns to the My Work tab on the Home page, the removed items may no
longer be displayed.
Note: To remove links from the My Reports pane, see “Modifying Configured
Reports” on page 237.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. On the My Work Configuration table listing:
a. Select the box next to each item you want to remove from the My Work tab.
b. When finished, click Disassociate.
c. At the confirmation prompt, click OK.
Views for objects
For each object type that you include in a profile, you can configure various views
of data for that object. A view displays information about an object type in
different formats and provides a means for customizing and filtering information
on a page for objects and custom form objects.
The following list summarizes the standard (out-of-the-box) views that you can
configure to meet your business needs. The IBM OpenPages application categorizes
views as follows:
Navigational Views
v Overview Pages
v Folder
v Filtered List
v Grid View
238
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Object Views
v Detail
v Activity View
Association Views
v List
v Context
Fields that you configure for a specific object type and view page are displayed to
users who have that profile, and fields that you exclude from that object type and
view are hidden from users.
Fields can be object fields, computed fields, and report fragment fields.
When you modify an object view for a particular object type (including custom
forms), the change is immediate and displays everywhere the object type appears
in a table within the IBM OpenPages application. Changes that you effect for one
profile do not result in changes to other profiles.
For example, you create two new fields for the Risk object type and want to
display these fields to users with the ‘Manager’ profile on the detail page of Risk
objects. You open the ‘Manager’ profile, select the Risk object type from the list,
select the Detail view page, and then choose the new fields to include on the Detail
view page. When users with the ‘Manager’ profile view, create or modify a risk,
the two new fields will be displayed on a Risk Detail view page. For users who
have a different profile (not ‘Manager’), the new Risk fields are hidden unless you
also include these fields in that profile.
Related tasks:
“Limit the number of objects in views” on page 781
The OpenPages application allows end users to access data in various views (such
as the Overview, Folder Views, Filtered List View, Detail View, Activity Views, and
so on). Limiting the number of objects that are displayed in a view improves
performance.
Navigational views
Navigational Views assist users in finding instances of specific objects.
Navigational Views include the following view types:
v Overview
v Folder
v Filtered List
v Grid
When you add, remove, or modify Navigational Views in a profile for a specific
object type, consider the following items:
v
v
v
v
Views can be enabled or disabled.
Some views can be deleted.
Most views, except Overview pages, can be reordered.
The Bulk Update feature can be used with grid views because grid views
contain editable fields.
Chapter 11. Managing the Home Page and Views for Objects
239
v Users with the assigned profile who are already logged on to the application
must log out and log in to see the changes.
v Users can change the sort order and field order in Filtered List Views and Grid
Views.
Users may become confused if they are presented with both Filtered List Views,
which cannot be edited, and Grid Views, which can be edited. It is preferable to
disable Filtered List Views and to configure Grid Views for your users. Grid Views
provide similar functionality to Filtered List Views and allow the user to edit the
information. If you configure Filtered List Views, the tooltip for the row of a
Filtered List View displays the information that the row cannot be edited.
Overview pages
An Overview page displays a hierarchical object-tree view of an object type. For
example, if you wanted to include an Overview page for Control Objectives, you
could do so through a profile.
As an administrator, you can:
v Control which object types are included or excluded in the object-tree hierarchy
on an Overview page (see “Including and Excluding Object Types on Overview
Pages” on page 250 for details)
v Enable or disable an Overview page for an object type (see “Managing Views for
Objects” on page 244 for details)
An Overview page is not supported for the following object types: SOXProject,
SOXDocument, SOXExternalDocument, SOXMilestone, SOXIssue, SOXTask,
SOXSignature, and ProjectActionItem.
Folder views and Filtered List views
A Folder View displays a page view of folders (including sub-folders) containing
the selected object type. The information is displayed in columns on the page.
A Filtered List View displays a page with search filter options that you can use to
display objects of the same type that match your search criteria. First, select the
object type to view. Then, select the Filtered List View from the Filter selector. The
view is then populated with objects that match the filter criteria. Use this view to
display filter objects of the same type that match the search criteria in the filter the
user selects. The user can personalize the display of a Filtered List view and limit
what fields of information are displayed.
The Filtered List View cannot be edited by the user. Because the Filtered List
Views do not contain editable fields, you cannot use the Bulk Update feature with
Filtered List views. To allow the user to edit a view, define a Grid View.
For Filtered List and Folder views:
v When you configure either a Folder or Filtered List view for Business Entities
(SOXBusEntity), the List view for this object type is not available.
v The Name field is required. Always configure it in the first column.
v If report fragment fields are configured, the ‘Reports’ column is always the last
column in the table. The position of the ‘Reports’ column can be changed in
Grid View.
240
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Example
If you previously disabled the Folder View and Filtered List view pages for
Control Objectives in a profile, and you want to make that object type and its
children directly accessible again through the ‘Assessments’ menu to users who are
assigned that profile. You could enable the Folder View and/or Filtered List View
for the Control Objective object type. Enabling either view page would cause the
‘Control Objectives’ menu item to be dynamically displayed on the ‘Assessments’
menu. However, only the view page that was enabled would be displayed when
the menu item was selected. If you enabled both view pages, you could set, for
example, the Filtered List view page to be displayed first to users.
As an administrator, you can perform the following functions:
v Control which fields are displayed as table column headings in a Folder or
Filtered List view (see “Configuring Fields in Navigational and Association
Views” on page 248)
v Set the order in which table column headings appear (see “Setting the Display
Order of Fields in a View” on page 247)
v Enable or disable a Folder or Filter List view page for an object type (see
“Managing Views for Objects” on page 244 for details)
v Control which view page (Folder or Filter List View) is displayed first to users
when both views are configured (see “Setting a Default View” on page 246 for
details)
Grid views
The grid view allows you to select how information about an object is displayed
by selecting an option from the View selector.
A grid view allows users to view, compare, and edit fields from up to three
different object types in one location. A grid view allows users to perform
operations on multiple objects at the same time. Additionally, users can personalize
the information by modifying the fields that are displayed, field order, sort criteria,
and column widths.
The grid view allows users to move between the display of objects fields in full
mode and compact mode. This ability allows the user to show all configured fields
for an object or display only the subset that you select. You define the objects that
are displayed on a grid view. Users can then select a grid view and edit the fields
in the view, including reordering columns of information.
Use the Grid Actions menu to create an item, update multiple items (bulk update),
export information, delete, submit to workflow, lock, and unlock.
The grid view provides access to an Info Card. The card displays the values for all
configured fields for an object type.
If users are allowed to edit fields in an object, define a grid view. Because grid
views have editable fields, you can use the Bulk Update feature.
Object views
Object Views provide detail instance data for an object.
Object Views include the following view types:
v Detail
Chapter 11. Managing the Home Page and Views for Objects
241
v Activity
When you add, remove, or modify Object Views in a profile for a specific object
type, users with the assigned profile who are already logged on to the application
may have to refresh the page to see the changes. Object views can be enabled or
disabled. Some object views can be deleted.
Detail Views
A Detail View displays data on the same page for the selected object including
fields and any associations it has to other objects.
From an object’s Detail page, application users can edit and/or view object-specific
fields for the selected object, and add or associate other objects to it. You can
configure the Detail View or any Activity View to be the page that users see by
default when they click the linked name of an object from an Overview, Folder,
Filtered List, or List View page.
Fields can be object fields, computed fields, and report fragment fields.
Note:
v The Detail view is required for objects and custom forms and can be disabled
but not removed. When you add a new object type to the Default profile, a
Detail view is automatically configured for that object type.
v When users export data from a Filtered List View to a spreadsheet, the data that
is directly exported corresponds to the fields that are configured in a Detail view
for the selected object type with the exception of Long String fields that have a
large sub type. Fields with a large sub type are ignored by Export and FastMap
as these fields might be too large to be stored in a cell (the maximum storage for
a cell is 32 KB).
As an administrator, you can:
v Control which fields are displayed in the table rows of a Detail view (see
“Configuring Fields in Detail and Activity Views” on page 261)
v Set the display order of the fields (see “Setting the Display Order of Fields in a
View” on page 247)
v Set specific fields to be view only or editable (see “Setting Object Fields as
Read-Only or Editable” on page 264)
v Set specific fields to span the 2-column table layout of the Detail page (see
“Spanning Table Columns” on page 265)
v Insert section headings on a page to delineate a set of fields (see “Using Section
Headings” on page 263)
v Configure how report fragment fields are displayed to users (see “Configuring
the Display Type for Reporting Fragment Fields” on page 265)
v Configure how string data is displayed to users (see “Configuring Display Types
for Simple String Fields” on page 266)
Activity Views
Activity Views are multi-object views focused on performing a specific task, such
as control assessments. An Activity View page provides a way for users to
concurrently view and edit specific fields for an object, including any child objects
that have been defined for this view, with minimal navigation.
An Activity View can display up to three levels of objects (the current object, list
and detail panes for child objects, and objects under a selected child object).
242
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
You can create your own Activity View pages for an object type in which users can
edit, view, and manage multiple associated objects on the same page. Depending
on the view type, information is displayed as either a page (such as a Folder View
or Detail view page) or in a section of a page (such as a Context pane). By default,
an Activity View is enabled and is automatically added to the list of views that can
be selected from the Current View selection on the object’s detail page. Users who
are assigned the selected profile have immediate access to the new Activity View.
In an Activity View, you can choose child object types at any level in the hierarchy
for display in an Activity View. For example, if users need to determine the
effectiveness of a particular control, you could select Control and Test Result
(skipping the Test object) under a Risk object so only objects relevant to
performing the task are displayed in an Activity View. You can also sort how object
types are displayed and select paths to scope or limit the objects that are returned.
For more details on using Activity Views, see “Creating Activity Views” on page
254.
As an administrator, you can:
v Create, modify, or delete Activity Views (see “Creating Activity Views” on page
254)
v Control which fields are displayed in the table rows of an Activity View (see
“Configuring Fields in Detail and Activity Views” on page 261)
v Set the display order of the table rows containing the fields (see “Setting the
Display Order of Fields in a View” on page 247)
v Set specific fields to be view only or editable (see “Setting Object Fields as
Read-Only or Editable” on page 264)
v Set specific fields to span the 2-column table layout of the activity page (see
“Spanning Table Columns” on page 265)
v Insert section headings on a page to delineate a set of fields (see “Using Section
Headings” on page 263)
Association Views
Association Views display parts of pages in a separate page for users with the
assigned profile.
Association Views include the following view types:
v List
v Context
When you add, remove, or modify Association Views in a profile for a specific
object type, users with the assigned profile who are already logged on to the
application may have to refresh the page to see the changes.
List Views
A List View displays objects of the same type in a list format, with objects
generally listed in ascending order. Depending on the object type, List Views may
be displayed as either a page or pane.
By default, List Views are displayed as pages for the following object types:
Business Entities (SOXBusEntity), Milestones (SOXMilestone), and Tasks (SOXTask),
and as panes on a Detail view page for listing associated parent or child objects.
Chapter 11. Managing the Home Page and Views for Objects
243
When you configure either a Folder or Filtered List view for Business Entities
(SOXBusEntity), the default List view for this object type is not used.
For List and views:
v You cannot add a List view to a custom form object or remove a List view from
an object.
v The Name field is always displayed in column 1 and its position cannot be
changed.
v If report fragment fields are configured, the ‘Reports’ column is always the last
column in the table and its position cannot be changed.
As an administrator, you can:
v Control which fields are displayed as table column headings in a List View (see
“Configuring Fields in Navigational and Association Views” on page 248)
v Set the display order of the table column headings (see “Setting the Display
Order of Fields in a View” on page 247)
Context Panes
A Context pane appears in the Detail page for an object and provides information
about the object that is the focus of the Detail page. When you are looking at the
details of associated objects, use the Context pane to remind you of the key
information about the object that is the focus of the Detail page.
For example, you could use a Context pane to include System Fields such as,
‘Business Entity Structure’ and ‘Primary Association Path’, or a report fragment
field that displayed a line chart showing trends.
As an administrator, you can:
v Control which fields are displayed in a Context pane (see “Configuring Fields in
Navigational and Association Views” on page 248)
v Set the display order of the fields (see “Setting the Display Order of Fields in a
View” on page 247)
Managing Views for Objects
You can enable, disable, and set a default view for certain object types that are
configured in a profile. You can also set the display order of fields in a view.
Note:
As an administrator, if you enable a navigational view for the Process Diagram,
Data Input, or Data Output object type, it is not available as a menu item in the
appropriate menu on the menu bar for users who are associated with that profile.
These objects are available only in the context of a Process.
For information about configuring specific object types in a profile, see
“Configuring Object Types in Profiles” on page 222.
Enabling a View
The process of enabling a view for an object type in a profile is the same for
Navigational and Object Views. It does not apply to Association Views.
244
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type (for
example, SOXControl) for which you want to enable a view.
4. Navigate to the type of view you want (such as Navigational Views or Object
Views).
5. Click the Enable link under the Actions column in the row containing the
particular view you want to enable.
Note:
v The link changes from Enable to Disable.
v The value in the ‘Enabled’ column changes from ‘false’ to ‘true’.
6. If wanted, configure the selected view:
v To add or remove object types for display in an object-tree hierarchy on an
Overview page, see “Configuring Object Types in Profiles” on page 222 for
details.
v To add or remove fields for a specific view, see “Configuring Views for
Objects” on page 248.
v To control which view is displayed first to users when multiple views for a
page are configured, see “Setting a Default View” on page 246 for details.
v To associate a filter that will narrow the scope of data that is returned from a
Filtered List view page, see “Associating Filters to Filtered List View and
Grid View Pages” on page 251 for details.
Disabling a View
The process of disabling a view for an object type in a profile is the same for
Navigational and Object Views. It does not apply to Association Views.
About this task
v For Overview views - when you disable an Overview for an object type, the
‘Overview’ menu item that corresponds to that object type is dynamically
removed from the menu list.
For example, if you enabled a ‘Control Objectives Overview’ page and then
decided you no longer wanted it, you could remove the Overview page for that
object through the profile. When you disable the Overview view, the ‘Control
Objectives Overview’ menu item would be dynamically removed from the
‘Assessments’ menu list for all users who are assigned that profile.
v For Folder View, Filtered List View, and Grid View - when you disable these
views, the corresponding menu item with the name of the object type, is
dynamically removed from the menu list for all users who are assigned that
profile. Although the object type and its children are still accessible from other
view pages, the object type would no longer be directly accessible to users from
a menu.
For example, if you disabled both the Folder View and Filtered List view pages
in a profile for the Process object type, application users who were assigned that
profile would still be able to access Process objects from a Process Overview
page, a Business Entity Overview page, or the detail page of a parent or child
object. However, the ‘Processes’ menu item would be removed from the
‘Organization’ menu.
Chapter 11. Managing the Home Page and Views for Objects
245
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type (for
example, SOXControl) for which you want to disable a view.
4. Navigate to the type of view you want (such as Navigational Views or Object
Views).
5. Click the Disable link under the Actions column in the row containing the
particular view you want to disable.
Results
Note:
v The link changes from Disable to Enable.
v The value in the ‘Enabled’ column changes from ‘true’ to ‘false’.
Setting a Default View
On pages where multiple views are enabled for an object type, you can select
which view you want as the default view for that page. The process of setting a
default view for an object type in a profile is the same for Navigational and Object
Views that contain a ‘Make Default’ link. It does not apply to an Overview view or
Association Views.
For example, if you have a Grid View, Folder View, and Filtered List View enabled
for Control object types, you could set the Grid View page to display first when
users select Control from the Assessments menu.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type (for
example, SOXControl) for which you want to set a default view.
4. Navigate to the type of view you want (such as Navigational Views or Object
Views).
5. Click the Make Default link under the Actions column in the row containing
the particular view you want to display as the default view.
Note:
v The Make Default link is removed from the selected view.
v The value in the ‘Default’ column changes from ‘false’ to ‘true’.
6. To view the changes to the default view, users must log out and log back in to
the application.
Results
If you later decide to change the default view to another view, click the Make
Default link in the row containing the view you want to display as the default
view.
246
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Setting the Display Order of Fields in a View
You can dynamically change the order in which fields are displayed for object
types in a view.
Fields can be object fields, computed fields, and report fragment fields.
Note: The following applies only to Filtered List, Folder, and List views:
v The Name field is always displayed in column 1 and its position cannot be
changed.
v If report fragment fields are configured, the ‘Reports’ column is always the last
column in the table and its position cannot be changed.
When you re-order fields in a view, the change is visible immediately to all users.
The process of setting the display order of fields for an object type in a profile is
the same for all views.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. Select the view you want:
Navigate to this tab...
To select a link for this view...
Navigational Views
Folder, Filtered List, or Grid
If Grid Views are defined, click the name of a grid view link,
and then click Next until the ‘Specify Field Settings’ screen is
displayed in the Grid View wizard.
Association Views
List or Context
Object Views
Detail or Activity.
If Activity Views are defined, click the name of an activity view
link, and then click Next until the ‘Specify Field Settings’ screen
is displayed in the Activity View wizard.
5. On the Included Object Fields table, locate the field whose order you want to
change:
a. In the Order box in the row of the selected field, type the new display order
number for that field.
b. Click Update Order.
c. For Detail Views only - click Save to save your changes and return to the
object type detail page.
d. For Activity Views, click Next and Save to save your changes and exit the
wizard.
The fields are automatically re-ordered as specified.
e. For Grid Views - click Save to save your changes and exit the wizard.
The fields are automatically re-ordered as specified.
Chapter 11. Managing the Home Page and Views for Objects
247
Example
If the "Classification" object field on the property table of a Risk object Detail View
page is in position 9 on the list and you wanted it to precede the "Location" object
field, which is in position 3, you would change the display order number for the
"Classification" field from 9 to 3. All the other object fields after position 3 are
automatically re-ordered - so the display order for the "Location" field would
become 4, the next field that followed would become 5, and so forth.
Configuring Views for Objects
Configuring Fields in Navigational and Association Views
For each Folder, Filtered List, List View, Grid View, and Context pane that you
configure for an object type within a profile, you can include, exclude, and set the
order of fields.
Fields can be object fields, computed fields, and report fragment fields.
For information and examples about these views, see the following topics:
v Filtered List and Folder Views - see “Folder views and Filtered List views” on
page 240
v List Views - see “List Views” on page 243
v Context Panes - see “Context Panes” on page 244
v Grid Views - see “Folder views and Filtered List views” on page 240
Including and Excluding Fields in Navigation and Association
Views
When you include or exclude object fields in a Folder, Filtered List, List, Context,
Activity, or Grid view, the change immediately affects all users who are assigned
that profile.
Fields can be object fields, computed fields, and report fragment fields.
Each object type has a set of predefined object fields that consist of both shared
and object-specific fields. The shared object fields (such as Name, Description,
Created By, and so forth) are common to all object types and belong to the ‘System
Field’ field group. With the exception of the Name field, which is required and
always in position 1, you can choose which system and object-specific fields to
include or exclude from an object view. In addition to object fields, you can also
include report fragment fields that you define. In this way, you can tailor each
view to accommodate changing business needs.
Note:
v For Overview pages, see “Including and Excluding Object Types on Overview
Pages” on page 250 for details.
v For Detail and Activity view pages, see “Configuring Fields in Detail and
Activity Views” on page 261 for details.
Including Fields:
Before you can include an object field or report fragment field in a Navigational or
Association view, the field must be visible in the object field or report fragment
248
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
table listing for the selected object type or custom form. If the field is part of a
field group, make sure you include the field group for the selected object type.
For details, see “Configuring Fields for Object Types” on page 223.
When you include object fields or report fragment fields in a Navigational or
Association view for the selected object type, the fields are displayed as table
column headings in that view. By default, the column heading for report fragment
fields is called ‘Reports’.
About this task
For List and Folder views, the user cannot adjust the column width or configure
which columns will appear. It is a good practice to limit the number of columns
you configure for those views.
For Grid and Filtered List views, the user can adjust the column width and can
configure which columns are visible.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. Select the view that you want.
5. To add field columns to the selected view:
a. On either the Included Object Fields or Included Reporting Fragment
Fields table, click Include. The available fields selection page is displayed.
b. Select the box next to each field you want to display.
c. When finished, click Include.
6. To modify the order in which the fields are displayed in columns in a
Navigation or Association View, see “Setting the Display Order of Fields in a
View” on page 247.
Excluding Fields from Views:
When you exclude object fields or report fragment fields from either a
Navigational or Association View for the selected object type, the fields are
removed from the table column headings in that view page.
With the exception of the required Name field, you can exclude any field from an
object view. For example, if you exclude the ‘Description’ object field from a
Filtered List View for an object type, the ‘Description’ table column and its
associated data are dynamically removed from the Filtered List view page and the
change is immediately visible to all users.
Note: If you exclude object fields that are referenced by JSP reports, the report
may fail or return unexpected results.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
Chapter 11. Managing the Home Page and Views for Objects
249
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. Select the view that you want.
5. To remove object field columns from the selected view:
a. From either the Included Object Fields or Included Reporting Fragment
Fields table, select the box next to each object field you want to remove.
b. When finished, click Exclude.
c. At the confirmation prompt, click OK.
Including and Excluding Object Types on Overview Pages
For each Overview page that you configure for an object type within a profile, you
can select which object types you want to include or exclude in the object-tree
hierarchy for the selected object type.
Related tasks:
“Limit the number of associations in the Overview” on page 782
Limit the number of child associations for objects in the Overview screen to
improve load time for this view.
Including Object Types on an Overview Page
When you include an object type for display in the object-tree hierarchy on an
Overview page, the following occurs:
v The object type and any associated child object types are dynamically displayed
to users (who are assigned that profile) in the object-tree hierarchy.
v The modification is effective immediately and there is no need to restart any
IBM OpenPages services.
You can optionally display the ‘Description’ column on an object’s Overview page
by modifying its object view information. The ‘Name’ column is required and
cannot be hidden.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. On the Navigational Views table of the selected object type, click the Overview
link.
5. On the Included Object Types tab, click Include.
6. On the Available Object Types page:
a. Select the box next to each object type you want to include in the object-tree
hierarchy.
b. When finished, click Include.
7. To show or hide the ‘Description’ column on the Overview page:
a. On the Object View Information tab, click Edit.
b. Click the Show Description arrow and select either:
v True - to display the ‘Description’ column.
v False - to hide the ‘Description’ column.
c. When finished, click Save.
250
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Excluding Object Types From an Overview Page
When you exclude an object type from display in the object-tree hierarchy on an
Overview page, the following occurs:
v The object type and any associated child object types are dynamically removed
from users (who are assigned that profile) in the object-tree hierarchy - think
carefully before removing an object type from an Overview page.
v The modification is effective immediately and there is no need to restart any
IBM OpenPages services.
For example, if you exclude Controls from the Business Entity Overview page, the
Control object - including any associated object types - will no longer be displayed
when you expand the object-tree hierarchy on the Business Entity Overview page.
The IBM OpenPages structure will appear to stop at the Risk level. In addition,
Tests and Test Results will no longer be displayed, since the Controls they are
associated with are hidden and not visible on the Business Entity Overview page.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types tab:
a. Select the box next to each object type you want to exclude from the
Overview page object-tree hierarchy.
Note: Remember that excluding an object type also hides its children. For
example, if you exclude Risks from the Overview page, Controls, Tests, and
Test Results will also be hidden from view. You do not need to select each
type - only the parent object type.
b. When finished, click Exclude.
c. At the confirmation prompt, click OK to effect the change.
Filtered List View and Grid View Pages
By using a filter, you can narrow the scope of data that is returned in a Filtered
List View or a Grid View for users who are assigned a specific profile.
Important: Before you can associate an object-specific filter to a Filtered List view
or Grid View page, you must have created a public filter for that object type by
following the instructions in “Managing Filters for an Object Type” on page 198.
Associating Filters to Filtered List View and Grid View Pages
When you associate a filter to a Filtered List View or a Grid View, the filter is
displayed in the filter selector for that object type.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. Under the Navigational Views table of the selected object type, click the
Filtered List link.
5. Complete the following actions:
Chapter 11. Managing the Home Page and Views for Objects
251
a. On the Associated Filters tab, click Associate. The filters selection page is
displayed.
b. Select the box next to each filter that you want to include.
c. When finished, click Include.
Disassociating Filters From Filtered List View and Grid View
Pages
If you have a filter that is no longer appropriate for display in the filter selector on
a Filtered List view page or a Grid view page for an object type, you can remove it
from the list.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type (for
example, SOXControlObjective) that has the filter you want to remove.
4. From the Associated Filters table listing, select the box next to each filter you
want to disassociate from this view.
5. When finished, click Disassociate.
Creating a Grid View
In IBM OpenPages GRC Platform, you can create a grid view of an object for the
users who are assigned to a profile. You specify the fields that are editable so that
users can perform a certain task, such as entering KRI values or performing a
self-assessment update. Additionally, you can provide guidance in the grid view to
these users.
About this task
The process of creating a grid view includes the following steps:
v Provide details about the grid view.
v Optionally, select the related objects that contain fields of information that the
user will require to perform the task.
v Specify the settings for the object types.
v Configure fields for the grid view.
Procedure
1.
2.
3.
4.
Click Administration > Profiles and select a profile.
Select the object that will be at the root of the grid view.
Under Navigational Views, click Add New.
To provide details about the new grid view, complete the following actions:
a. Add a name and description. Optionally, enter the translations for the
name. The description is for administrators only.
b. Add guidance to the users who are assigned to the profile, such as the
methodology that the users should follow in performing the task. You can
format the text.
c. If the grid view is not ready for users to access now, clear the Enabled
check box. The new grid view is enabled by default.
d. Click Next.
5. If you want to select the related objects that contain fields of information that
the user will require to perform the task, complete the following actions:
252
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
a.
b.
c.
d.
e.
Click Choose Object Type.
Select an object type for the selected object.
Click Apply.
Repeat these steps for each object that you want to add.
When you have added all the related objects, click Next.
The related objects do not have to be direct child objects. You can skip levels.
For example, the object model may be Process --> Risk --> Control --> Test
Plan --> Test Result. You create a grid view that is Process --> Control --> Test
Result.
If you do not want to include related objects, just click Next.
6. If there are at least two paths between the selected objects, select one or more
paths that you want to use.
7. To
a.
b.
c.
specify the sort criteria for the object, complete the following actions:
Click Specify Sort Criteria.
Click or Ctrl+click the fields and click the double arrow (>>).
To change the order in which the fields appear, select the field and use the
up arrow or the down arrow.
d. To change how the fields are sorted, select each field and click the up
triangle or the down triangle.
e. Click Apply.
8. To apply a filter to the objects, complete the following actions:
a. Click Choose Filter.
b. Select a filter that was created for this object.
c. Click Apply.
9. Click Next.
10. To configure fields for the grid view, complete the following actions:
a. To select the fields that will be displayed, click Choose Fields, select the
fields, and click Apply.
b. To allow your users to control which fields are available in the grid view,
select Full Mode or Compact Mode or both for each field.
Compact Mode is a subset of the fields that appear in Full Mode. For
example, your users want to hide the Description field in Compact Mode.
All included fields will appear in the Info Card. A field with neither Full
Mode nor Compact Mode selected will not appear in the grid view but it
will be available for the user to make visible.
c. To change the order in which the fields appear, drag the fields to a new
location or change the sequence of numbers in the Order fields and click
Update Order.
d. Specify whether each field is Read-Only.
e. To change the default column width for the fields, change the numbers in
the Column Width fields.
f. To delineate a set of fields on the Info Card, click Insert Section and enter
a name for the section heading. In the Insert before field, select the field
that the section heading will appear before. If you have translated text for
the section heading, add it to each language as required. Click Apply.
g. Repeat these steps for each additional object type that you have included.
11. Click Finish.
Chapter 11. Managing the Home Page and Views for Objects
253
Results
The grid view is added to the list of navigational views, where you can make it the
default navigational view, have it appear higher in the list of navigational views,
disable or enable it, or delete it.
Creating Activity Views
For each Detail View and Activity View for an object type within a profile, you
can choose object fields and/or report fragment fields and set their order, insert
section dividers, set fields to editable or read-only, and specify the number of
columns each field will span (either one or two).
For Activity Views, you can also select up to three levels of object types, choose
which paths to use to traverse the hierarchy for each level, select object-type filters
to narrow the scope of returned search data, and determine the order of objects in
a list or child hierarchy.
Before You Begin - Activity View Considerations
Before you create an Activity View, you need to determine the purpose of the view
and identify the parent and child object types that will be included in the view.
Planning your changes ahead of time helps to minimize the necessary work and
prevents duplication of effort.
The following list will help you identify some of the questions you need to
consider before you create a new Activity View:
v What task or activity does the user need to accomplish?
v What data does the user need displayed in this view to accomplish the task or
activity?
v What are the object types that should be included in this view? Will levels be
"skipped" in the object hierarchy?
v What field or fields does the user need to view or update?
v Are there constraints (such as a filter) that you need to put on the data in this
view?
v If you plan to use a filter to remove extraneous objects that are not directly
related to the current activity or to reduce the number of objects returned to a
reasonable size, is the filter already configured for the selected object type? (For
filter details, see “Managing Filters for an Object Type” on page 198.)
Scenario
The following scenario describes how you might use the Activity View Wizard to
create an Activity View called "Control Assessment by Risk Activity" for users who
are "Control Assessors". Although the scenario does not include all the
configuration features available in the Activity View Wizard, it does highlight
many of the basic features.
Let’s say your organization created a profile called "Control Assessor" for users
who have the responsibility to determine the effectiveness of controls.
To facilitate the work of a Control Assessor, you want to create a "Control
Assessment by Risk Activity" view that would allow a Control Assessor to quickly
analyze test results related to a particular control and then update the ‘Operating
Effectiveness’ field of a Control object accordingly.
254
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
In addition, you want the users to be able to perform their work with minimal
navigation and provide only data relevant to accomplishing the task. If multiple
test results are displayed, the data should be sorted according to the ‘Date
Performed’ field in ascending order.
To start, you would select the "Control Assessor" profile from the Profiles page and
then select ‘SOXRisk’ from the list of Object Types as this is the parent object type.
You would then navigate to the ‘Object View’ table and click the ‘Add New’
button to start the Activity View Wizard.
Table 46 highlights the tasks you would perform on each screen in the Activity
View Wizard to create a basic Activity View called "Control Assessment by Risk
Activity". The table also includes a reference for each screen in the Wizard where
you can find more details about that task.
Table 46. Configuring a Sample "Control Assessment by Risk Activity" View
On this screen in the Activity
View Wizard...
Do this...
1. Specify View Details
(for details, see “Task 1: Specify
View Details” on page 258)
2. Select Object Types
In the Name field, type the name: Control Assessment
by Risk Activity.
(For layout refer to pane "3" in Figure 11 on page
257.)
1. In the same row as ‘Risk’, click the Choose Object
Types link and select ‘Control’. (For layout refer
to panes "4" for Risk, and "5" and "6" for Control
in Figure 11 on page 257.)
(for details, see “Task 2: Select
Object Types” on page 258)
2. In the same row as ‘Control’, click the Choose
Object Types link and select ‘Test Result’. (For
layout refer to pane "7" in Figure 11 on page 257.)
Note: Child object types can be at any level in the
object hierarchy. In this example, we are "skipping"
the ‘Test’ object type between ‘Control’ and ‘Test
Result’.
3. Specify Object Type Settings
(for details, see “Task 3: Specify
Object Type Settings” on page 259)
In the same row as ‘Test Result’, click the Select Sort
Criteria link and do the following:
1. Select the ‘Date Performed’ field from the list.
2. Set the selected field to ‘Ascending’.
(For layout refer to pane "7" in Figure 11 on page
257.)
Chapter 11. Managing the Home Page and Views for Objects
255
Table 46. Configuring a Sample "Control Assessment by Risk Activity" View (continued)
On this screen in the Activity
View Wizard...
4. Specify Field Settings
(for details, see “Task 4: Specify
Field Settings” on page 260)
Do this...
For each object type, click Choose Fields and select
the following fields (if necessary, clear the ‘Name’
field box as the name of the object is automatically
displayed in the pane title).
When finished with selecting fields, set the display
order of each field as shown and click Update Order.
v
Risks (all Read-only fields. For layout refer to
pane "4" in Figure 11 on page 257.)
– 1 Description
– 2 Inherent Risk Rating
– 3 Category
– 4 Subcategory
v
Control (mostly Read-only fields. For layout refer
to pane "6" in Figure 11 on page 257.)
– 1 Description
– 2 Domain
– 3 Control Type
– 4 Control Method
– 5 Design Effectiveness
– 6 Operating Effectiveness (writable)
v
Test Result (all Read-only fields. For layout refer
to pane "7" in Figure 11 on page 257.)
– 1 Description
– 2 Performed By
– 3 Reviewed By
– 4 Reviewer Conclusion
– 5 Date Performed
– 6 Test Result
– 7 Exceptions
– 8 Exception Description
5. Define Listing Columns
(for details, see “Task 5: Define
Listing Columns” on page 260)
Click Choose Fields and add the ‘Description’ field
to the listing pane for child Control objects.
Click Finish when done.
(For layout refer to pane "5" in Figure 11 on page
257.)
Once the "Control Assessment by Risk Activity" view is saved, it becomes available
as a selection in the Current View selection list at the top of a Risk object’s detail
page for that object type.
When a "Control Assessor" selects a particular risk for analysis and navigates to
the detail page of that Risk object, that user can then click the Current View arrow
and select the "Control Assessment by Risk Activity" view from the list of views.
When the "Control Assessment by Risk Activity" view is displayed on the page, the
"Control Assessor" could then view the child controls and test results associated
256
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
with that selected risk, discuss the test results (sorted by ‘Date Performed’ in
ascending order), and then update the ‘Operating Effectiveness’ field of that
Control object accordingly.
Related concepts:
“Limit activity views with field dependencies and dependent picklists” on page
782
In dependent picklists, the more fields in the picklist, the more javascript is
required to display the object to users.
The Layout of Activity Views
The layout of an Activity View page contains panes that are common to all views
and panes that are unique to Activity Views.
Figure 11 shows the basic layout of an Activity View page.
The panes labeled "1" and "2" in Figure 11 contain data common to all views, with
pane "3" containing a combination of common and unique view elements.
The panes labeled "4" through "7" in Figure 11 are unique to Activity Views. The
pane labeled "4" contains the fields (configured in the Activity View Wizard) for
the top-level object. Pane "5" displays the list of first-level child objects for the
selected top-level object. Data displayed in the listing pane is not editable.
When an object in the listing pane is selected, that object and its children are
displayed in hierarchical panes (panes "6" and "7" in Figure 11). Depending on the
configuration, fields in the top-level object pane and in the hierarchical panes can
be Read-only and/or editable.
Figure 11. Layout of an Activity View Page
The following numbered list describes the panes of an Activity View Page as they
are labelled in Figure eleven.
1. Header pane - contains common elements such as a logo, logon user name,
logout link, and the Reporting Period selector.
Chapter 11. Managing the Home Page and Views for Objects
257
2. Menu bar - a common element used as the main navigation tool for accessing
objects.
3. Navigation pane - contains breadcrumb links (common element) and the
Current View selector, which is displayed when multiple Object Views are
available.
4. Top-level Object Field pane - unique to Activity Views - contains fields
configured for the selected top-level object.
5. First-level Child Object Listing pane - unique to Activity Views - contains a list
of first-level child objects configured for the top-level object. If multiple
first-level child object types are configured, a selector box is displayed that
allows users to switch between object types.
6. Child Hierarchy pane for the selected first-level child object - unique to Activity
Views - contains fields configured for this object type.
7. Child Hierarchy pane for children of the selected child object - unique to
Activity Views - contains fields configured for this object type.
Task 1: Specify View Details
The text you enter in the Name field for this View is also the initial label text for
this view. If you want different label text to be displayed as the ‘name’ of this
Activity or Grid View to application users for selection in ‘Current View’ selection
list, make sure to enter text in the appropriate language translation field.
Procedure
1. In the Name field, type a name for this Activity or Grid View.
2. Click the Translate link and type the label text you want to be displayed to
users in the appropriate language field, and then click Apply.
Note: If you do not enter translated label text for the Name field, the text you
entered in Step 1 will be displayed to application users in the ‘Current View’
selection list.
3. When finished, click Next.
Task 2: Select Object Types
Activity or Grid Views will display up to three levels of objects (the top-level
object, list and detail panes for child objects, and objects under a selected child
object). You can choose child object types at any level in the hierarchy for display
in an Activity View.
Procedure
1. In the Actions column, click the Choose Object Types link in the row
containing the selected object type (for example, RiskAssessment) to which you
want to add child objects.
2. In the Choose Object Types box, select the box next to each child object type
you want to display (for example, Risk) under that object type. When finished,
click Apply.
3. If wanted, click the Choose Object Types link next to an associated object type
(from Step 2), and select any object types you want to display (for example,
Control) under that object type. When finished, click Apply.
4. When finished, click Next to continue.
258
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Task 3: Specify Object Type Settings
A path is a specific branch of objects through the hierarchy. For associated objects
that have multiple paths, you can choose which object paths you want to use to
return data for that object type.
When a single path exists between one object level and the next, you do not have
to select a path. Paths that loop back to the top-level object type are excluded from
the selection list.
Procedure
1. For associated objects that have multiple paths, do the following to specify the
paths through the object hierarchy by which associated data is retrieved:
a. Click the Choose Paths link under the Actions column in the row
containing the object type you selected in Task 1 (you may have to scroll
down the page to see it).
b. In the Choose Paths box, select or clear the box next to each object path
that you want the application to use or ignore for retrieving associated
object data.
c. When finished, click Apply.
The selected paths are listed under the Paths column.
2. To specify how the objects of a given type are sorted in a listing or child
hierarchy pane, click the Select Sort Criteria link under the Actions column in
the row of the object type that you want.
3. In the Specify Sort Criteria box:
a. In the Available Fields pane, select each object field that you want to sort
by.
Note: A sort field does not have to be displayed on a page in order to sort
a list or child hierarchy pane within the view.
b. Click the double arrows to move object fields forward (>>) and backward
(<<) between the Available Fields and the Selected Fields panes.
c. In the Selected Fields pane, select a sort field and do any of the following:
Click this icon...
(triangle up)
(triangle down)
If you want to...
Sort objects according to this field in
ascending order. This is the default setting.
Sort objects according to this field in
descending order.
(up arrow)
Move the field up in the list.
(down arrow)
Move the field down in the list.
d. When finished, click Apply.
The selected fields with their corresponding sort order are listed under the
Sort Criteria column.
4. To specify a filter for an object type, click the Choose Filter link under the
Actions column in the row of the object type that you want.
5. In the Choose Filter box:
a. Select the filter you want to use.
b. When finished, click Apply.
The selected filter is listed under the Filter column.
Chapter 11. Managing the Home Page and Views for Objects
259
6. When finished, click Next to continue.
Task 4: Specify Field Settings
You can choose the fields you want displayed in top-level and child hierarchy
panes.
Fields can be object fields, computed fields, and report fragment fields.
Procedure
1. To specify the display fields for an object type, click Choose Fields under the
object type.
a. In the Choose Fields selection box, select the box next to each field you
want to include.
b. When finished, click Apply.
2. Optionally, insert a section. For details, see “Using Section Headings” on page
263.
3. Optionally, change the display order of the fields. For details, see “Setting the
Display Order of Fields in a View” on page 247.
4. When finished, click Next to continue.
Task 5: Define Listing Columns
You can choose the fields you want displayed for table columns in a first-level
child listing pane.
Procedure
1. To specify the table columns for the pane in which associated objects are listed:
a. In the Choose Fields selection box, select the box next to each object field
you want to include as a table column. By default, the Name field is
selected.
b. When finished, click Apply.
2. Optionally, change the display order of the fields. For details, see “Setting the
Display Order of Fields in a View” on page 247.
3. When finished, click Finish.
Modifying an Activity View
When you modify an Activity View, you use the Activity View wizard to make
the required changes. Each step in the wizard becomes an active link so you can
go directly to that step and make the required changes.
Procedure
1.
Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type (for
example, RiskAssessment) you want to modify.
4. From the Object Views table listing, click the name of an Activity View you
want to modify to open the Activity View wizard.
5. Click a link in the left pane of the wizard that corresponds with the type of
change you want to make. Refer to “Creating Activity Views” on page 254 for
an overview of tasks.
6. When finished, click Save.
260
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Configuring Fields in Detail and Activity Views
For each Detail and Activity view that you configure for an object type within a
profile, you can select which fields you want to include or exclude in that view.
Fields can be object fields, computed fields, and report fragment fields.
When you include fields in a Detail or particular Activity view, the additional
fields are immediately visible to all users and are displayed in table rows on that
view page.
For Detail views, only the object fields that you configure are used by the Export
function (in .xls format) on a Filtered List View page (report fragment fields are
ignored).
Each object type has a set of predefined object fields that consist of both shared
and object-specific fields. The shared object fields (such as Name, Description,
Created By, and so forth) are common to all object types and belong to the ‘System
Field’ field group. With the exception of the Name field, which is required and
always in position 1, you can choose which system and object-specific fields to
include or exclude from an object view. In this way, you can tailor each view to
accommodate changing business needs
Including Fields in Detail and Activity Views
Before you can include a field in a Detail or specific Activity view, the field must
be visible in the object field list for selection.
Fields can be object fields, computed fields, and report fragment fields.
If the field is part of a field group, make sure you include the field group for the
selected object type. For details, see “Configuring Fields for Object Types” on page
223.
Note: When using dependent fields in a Detail or specific Activity view, make
sure to include both the controlling field and any required dependent fields. If the
controlling field that requires a user to select or enter a value in a dependent field
is included in a view and the required dependent field is excluded, the user will
not be able to complete the operation and the following error message will be
displayed, "A field not available to you has been made required by a field
dependency so you will be unable to continue with this operation."
When you include object fields in a Detail or Activity view for the selected object
type, the object fields are displayed as table rows in that view.
Although you cannot modify the parameters of the table itself, you can set a field
to span table columns.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. From the Object Views tab listing, select the view you want:
Chapter 11. Managing the Home Page and Views for Objects
261
For this type of view...
Do this...
Detail View
Click the Detail link.
Activity View
1. Click the name of the Activity view you
want.
2. In the left pane of the Activity View
wizard, click the Specify Field Settings
link.
5. To add fields to an object type:
a. Click Choose Fields for the object type you want.
b. In the Choose Fields selection box, select the box next to each field you
want to include.
c. When finished, click Apply or Save.
6. To modify the order in which the fields are displayed in the table rows on a
Detail or Activity view, see “Setting the Display Order of Fields in a View” on
page 247.
7. To format the field so it spans table columns, see “Spanning Table Columns” on
page 265.
Excluding Fields from Detail and Activity Views
When you exclude fields from either a Detail or specific Activity view for the
selected object type, the fields are removed from the table rows on that view page.
Fields can be object fields, computed fields, and report fragment fields.
With the exception of the required Name field, you can exclude any field from an
object view. For example, if you exclude the ‘Description’ object field from a
Filtered List View for an object type, the ‘Description’ table column and its
associated data are dynamically removed from the Filtered List view page and the
change is immediately visible to all users.
Note: If you exclude object fields that are referenced by JSP reports, the report
may fail or return unexpected results.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. From the Object Views tab listing, select the view you want:
For this type of view...
Do this...
Detail View
Click the Detail link.
Activity View
1. Click the name of the Activity view you
want.
2. In the left pane of the Activity View
wizard, click the Specify Field Settings
link.
5. To remove fields from an object type:
a. Click Choose Fields for the object type you want.
262
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
b. In the Choose Fields selection box, clear the box next to each field you
want to remove from this view.
c. When finished, click Apply or Save to effect the change.
Using Section Headings
Section headings are an optional formatting feature. You can use section headings
to delineate a set of fields on a page. Once a section heading is created, it can be
modified or deleted.
Inserting Section Headings
Before you create a section heading, you should identify where you want to insert
it on a Detail or Activity view page. A section heading is displayed on the view
page above whichever field you specify.
Fields can be object fields, computed fields, and report fragment fields.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. From the Object Views table listing:
v For the Detail view - click the Detail link.
v For an Activity view:
a. Click the name of the Activity view you want.
b. In the left pane of the Activity View wizard, click the Specify Field
Settings link.
5. To insert a section heading in the selected view:
a. Click Insert Section for the object type you want.
b. In the Section Information box:
In this field...
Do this...
Name
Required. Type a name for this section
heading.
Insert before field
Click the arrow and select a field from the
list. The section heading will be displayed
above the selected field.
language-specific (for example, Japanese)
Type a text string that will be used as the
translated display text label for this section
heading.
By default, if no translation text is entered,
the entry in the ‘Name’ field is displayed.
6. When finished, click Apply or Save to effect the change.
Modifying Section Headings
After you create a section heading, you can modify the label text used for
translation.
Chapter 11. Managing the Home Page and Views for Objects
263
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. From the Object Views table listing:
v For the Detail view - click the Detail link.
v For an Activity view:
a. Click the name of the Activity view you want.
b. In the left pane of the Activity View wizard, click the Specify Field
Settings link.
5. To modify a section heading in the selected view:
a. Click Insert Section for the object type you want.
b. On the object type tab, click the Edit link under the Actions column in the
row containing the section that you want to modify.
c. In the Section Information box, make the changes as wanted.
d. When finished, click Apply or Save to effect the change.
Deleting Section Headings
You can remove section heading that are no longer wanted. Once a section is
deleted, it is permanently removed from the system and cannot be restored.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. From the Object Views table listing:
v For the Detail view - click the Detail link.
v For an Activity view:
a. Click the name of the Activity view you want.
b. In the left pane of the Activity View wizard, click the Specify Field
Settings link.
5. To delete a section heading in the selected view:
a. On the object type tab, click the Delete link under the Actions column in
the row containing the section that you want to remove.
b. If prompted, click OK to effect the change.
c. For an Activity view, click Save to exit the wizard.
Setting Object Fields as Read-Only or Editable
You can configure object fields on an Object View page within a profile to be view
only or editable to users assigned that profile by either selecting or clearing the
Read-Only box for a field.
Note: Report fragment fields, computed fields, and certain system fields (such as
"Last Modified By," "Created By," "Creation Date" and so forth) are set, by default,
to Read-Only and cannot be changed.
264
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type you want
to modify (for example, SOXControlObjective).
4. Select a ‘Views’ tab, and click the name of the view link you want to modify
(for example, Detail) to open its detail page.
5. On the edit page for the selected object type, do the following in the row for
each object field you want to modify:
v To make a field non-editable - select the Read-Only box.
v To make a field editable - clear the Read-Only box.
6. When finished, click Save.
Spanning Table Columns
In Detail Views, Activity Views, and Context Views, fields are typically displayed
on the page in rows within a two-column table format. You can make a row
containing a field span table columns by configuring the Span Columns setting.
Note:
v For object fields with a ‘Text Area’ display type, you can configure the text box
size by setting the number of rows and columns. By default, the rows are set to
5, and the columns are set to 60.
v For report fragment fields with an ‘Automatic’ display type, you can configure
the cell height of the report element. By default, this is set to 235 pixels.
The Span Columns setting is displayed for all field display types and the process
of setting it is the same.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type
containing the object field you want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object, click the name of the field to
open its detail page (for example, Who Performs Control?).
5. On the Display Type Information table, click Edit.
6. On the edit page, click the Span Columns arrow and select a value from the
list:
v Select False if you want the row containing the field to be displayed within a
table column and not span the columns of the table.
v Select True if you want the row containing the field to span the columns of
the table.
7. When finished, click Save.
Configuring the Display Type for Reporting Fragment Fields
You can configure how report fragment fields are displayed to application users on
Detail and Activity View pages. Report fragment fields are always read-only fields.
Report fragment fields can be displayed as follows:
Chapter 11. Managing the Home Page and Views for Objects
265
v
Automatic - this setting embeds the report element directly into the cell for the
field and displays it as a view-only field on the page.
If wanted, you can also configure the cell height of the field. By default, it is set
to 235 pixels.
v
in the field that
On Demand - this setting displays a clickable icon
opens the report element in a pop-up window. For information on automatically
sizing pop-up windows, see “Setting Limits for Automatically Sized Reporting
Fragment Pop-up Windows” on page 336.
Note: Changing the display type setting will affect the display of this field in all
profiles.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type
containing the report fragment field you want to modify (for example,
SOXControl).
4. On the Object Fields table for the selected object type, click the name of a
report fragment field to open its detail page.
5. On the Object Field Information table:
a. Click Edit.
b. On the edit page, click the Display Type arrow and select a value from the
list.
c. When finished, click Save.
6. For Automatic display types only. If the display type is On Demand, skip this
step.
Optionally, modify the cell height of the report fragment field:
a. On the Display Type Information table, click Edit.
b. On the edit page, modify the number of pixels in the Cell Height box.
c. When finished, click Save.
7. To make the row with the report fragment field span table columns, see
“Spanning Table Columns” on page 265.
Related tasks:
“Display reporting fragments only on demand” on page 784
These reporting fragments can be displayed automatically when an end user views
the page or on-demand when a user explicitly would like to see the reporting
fragment. Set reporting fragments to display only on demand to improve
performance of the Cognos server and database instance.
Configuring Display Types for Simple String Fields
For object fields that have a Simple String data type, you can configure how string
data displays to users on an object’s details page. The display types for Simple
String data fall into two basic categories: selector types for displaying users and/or
groups, and text area display types for displaying text and URL information.
Note: Changing the display type setting will affect the display of this field in all
profiles.
266
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Selecting a Display Type for Simple String Fields
This is the procedure to select a display type for object fields that have a Simple
String data type.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type
containing the object field you want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object type, click the name of the
object field to open its detail page.
5. On the Object Field Information table, click Edit.
6. On the edit page:
a. To make the field required, select the Required box.
b. To select a different display type, click the Display Type arrow and select a
value from the list:
v For user or group selector display types, see “Configuring User and
Group Selector Display Types for Simple Strings” on page 269.
v For a rich text display type, see “Configuring Rich Text Display Types for
Simple Strings.”
v For a box and URL display types, see “Configuring Text and URL Display
Types for Simple Strings” on page 268.
v For a plain text area display type, see “Configuring Text Area Display
Types for Simple String Data Types” on page 269.
7. To have a row with a field span table columns, see “Spanning Table Columns”
on page 265.
8. When finished, click Save.
Results
Note: To change a field to Read-Only, see “Setting Object Fields as Read-Only or
Editable” on page 264.
Configuring Rich Text Display Types for Simple Strings
The Rich Text display type provides a text display area with a toolbar and
commands for text formatting and word processing. The toolbar can be minimized
or expanded.
When this feature is used, you may not be able to enter 4000 rich text characters
into the text display area because of the space used for formatting and multi-byte
characters.
Note: When generating reports in PDF format, rich text fields do not render
properly and the format is not preserved.
To modify these settings, click Edit on the Display Type Information tab.
You can configure the size of the display area with the following settings:
Chapter 11. Managing the Home Page and Views for Objects
267
Table 47. Rich Text Display Settings
Setting
Description
Rows
The display length of the area, which includes the rich text editor
interface and text input area.
The default value is 250 rows.
To change the value, type a number in the box.
Row Units (pixels or
percent)
The unit of measure in pixels or percent for the Rows setting.
The default value is "Percent".
To change the value to "Pixels", select the Pixels button.
Columns
The percent or number of pixels allocated to the width of the
display area, which includes the rich text editor interface and text
input area.
The default value is 100 percent.
To change the value, type a number in the box. To change the unit
of measure, use the Column units setting.
Column units
The unit of measure in pixels or percent for the Columns setting.
The default value is "Percent".
To change the value to "Pixels", select the Pixels button.
For instructions on how to configure a display type for a String data type object
field, see “Configuring Display Types for Simple String Fields” on page 266.
Configuring Text and URL Display Types for Simple Strings
The Text and URL display types provide a box area in which users can enter a
string value. For these display types, you can control the length of the display box
and the number of characters users can enter for a string value.
Note: The URL display type validates that the internet address is a fully-qualified
URL internet address (for example, http://www.mycompany.com or
ftp://ftp.myftpsite.com) and will display an error message to the user if the format
of the internet address is incorrect.
To modify these settings, click Edit on the Display Type Information tab.
For Text and URL display types, you can configure the following settings:
Table 48. Text and URL Display Settings
Setting
Description
Columns
The display length of the box area.
The default value is 30.
To change the value, type a number in the box.
268
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 48. Text and URL Display Settings (continued)
Setting
Description
Maximum Length
The maximum number of bytes allowed to be entered for a string
value.
The default value is 4000.
To change the value, type a number in the box.
For instructions on how to configure a display type for a String data type object
field, see “Configuring Display Types for Simple String Fields” on page 266.
Configuring Text Area Display Types for Simple String Data
Types
The Text Area display type provides a box display area in which users can enter
either plain or HTML-formatted text.
To modify these settings, click Edit on the Display Type Information tab.
You can configure the size of the display area with the following settings:
Table 49. Text Area Display Settings
Setting
Description
Rows
The display length of the box area.
The default value is 5 rows.
To change the value, type a number in the box.
Columns
The display width of the box area.
The default value is 60.
To change the value, type a number in the box.
For instructions on how to configure a display type for a simple string data type
object field, see “Configuring Display Types for Simple String Fields” on page 266.
Configuring User and Group Selector Display Types for
Simple Strings
You can configure a User, Group, User/Group, Multi-Valued User, Multi-Valued
Group, or Multi-Valued User/Group Selector display type for a Simple String data
type object field.
User and Group Selectors
An object field that has a selector display type allows an application user to click
either the field box or the user or group icon to display a pop-up dialog box from
which they can select users or groups.
Object fields with a display type of User Selector or Multi-Valued User Selector
only accept user names as valid values. For example, ‘Control Owner’ is an object
field for the Control object.
Chapter 11. Managing the Home Page and Views for Objects
269
The following selector display types are available for Simple String data types:
Table 50. User and Group Display Settings
Selector Display Type Description
User Drop-down
Provides an arrow that users can click to display a drop-down
list box of user names.
User Selector
Provides the following:
that users can click to display a phonebook style
v A user icon
pop-up dialog box of user names. For configuration details see,
“Controlling User Selector Performance” on page 272 and
“Modifying User and Group Selectors” on page 273.
v A magnifying glass icon
that users can click to display a
search pop-up dialog box to search for a user.
Group Selector
Provides the following:
that users can click to display a pop-up dialog
v A group icon
box of group names listed in a hierarchical tree structure.
v A magnifying glass icon
that users can click to display a
search pop-up dialog box to search for a group.
User/Group Selector
Provides a group icon
that users can click to display a pop-up
dialog box of user names listed in a hierarchical tree structure
under the group to which the user belongs.
Multi-Valued User
Selector
Provides the ability for users to add multiple users from the
hierarchical tree structure or from the search pop-up dialog box.
Similar to the User Selector.
Multi-Valued Group
Selector
Provides the ability for users to add multiple groups from the
hierarchical tree structure or from the search pop-up dialog box.
Similar to the Group Selector.
Multi-Valued
User/Group Selector
Provides the ability for users to add multiple users or multiple
groups from the hierarchical tree structure. Similar to the
User/Group Selector.
Depending on the selector display type, you can configure some or all of the
following settings.
To modify these settings, click Edit on the Display Type Information tab.
Note: These settings are also applied to the User and Group Search function.
270
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 51. Additional Selector Display Type Settings
Setting
Description
Include Disabled
Allows or disallows disabled user accounts to be
included in a selector listing.
If the Include Disabled value is set to:
v True - disabled user accounts are included in the
selector listing. When this setting is selected, the
Minimum Access setting is disabled.
v False - disabled user accounts are excluded from
the selector listing. When this setting is selected,
the Minimum Access setting is enabled.
Note: This setting generally applies to User (not
Group) selectors.
Starting Group
Controls which group displays at the beginning of
the selection hierarchy.
To select a starting group, click the group icon and
select a valid group name from the selector window.
For example, if you are using role-based security, you
could select the Security Domains group, for non
role-based security, you could select the Workflow,
Reporting and Others group.
Include Subgroups
Controls whether subgroups are included or excluded
from the User selector listing.
Note: This setting applies only to the User/Group
and Group selectors.
If the Include Subgroups value is set to:
v True - subgroups are included in the selector
listing.
v False - subgroups are excluded from the selector
listing.
Chapter 11. Managing the Home Page and Views for Objects
271
Table 51. Additional Selector Display Type Settings (continued)
Setting
Description
Minimum Access
This setting is enabled only if the Include Disabled
value is set to False. This setting allows you to filter
users based on access control list settings on an
object’s folder.
v Read
v Write
v Delete
v Associate
For example, you want to limit the number of users
who can be assigned as a Process "Cycle Owner",
which is an object field with a user selector display
type for the Process object. Because you previously
set up an access control list (ACL) for one or more
groups or users to the Process folder, you can use the
Minimum Access setting to filter the list of users. If
you only wanted users with "Delete" permissions to
be displayed on the user selector list, you can select
the "Delete" Minimum Access setting to filter and
display only those users with "Delete" ACL
permissions.
If the Read box is:
v Selected - only users with Read access are
displayed on the user list.
v Cleared - no filtering occurs.
If the Write box is:
v Selected - only users with Write access are
displayed on the user list.
v Cleared - no filtering occurs.
If the Delete box is:
v Selected - only users with Delete access are
displayed on the user list.
v Cleared - no filtering occurs.
If the Associate box is:
v Selected - only users with Associate access are
displayed on the user list.
v Cleared - no filtering occurs.
Related tasks:
“Set a minimal starting group for display types” on page 785
IBM OpenPages administrators can change the starting groups for display types to
minimize the number of users that are initially displayed.
Controlling User Selector Performance
If your deployment has a large number of users, the performance of the User
Selector or the Multi-Valued User Selector in opening and loading data may be
sluggish. One way to improve the performance of the User Selector or the
Multi-Valued User Selector is to configure it so it only retrieves users that have
permission on the object being edited.
The supplied profiles in the OpenPages application are configured such that the
User Selector or Multi-Valued User Selector pop-up will retrieve all users in the
system - including some application users who do not have security permissions
on the selected object. This may result in the assignment of a user as ‘owner’ on an
object when the user does not have read access on the object.
272
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The following steps explain how to restrict the set of users retrieved by the User
Selector or the Multi-Valued User Selector to those users that have access
permissions on the object being edited at the time.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type
containing the object field you want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object, click the name of the object
field with the User Selector display type to open its detail page (for example,
‘Control Owner’).
5. On the Display Type Information tab, click Edit.
6. On the edit page:
a. Under Minimum Access, select the Read box. This will restrict the users
that are displayed in the User Selector to the set of users that have read
permission on the object.
b. If wanted, select other permissions to further restrict the users that are
available in the User Selector based on the users' permissions.
7. When finished, click Save.
Modifying User and Group Selectors
The pop-up dialog box for the User and Multi-Valued User Selectors displays user
names in a phonebook style, and you can configure the number of users per
category within the phonebook. Groups appear in a hierarchical tree style.
If wanted, you could also configure the selector display types to open a search box
instead of a phonebook style box (see “Configuring a User or Group Selector to
Use the Search Function” on page 320).
For all the selector display types, you can configure additional display information
for users, such as the user’s e-mail address or first or last name.
Modifying the Phonebook:
The User Selector and Multi-Valued User Selector display user names in a
phonebook style pop-up dialog box. User names within the phonebook are
grouped into data buckets.
Each data bucket has the following characteristics:
v The names of the first and last users in a given bucket are used to show the
scope of the bucket.
v The user names in a bucket can be expanded by clicking the plus sign, or
collapsed by clicking the minus sign.
v The size of a bucket can be configured through the Bucket Size setting. For
configuration details see, “Configuring the Bucket Size of the Phonebook” on
page 318.
Modifying the Selector Dialog Box:
You can show additional information (such as a user’s email address, first name,
and last name) in the pop-up dialog box used for selecting users and groups.
Chapter 11. Managing the Home Page and Views for Objects
273
You can add one or more additional columns by configuring the Display setting.
For configuration details see, “Configuring Display Columns in a Selector Dialog
Box” on page 319.
By default, only the Name and Description columns are displayed in this selection
box. You cannot change or remove the Name column - it is always the first column
and contains the Username of a user or group.
If wanted, you can also change the format of the bucket heading for a locale. For
configuration details see, “Modifying the Bucket Heading Format of the
Phonebook” on page 287.
Configuring Display Types for Long String Fields
For object fields that have a long string data type, you can configure how long
string data displays to users on an object’s details page.
There are two sub types of long text fields: medium and large. The size of medium
long text fields is fixed to 32KB. The size of the large long text fields is set by
default to 256KB, but that can be increased by changing the OpenPages | Platform
| Repository | Resource | Large Text | Maximum Size setting.
Be aware of the space used for non-printing characters (such as tabs and line
breaks), and formatting and multi-byte characters (Rich Text display types). These
may cause the data to exceed the size of the long string field, resulting in a
message such as:
OP-03381: The specified value for "MyMediumLong" is too long. The 32966
characters entered (32966 bytes) exceeds the maximum size of 32768 bytes.
Reduce the number of characters and re-enter the text. Note that character
count includes non-printing characters, such as spaces, tabs, and line
breaks.
The display types for medium long string data are: On Demand, On Demand Rich
Text, Text Area, and Rich Text.
The display types for large long string data are: On Demand, and On Demand
Rich Text.
Both medium and large long string fields default to the On Demand display type.
Note: Changing the display type setting will affect the display of this field in all
profiles.
For more information on long text fields, see “Data Types” on page 150.
Selecting a Display Type for Long String Fields
This is the procedure to select a display type for object fields that have a Long
String data type. You can configure how both medium and large long string data
displays to users on an object’s details page.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
274
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
3. From the Object Types table listing, click the name of the object type
containing the object field you want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object type, click the name of the
object field to open its detail page.
5. On the Object Field Information table, click Edit.
6. On the edit page:
a. To make the field required, select the Required box.
b. To select a different display type, click the Display Type arrow and select a
value from the list:
v For On Demand and On Demand Rich Text, see “Configuring the On
Demand Display Types for Long String Fields.” This applies to both
medium and large long string fields.
v For a Text display type, see “Configuring Text Display Types for Medium
Long String Fields” on page 276. This applies only to medium long string
fields.
v For a Rich Text display type, see “Configuring Rich Text Display Types
for Medium Long String Fields” on page 276. This applies only to
medium long string fields.
7. When finished, click Save.
Results
Note: To change a field to Read-Only, see “Setting Object Fields as Read-Only or
Editable” on page 264.
Configuring the On Demand Display Types for Long String
Fields
You can configure how long string fields are displayed On Demand and On
Demand Rich Text to application users on Detail and Activity View pages.
Long string fields can be displayed as On Demand or On Demand Rich Text. Both
settings allow users to edit the field in a pop-up window. On Demand displays
text. On Demand Rich Text displays the data in rich text format.
The On Demand Rich Text display type provides a text display area with a toolbar
and commands for text formatting and word processing. The toolbar can be
minimized or expanded. When this feature is used, be aware of the space used for
non-printing, formatting, and multi-byte characters. These may cause the data to
exceed the size of the long string field, resulting in a message such as:
OP-03381: The specified value for "MyMediumLong" is too long. The 32966
characters entered (32966 bytes) exceeds the maximum size of 32768 bytes.
Reduce the number of characters and re-enter the text. Note that character
count includes non-printing characters, such as spaces, tabs, and line
breaks.
Note:
v When generating reports in PDF format, rich text fields do not render properly
and the format is not preserved.
v Changing the display type setting will affect the display of this field in all
profiles.
Chapter 11. Managing the Home Page and Views for Objects
275
In Detail Views and Activity Views, fields are typically displayed on the page in
rows within a two-column table format. To make the row containing the field span
the table columns, see “Spanning Table Columns” on page 265.
Configuring Text Display Types for Medium Long String Fields
The Text display type provide a box area in which users can enter a medium long
string value. For these display types, you can control the length of the display box
and the number of characters users can enter for a string value.
Note: This only applies to medium long string fields.
To modify these settings, click Edit on the Display Type Information tab.
For the Text display type, you can configure the following settings:
Table 52. Text Display Settings
Setting
Description
Rows
The display length of the box area.
The default value is 25 rows.
To change the value, type a number in the box.
Columns
The display width of the box area.
The default value is 60.
To change the value, type a number in the box.
Span Columns
In Detail Views and Activity Views, fields are typically displayed
on the page in rows within a two-column table format. You can
make a row containing a field span table columns by configuring
the Span Columns setting.
The default is true.
When true, the row containing the field will span the columns of
the table.
When false, the row containing the field will be displayed within a
table column and not span the columns of the table.
For instructions on how to configure a display type for a String data type object
field, see “Configuring Display Types for Long String Fields” on page 274.
Configuring Rich Text Display Types for Medium Long String
Fields
The Rich Text display type provides a text display area with a toolbar and
commands for text formatting and word processing. The toolbar can be minimized
or expanded.
When this feature is used, be aware of the space used for non-printing, formatting,
and multi-byte characters. These may cause the data to exceed the size of the
medium long string field, resulting in a message such as:
276
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
OP-03381: The specified value for "MyMediumLong" is too long. The 32966
characters entered (32966 bytes) exceeds the maximum size of 32768 bytes.
Reduce the number of characters and re-enter the text. Note that character
count includes non-printing characters, such as spaces, tabs, and line
breaks.
Note: When generating reports in PDF format, rich text fields do not render
properly and the format is not preserved.
To modify these settings, click Edit on the Display Type Information tab.
You can configure the size of the display area with the following settings:
Table 53. Rich Text Display Settings
Setting
Description
Rows
The display length of the area, which includes the rich text editor
interface and text input area.
The default value is 250 rows.
To change the value, type a number in the box.
Row Units (pixels or
percent)
The unit of measure in pixels or percent for the Rows setting.
The default value is "Percent".
To change the value to "Pixels", select the Pixels button.
Columns
The percent or number of pixels allocated to the width of the
display area, which includes the rich text editor interface and text
input area.
The default value is 100 percent.
To change the value, type a number in the box. To change the unit
of measure, use the Column units setting.
Column units
The unit of measure in pixels or percent for the Columns setting.
The default value is "Percent".
To change the value to "Pixels", select the Pixels button.
Span Columns
In Detail Views and Activity Views, fields are typically displayed
on the page in rows within a two-column table format. You can
make a row containing a field span table columns by configuring
the Span Columns setting.
The default is true.
When true, the row containing the field will span the columns of
the table.
When false, the row containing the field will be displayed within a
table column and not span the columns of the table.
For instructions on how to configure a display type for a long string data type
object field, see “Configuring Display Types for Long String Fields” on page 274.
Chapter 11. Managing the Home Page and Views for Objects
277
Configuring Display Types for Enumerated Strings
For object fields that have an Enumerated String data type, you can configure how
enumerated string data displays to users on an object’s details page. The display
types for Enumerated String data include lists, radio buttons, and check boxes.
Note: Changing the display type setting will affect the display of this field in all
profiles.
Selecting a Display Type for Enumerated Strings
This is the procedure to select a display type for object fields that have an
Enumerated String data type. Enumerated strings can be displayed as lists, radio
buttons, or check boxes.
Procedure
1. Access the Profiles page (see “Accessing Profiles” on page 218).
2. From the list, click the name of a profile to open its detail page.
3. From the Object Types table listing, click the name of the object type
containing the object field you want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object type, click the name of the
object field to open its detail page.
5. On the Object Field Information table, click Edit.
6. On the edit page:
a. To make the field required, select the Required box.
If a field is not required, to provide the ability to enter an empty value in
the field:
v For radio buttons, a None option is automatically added to the set of
radio buttons.
v For check boxes, the user would clear all check boxes.
v For lists, an empty selection is added to the list of choices.
When None is selected in a set of radio buttons, all check boxes are cleared,
or the empty option in a list is selected, the value for the enumerated field
will be blank.
Note: Field dependencies may mean a field is required even if Required is
not selected. For details on field dependencies, see “Configuring Dependent
Field Behavior” on page 206.
The None label can be changed and localized in the Application Text |
Labels | com.label.enum.selection.none setting. For details on changing
application text, see “About Application Text” on page 284.
b. To select a different display type, click the Display Type arrow and select a
value from the list.
Select List to set the display as a list. Lists can be single selection or
multiple value selection, depending on the multi-value setting for the field.
Select Radio Button/Checkbox to set the display type as radio buttons or
check boxes. If the field is defined as multi-value, the display will use
check boxes. If multi-value is not selected for the field, the display will use
radio buttons.
For details on enumerated string data types, see “Data Types” on page 150.
278
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 12. Localizing Text
This chapter describes the administrative interface that you can use to manage
localized text that displays to users for predefined object types, object fields that
are supplied by OpenPages or created by you, and application objects.
Localization Overview
You can localize display text for object types and fields, and for a variety of
application objects and custom return values.
About Locale Codes
The IBM OpenPages application provides translation support in several languages
for predefined object text. Each supported language has a corresponding locale
code that is listed under the object text. The locale code consists of a language code
(for example, "fr" for French) and a country or region code (for example, "FR" for
France).
The following table lists the supported languages with their corresponding locale
code.
Table 54. Supported Languages and Locale Codes
Language
Locale Code
German
de_DE
U.S. English
en_US
U.K. English
en_GB
Spanish
es_ES
French
fr_FR
Italian
it_IT
Japanese
ja_JP
Brazilian Portuguese
pt_BR
Simplified Chinese
zh_CN
Traditional Chinese
zh_TW
Report Design Language
Note: Users authoring reports in the reporting tool
must select this language prior to creating or
modifying reports.
en_CA
The default language for object text that has not been translated is U.S. English.
You can globally set a default language in which the application user interface will
be displayed to users and optionally enable auditing of translation label changes.
For details see “Setting Localization Options” on page 347.
Configuring Client Systems to Display Asian Characters
You can install the East Asian language pack on Windows client machines.
279
Note: For users who will be using the Japanese locale, client machines must have
the Windows East Asian language pack installed. If this pack is not installed, IBM
OpenPages application users will notice that the browser title bar and some
pop-up messages will contain unreadable characters.
Procedure
1.
2.
3.
4.
5.
Click Start and select Control Panel.
Double-click Regional and Language Options to open its properties.
Click the Languages tab.
Select the Install files for East Asian languages option.
Click OK and follow the on-screen directions.
Language and locale support
If you are using IBM OpenPages in a language other than English, this information
will help you to understand the language and locale settings.
Web browser language preference
The web browser language preference is the setting that you choose to specify the
language that web pages can be displayed in. The web browser language
preference affects only the OpenPages login page. The web browser language
preference does not affect number and date formatting in IBM OpenPages.
If the web browser language preference is set to a language other than one of the
following languages, be aware that the OpenPages login page appears in English:
v German
v Spanish
v French
v Italian
v Japanese
v Portuguese
v Chinese
v English
Locale setting
The Locale list contains a list of product languages. This language setting controls
the language of the product except for the login page.
Data formatting and report languages are available in the following cultures in the
Locale list:
Table 55. Languages in the Locale list and the cultures that they represent
280
Language in the Locale list
Culture
French
French (France)
German
German (Germany)
Italian
Italian (Italy)
Japanese
Japanese (Japan)
Portuguese
Portuguese (Brazil)
Spanish
Spanish (Spain)
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 55. Languages in the Locale list and the cultures that they represent (continued)
Language in the Locale list
Culture
Simplified Chinese
Chinese (China)
Traditional Chinese
Chinese (Taiwan)
U.K. English
English (UK)
U.S. English
English (US)
Considerations for specific languages
When OpenPages is set to use U.S. English, dates are formatted as mm/dd/yy. For
example, January 3, 2013, is formatted as 1/3/13 rather than 03/01/2013 in U.K.
English.
When OpenPages is set to use Spanish (Spain), numbers are formatted as
123.456,78, where the period is a thousands separator and the comma is used as a
decimal separator. For example, the number twelve thousand and five hundred is
formatted as 12.500 in Spanish (Spain) rather than 12,500 in Spanish (Mexico).
In several cultures, the convention is to place the currency symbol to the right of
the number. In OpenPages, currency symbols are always displayed to the left of
the number.
Date formatting can be unconventional as well.
Localizing Object Text
About Object Text
Object text is the descriptive label name that displays in the application for object
types and object fields. You can translate and modify object text for a specific
locale.
For a list of supported locales, see the topic, “About Locale Codes” on page 279.
You can modify the following object text for a locale:
v The singular and plural labels that display the name of an object type (for
example, "Risk" and "Risks" for the Risk object type) or custom form (such as a
survey) wherever that object type appears in the application. For details see,
“Modifying Display Text for an Object Type” on page 282.
v A singular label that displays:
– The name of an object field in an object view.
For example, if you had an object field called "Impact" that displayed the
label text "Impact", you could change the label text to display "Severity of
impact" instead.
– The value or values of an enumerated object string that are displayed on an
object’s details page.
Note: Object text has a 4000 character maximum per label.
Object text is grouped primarily by object type with an additional group for
unassigned field groups.
Chapter 12. Localizing Text
281
For example, the SOXControl group contains the label text for the Control object
and its related field groups.
The Unassigned Field Groups group contains the label text for field groups that
are either not assigned to an object type or are commonly used by all object types,
such as System Fields, Currency Attributes, Publishing, and so forth.
Accessing the Object Text Page
To access the Object Text menu item, you must have the Object Text application
permission set on your account.
For details, see “Configuring Application Permissions” on page 21.
Procedure
Log on to the IBM OpenPages application as a user with the Object Text
application permission set.
2. From the menu bar, select Administration and click Object Text.
1.
Results
From the Object Text page, you can:
v View a list of all the available object types and associated field groups with their
corresponding locale text labels.
v Access the label detail page of an object type where you can modify its
locale-specific object text label.
v Access the label detail page of an object field where you can modify its
locale-specific object text label.
v Access the label detail page of a public filter where you can modify its display
name on the various lists (such as pull-down menus or tables).
Modifying Display Text for an Object Type
You can modify the value for the singular and plural forms of the displayed label
text for any object type or custom form object type (such as a survey). These labels
appear in the IBM OpenPages application interface wherever the particular object
type displays, such as on a menu (for object types) or in object views.
Procedure
1. Access the Object Text page (see “Accessing the Object Text Page”).
2. On the Object Text page, click the name of the object type you want to modify
(for example, SOXRisk).
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the Locale Code detail page, make the required changes in the Singular
Label box and Plural Label box to the display label text as needed.
5. When finished, click Save.
6. To modify other locale-specific labels for this object type, repeat Steps 3 through
5.
282
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Modifying Display Text for Object Fields
You can modify the value of the displayed label text for any object field, including
field guidance. These labels appear in the IBM OpenPages application interface
wherever the particular object type displays in an object view, such as a detail or
folder view page.
If the object field is an enumerated string data type, each string value is also
displayed and can be modified as needed.
Procedure
1. Access the Object Text page (see “Accessing the Object Text Page” on page 282).
2. On the Object Text page:
a. Click the plus sign next to the object type you want (this will expand its
contents).
b. Under the selected object type, click the plus sign next to the field group
you want.
c. Under the selected field group, click the name of the object field that you
want to modify. If this is an enumerated string, go to Step 8.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the Locale Code detail page, make the required changes:
a. In the Label box, change the display label text as needed.
b. In the Guidance box, change the text as needed. This text is displayed
when a user clicks the question-mark icon on an object’s edit or add page.
c. When finished, click Save.
5. To modify other locale-specific labels for this object field, repeat Steps 3
through 6.
6. To modify enumerated string values:
a. On the Object Text page, click the plus sign next to the enumerated object
field you want (this will expand its contents).
b. Click the name of the value that you want to modify.
c. Repeat Steps 4-5.
Modifying Display Text for Public Filters
You can modify the value of the displayed label text for public filters. In a Filtered
List View, the label text for filters is typically displayed under "Public filters" in the
filters list.
Procedure
1. Access the Object Text page (see “Accessing the Object Text Page” on page 282).
2. On the Object Text page:
a. Click the plus sign next to the object type you want to expand its contents.
b. Under the selected object type, click the plus sign next to the Filters
icon to expand its contents.
c. Click the name of the filter that you want to modify.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the Locale Code detail page, make the required changes:
a. In the Label box, change the display label text as needed.
Chapter 12. Localizing Text
283
b. In the Guidance box, change the text as needed. This text is displayed
when a user clicks the question-mark icon on an object’s edit or add page.
c. When finished, click Save.
5. To modify other locale-specific labels for this filter, repeat Steps 3 and 4.
Localizing Application Text
About Application Text
Application text is the descriptive label name that displays for objects such as
buttons, table headings and columns, and system object fields that are commonly
used throughout the application.
Application text is considered "static", which means that its label is unlikely to
change over time. You can modify application text that is specific to a locale (see
the topic, “About Locale Codes” on page 279 for a list of supported locales).
You can modify locale-specific application text for:
v A singular label that displays the name of an application object - see the
following table for a list of object categories.
v The format for the display of names and numeric data. For details see,
“Modifying User Display Formats” on page 286.
Note: Application text has a 4000 character maximum.
The following table shows the groupings for application text by folder category.
Table 56. Application Text Folder Categories
This folder...
Contains the label text for...
Application Messages
Messages that are displayed for dependent fields and picklists, and
System Admin Mode.
Buttons
The buttons used within the application.
For example, com.button.back contains the text for the "Back"
button, button.copy contains the text for the "Copy" button.
Column Headings
The table column headings used in the various object views
throughout the application and in JSP Notification Manager
reports.
For example, com.column.heading.start.date contains the text for
the "Start Date" column, jspreports.notification.tests.column.parent
contains the text for the "Parent" column in the JSP Notification
report.
Custom
User-defined keys. For details, see “Using the Custom Folder” on
page 290.
Exceptions
Messages that are displayed to users when an error condition
occurs.
For example, com.exception.object.profile.not.found contains the
text for the error message displayed when a profile is not found,
exception.file.delete contains the text for the error message
displayed when a user does not have permission to delete a file.
Formats
284
The formatting of numeric and name display text. For details, see
“Modifying User Display Formats” on page 286.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 56. Application Text Folder Categories (continued)
This folder...
Contains the label text for...
Labels
Objects that are generally not considered objects, such as
administrative, task, and configuration objects.
For example, com.label.acl.read contains the text for the "Read"
property on the Access Control details page, com.label.email
contains the text displayed next to the email input box on the User
create and edit pages.
Menu Items
Links to all other menu items that are not listed on the menu bar.
For example, com.menu.item.admin.object.profile contains the text
for the ‘Profile’ link on the Administration menu,
com.menu.item.admin.reporting.schema contains the text for the
"Reporting Schema" link on the Administration menu.
Miscellaneous
A variety of objects that do not belong to other groups. Includes
label text for such objects as guided action, page footer, reporting
status, notification messages, and so forth.
Reporting Framework Objects that are used by the Reporting Framework.
Table Headings
Messages that are displayed to users within a table as well as the
tabs (tabular headings for a table).
For example, com.table.empty.users contains the text that displays
in the User listing table when no users are found,
com.table.heading.object.field contains the text for the "Object Field
Information" tab on the Object Field details page.
Titles
The initial portion of the breadcrumb trail.
Validation Messages
Messages that are displayed to users when invalid information has
been entered in a field or to confirm a specific user action such as
entering or exiting System Administration Mode or deleting any
objects.
For example, com.validation.logon.username.required contains the
message text displayed when a user name is missing such as when
it is created or when a user logs on, file.delete.confirmText contains
the text in the confirmation prompt window that displays during a
delete operation.
Workflow
Workflow related job names, task names, task descriptions, and
arrow labels (originating from task nodes).
Accessing the Application Text Page
To access the Application Text menu item, you must have the Application Text
application permission set on your account.
For details, see “Configuring Application Permissions” on page 21.
Procedure
1.
Log on to the IBM OpenPages application as a user with the Application Text
application permission set.
2. From the menu bar, select Administration and click Application Text.
Chapter 12. Localizing Text
285
Results
From the Application Text page, you can:
v View a list of the various object types with their corresponding object fields.
v Access the detail page of an object field where you can modify its locale-specific
object text label.
About Modifying Display Text in the Application User Interface
You can modify the value of the displayed label or text for any application object
(such as buttons, labels, report names and descriptions, messages) in the IBM
OpenPages application user interface.
Changes to the displayed text appear wherever the particular object is displayed in
the application.
Note: The process for modifying display text is the same for all application objects,
including reports.
Note:
v The ‘Miscellaneous’ folder typically contains a listing of report name and
description keys for localizing the display text of reports that were automatically
published by the system. For information about automatically publishing
Cognos reports, see “Adding Reports” on page 125.
v For reports that were manually published from the IBM OpenPages server and
require localized display text on the application user interface for multiple
languages, keys will need to be added to the ‘Custom’ folder (see “Using the
Custom Folder” on page 290).
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285).
2. On the Application Text page:
a. Navigate to the folder that contains the label of the object field you want to
modify (for example, ‘Buttons’ or ‘Miscellaneous’), and click the plus sign to
expand the folder contents.
b. Click the name of the object field or key you want to modify.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US or ja_JP).
4. On the Locale Code details page, make the required changes in the Label box
to the display label text as needed.
5. When finished, click Save.
6. To modify other locale-specific labels for this object field, repeat Steps 3-5.
Modifying User Display Formats
You can globally change the display format for certain object fields. The most
commonly used formats are described here. For information about other format
settings, contact your IBM representative.
The format string uses Java code. Generally, the {0} in the format string is a
variable that is replaced by the name of the target object.
286
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Modifying the Bucket Heading Format of the Phonebook
You can modify the format of the bucket heading in the phonebook style pop-up
box of the User selector for a locale.
Note: If wanted, you can also modify the bucket size of the phonebook. For more
information, see “Configuring the Bucket Size of the Phonebook” on page 318.
Procedure
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285).
2. On the Application Text page:
a. Navigate to the Formats folder, and click the plus sign to expand the folder
contents.
b. Click the com.user.bucket.name.format link to open its detail page.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the detail page, modify the format in the Singular Label box. The default
format is {0} - {1}.
5. When finished, click Save.
6. To modify the bucket heading for another locale, repeat Steps 3 - 5.
Example
To display a bucket heading with the name of the first person in the bucket
followed by a dash and then the name of the last person in that bucket, you would
enter the following codes in the Singular Label field: {0} - {1}.
Modifying the User Name Format
You can control how user names are displayed for a locale. By default, only the
user name displays.
When you change the display name format, the change occurs throughout the
application wherever the person’s name displays. For example, if you modified the
name format so that the last name of the person was followed by the person’s first
name, that modified name format displays in the top menu bar, user selector and
search result boxes.
Note: If an invalid format string is defined, only the user’s logon name will be
displayed.
Procedure
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285).
2. On the Application Text page:
a. Navigate to the Formats folder, and click the plus sign to expand the folder
contents.
b. Click the com.display.name.format link to open its detail page.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the detail page, modify the format in the Singular Label box as follows:
Chapter 12. Localizing Text
287
To display this name
format...
Type this code...
Comments
User name
%NM;
By default, displays the logon name of a
User. If other values are entered, the logon
name appears within brackets.
First Name
%FN;
Displays information from the "First name"
object field on a User Information page.
Last Name
%LN;
Displays information from the "Last name"
object field on a User Information page.
Email
%EM;
Displays the email address of a user from
the "Email" object field on a User
Information page.
5. When finished, click Save.
6. To modify the bucket heading for another locale, repeat Steps 3 - 5.
Example
To display the first and last name of users, you would enter the following codes in
the Singular Label box: %FN; %LN;.
The user name displays within brackets when the first and last names are used.
Modifying Navigational Link Formats
You can modify the link format of items that are listed on menus for each locale.
Under the various menu headings on the menu bar, Overview menu item links are
typically listed before the other object view links. With the exception of Overview
object links and the Business Entities link (which is a List view), all other object
types have Filtered List View and/or Folder object views.
Modifying Overview Menu Links
You can globally modify the format of Overview navigational links on menus.
By default, the format for overview links is:
{0} Overview
where {0} represents the singular label of the object.
This format displays, for example, menu item links such as ‘Risk Assessment
Overview’ or ‘Business Entity Overview’.
Example:
If you wanted to change the Overview link format from the singular object name
followed by the text ‘Overview’ (as in Risk Assessment Overview or Business
Entity Overview) to ‘Overview’ followed by the object name (as in Overview Risk
Assessment or Overview Business Entity) you would enter the value in the
Singular Label box as:
Overview {0}
288
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285).
2. On the Application Text page:
a. Navigate to the Formats folder, and click the plus sign to expand the folder
contents.
b. Click the menu.item.documentation.object.overview link to open its detail
page.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the detail page, modify the text in the Singular Label box.
The singular label of the object type is represented by {0} in the format string.
5. When finished, click Save.
6. To modify the link Overview format for another locale, repeat Steps 3 - 5.
7. To view the changes in the browser, users must log out and then log back in to
the application.
Modifying Navigational View Links
You can globally modify the format of Folder View or Filtered List View
navigational links on menus.
By default, the format for these links is:
{0}
where {0} represents the plural label of the object.
This format displays, for example, menu item links such as ‘Risks’ or ‘Business
Entities’.
Example:
If you wanted to change the Folder View or Filtered List View link format from the
object type name (such as ‘Risks’ or ‘Controls’) which is represented by {0}, to
display the object type name followed by the text "View" (such as ‘Risks View’ or
‘Controls View’), you would enter the value in the Singular Label box as {0} View.
Procedure
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285).
2. On the Application Text page:
a. Navigate to the Formats folder, and click the plus sign to expand the folder
contents.
b. Click the menu.item.documentation.object.folder.view link to open its
details page.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the details page, add or edit text in the Singular Label box.
Note: The plural label of the object type (such as, Risks, Controls, Processes) is
represented by {0} in the format string.
5. When finished, click Save.
Chapter 12. Localizing Text
289
6. To modify the link Folder View or Filtered List View format for another locale,
repeat Steps 3 - 5.
Modifying List View Links
You can globally modify the format of the Business Entity List view navigational
link on the Organization menu.
Procedure
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285).
2. On the Application Text page:
a. Navigate to the Formats folder, and click the plus sign to expand the folder
contents.
b. Click the menu.item.documentation.object.list.view link to open its details
page.
3. On the Locale Information tab, click the name of the locale code you want to
modify (for example, en_US).
4. On the details page, add or edit text in the Singular Label box.
Note: The plural label of the object type (such as, Business Entities) is
represented by {0} in the format string.
5. When finished, click Save.
6. To modify the link List View format for another locale, repeat Steps 3 - 5.
Using the Custom Folder
About the Custom Folder
The Custom folder is a container for user-defined keys (such as values returned by
computed fields, e-mail text for Notification Reports, and values used by Survey
reports).
The keys also provide a means for displaying localized text in the IBM OpenPages
application user interface for reports (such as reports that are manually published
from the IBM OpenPages server).
Typically, this folder is populated through the ObjectManager tool. Optionally, you
can add new keys to the Custom folder from the Application Text page.
To modify localized display text for a key in the Custom folder, see “About
Modifying Display Text in the Application User Interface” on page 286.
Adding New Keys
You can add new keys to the Custom folder for localization.
Note: For Cognos report pages (or JSP report instances) that were manually
created using the publishing facility on the IBM OpenPages server, you can use the
values in the ‘Report Name Key’ and ‘Report Description Key’ fields on the report
page to manually create custom application text keys to localize the name and
description of a report after it is created.
290
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285).
2. On the Application Text page:
a. Navigate to the Custom folder.
b. Click the Add New link to open its detail page.
3. On the add detail page:
a. In the Name box, type the name of the key.
For example, a report called ‘My Loss Events’ could have
report.name.my.loss.events for a report name key or
report.description.my.loss.events for a report description key.
b. Optionally, type a description of the key.
c. In the Default Label box, type the text that will be displayed, by default, if
no translated text is provided.
d. When finished, click Create.
4. Click the name of the field created in the previous step, to open its detail page.
5. To change the label text for a locale, on the Locale Information pane:
a. Click the link for the locale code you want.
b. In the Label box, type the translated text you want displayed for that locale.
c. When finished, click Save.
d. Repeat Steps a-c for other locales.
Modifying Custom Keys
You can modify custom keys.
Procedure
1. Access the Application Text page (see “Accessing the Application Text Page” on
page 285.
2. On the Application Text page:
a. Navigate to the Custom folder.
b. Click the name of a key to open its detail page.
3. On the Locale Information pane:
a. Click the link for the locale code you want.
b. In the Label box, type the translated text you want displayed for that locale.
c. When finished, click Save.
d. Repeat Steps a-c for other locales.
Chapter 12. Localizing Text
291
292
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 13. Resetting Objects
Overview of Reporting Periods
A reporting period is a "snapshot" of the current state of the repository, usually
created when the documentation phase of a quarter or year is complete and ready
for attestation. Administrators with the Reporting Periods application permission
can create, modify, and delete reporting periods.
Past reporting periods can then be viewed and reported on from any time in the
future without rolling back the changes made to the repository after the reporting
period was created.
Once a reporting period is created, the existing report is carried forward to the
current reporting period and can be modified in a normal fashion without altering
the state of the earlier reporting period’s data.
Note: Only one reporting period at a time can be "Active".
About Active Reporting Periods and Operational Limitations
Active reporting periods are essentially in the process of being closed (or
"finalized"). An active reporting period can be reapplied at any business entity
level to synchronize the business entity and its children with the Current Reporting
Period.
An active reporting period affects application behavior as follows.
v Filtering behavior:
– Only filters that use system fields (such as, ‘Name’ or ‘Description’) will
work.
– All objects on Filtered List View, Activity View, and Home pages are generally
displayed, unless a system-field filter is applied to a particular view.
v Reporting behavior: Reports cannot run against an active reporting period. You
can only run reports against the current reporting period and any finalized past
reporting periods.
v The following operations CANNOT be performed during an active reporting
period on object types that have their own folders (such as Business Entities,
object types that are part of the security model, and self-contained object types):
– Move operations
– Rename operations
– Delete operations
About Finalized Reporting Periods
Once an active reporting is finalized, the contents of that reporting period cannot
be altered. Any changes to the objects or files will only be reflected in the current
reporting period.
293
This allows administrators to create the next reporting period ahead of time and
then apply it incrementally to different areas of their documentation project when
each area is ready to be finalized.
How Reporting Periods and the Reporting Schema Interact
By default, the reporting schema is only populated with the data from the current
reporting period.
To populate the reporting schema with data from previous reporting periods you
must enable the Populate Past Periods setting and recreate the reporting schema
(see, “Populating Past Reporting Periods” on page 85).
How Reporting Periods and ACLs Interact
When viewing objects, your existing ACLs control which objects you can view in
the current reporting period and in past reporting periods. If your access
permissions change in the current reporting period, you will be able to view the
newly accessible items in past reporting periods, and you will not be able to view
items to which you have lost permissions, even if in past reporting periods you
had access to them.
Regardless of your access permissions, you are never allowed to add, edit or
remove objects and/or files from past reporting periods.
How Reporting Periods and Change Histories Interact
When viewing a change history for an object, only the changes made during the
currently selected reporting period are shown. You can view the change history for
past reporting periods, but only the change activities for that reporting period will
be shown.
You cannot view change histories for multiple reporting periods on the same page.
Using System Administration Mode with Reporting Periods
and Schemas
When you create, recreate, or finalize reporting periods, follow these guidelines:
v If you create an active Reporting Period before creating a real-time Reporting
Schema, you need to be in System Administration Mode (see Chapter 4, “Using
System Admin Mode,” on page 81) to either finalize or drop the active
Reporting Period.
v If the Reporting Period is created after you have created the real-time Reporting
Schema, you do not need to be in System Administration Mode to finalize or
drop the Reporting Period if the Reporting Schema is disabled.
v If the real-time Reporting Schema is enabled, you must be in System
Administration Mode to create, drop, or finalize a Reporting Period.
Reporting Period Permissions and Settings
To manage reporting periods, the user performing the reporting period operation
must belong to a group with the following application permissions.
294
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Reporting Period Permissions
There are two sub-permissions for reporting periods:
v Finalize - allows members of the group to finalize reporting periods on
Business Entities. Users will only be able to finalize reporting periods on
Business Entities to which they have viewing permissions.
v Reapply - allows members of the group to update the active reporting period to
represent the current state of a Business Entity.
Configuring the Deletion Period
It is possible to configure the amount of time after a reporting period is created in
which the reporting period can be deleted. This property is set in the Delete Interval
setting and defaults to 7 days after the reporting period is created.
For details see, “Modifying the Deletion Interval for a Reporting Period” on page
317.
Creating a New Reporting Period
To create a new reporting period, you must have the Reporting Periods application
permission. If an active reporting period already exists, you cannot create a new
reporting period.
Procedure
1. From the menu bar, select Administration and click Reporting Periods. The
Reporting Periods page is displayed.
2. Click the Add Active... button at the top of the page. A new page is displayed.
3. Enter the necessary information into the correct fields and click Create to create
the new reporting period. You are returned to the Reporting Periods page and
the new reporting period is listed in the table with a status of "Active".
4. Click Refresh to update the current value of the Status field.
Results
After adding a new reporting period, the reporting period will be added to the
Reporting Period selection list at the top of each overview and object page.
Note: If you have any standalone objects in your system (objects that were not
created in the context of a business entity hierarchy) they will be immediately
finalized when the reporting period is created.
Creating a New Finalized Reporting Period
You may know that you will not need to edit a reporting period further, and do
not need to reapply portions of the object hierarchy before finalization. In this case,
you can use the Add Finalized button to create a new reporting period and
immediately finalize it. After the reporting period is created you will not be able to
modify it without deleting the entire reporting period.
Procedure
1. From the menu bar, select Administration and click Reporting Periods.
2. Click the Add Finalized button at the top of the page. The Create a Reporting
Period page is displayed.
3. Enter the label and description for the new reporting period and click Create.
Chapter 13. Resetting Objects
295
Working with the Active Reporting Period
When an active reporting period is created, it is applied to all of the objects
(resources) in the IBM OpenPages repository. While a reporting period is active,
there are two actions you can take - reapplying the reporting period, or finalizing
the reporting period. The reporting period can be reapplied or finalized on a
business entity by business entity case.
When you reapply a reporting period, it updates the "checkpoint" created by the
reporting period to include the current state of the business entity (and its
children).
When you finalize a reporting period, it freezes the reporting period and prevents
any more updates through reapplying the reporting period.
Reapplying the Active Reporting Period to a Business Entity
Reapplying a reporting period updates the reporting period version of the entity
(and its associated hierarchy of objects) to match the current "live" version.
Reapplication of the reporting period can be done at any level of the business
entity hierarchy, and will only affect the children of the currently viewed business
entity.
Note: To perform any Reporting Period operation, the system must be in System
Administration Mode (see Chapter 4, “Using System Admin Mode,” on page 81).
Procedure
1. Navigate to the business entity you want to be the root of the reapplied
reporting period.
2. At the top of the page, select the active reporting period from the list and click
the View button. The Re-Apply and Finalize buttons appear.
3. On the locks page, if you want to remove all locks on the selected business
entity after the reapply operation, select the ‘Remove all Locks’ option.
4. Click the Re-Apply button to update the business entity and all of its children
to their current "live" version.
Results
For example, if you have a business entity with the field "Entity in Scope?" set to
"Yes" and you create an active reporting period, when you view that business
entity in that reporting period you will see "Yes" as the value.
If you then change the value of Entity In Scope to "No" in the Current Reporting
Period (the live data), and you want to update the entity in the active reporting
period, you can reapply the active reporting period and the value of Entity In
Scope will be updated to "No".
Note: There is no way to reverse a reapplication of a reporting period or to only
pick up some of the modifications made to the children of the business entity, so
be careful when reapplying a reporting period.
296
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Finalizing a Reporting Period
Once you are certain that no more changes need to be made to a business entity
and its descendants, you can finalize the reporting period for that business entity.
Once you have finalized an entire reporting period, it ceases to be active. Only
then can you create a new active reporting period. If even one business entity
remains un-finalized, the reporting period remains active.
Procedure
1. From the menu bar, select Administration and click Reporting Periods.
2. Click the name of the active reporting period to display the detail page.
3. Click the Finalize button to finalize the entire reporting period. You are
returned to the Reporting Periods page. The status of the reporting period
changes to Finalizing.
4. Click Refresh to update the current value of the Status field.
Note: You cannot undo a finalize operation without removing the entire
reporting period. Depending on the size of your repository, it may take a
significant amount of time to finish the finalizing operation.
To finalize a reporting period on a business entity:
a. Navigate to the business entity you want to be the root of the finalized
reporting period.
b. At the top of the page, select the active reporting period from the list and
click the >> button. The Reapply and Finalize button appear.
c. Click the Finalize button to prevent any further changes to the business
entity and all of its child objects.
Deleting a Reporting Period
After you have created a reporting period, occasionally you may have to delete it
to reflect last-minute changes to your financial close, or due to a mistake in the
name (for example, wrong quarter, wrong year, and so forth).
The IBM OpenPages application supports deletion of reporting periods for a
configurable amount of time after the reporting period is created.
Note: The default period for deletion of a reporting period is seven days after
creating an active reporting period.
The following table lists the various conditions under which a reporting period can
be deleted:
If the deletion period has...
Then the active reporting period...
expired
cannot be deleted.
not expired
can be deleted.
When a reporting period is deleted, no files are removed from the database.
Procedure
1. From the menu bar, select Administration and click Reporting Periods.
Chapter 13. Resetting Objects
297
2. On the Reporting Periods page, select the check box next to the name of the
reporting periods you want to delete.
3. Click the Delete button at the top of the page.
4. At the confirmation prompt, click OK to delete the selected reporting period.
You are returned to the Reporting Periods page and the deleted reporting
period is removed from the table.
5. Click Refresh to update the current value of the Status field while the deletion
is occurring.
Results
Note: If you cannot delete a reporting period (you click the check box and the
Delete button does not activate), the deletion period for that reporting period has
expired. However, if wanted, you can retroactively change the setting.
Overview of Object Resets
Object Resets are a way to automatically modify objects that exist in the IBM
OpenPages repository. Resets can be started by users with the proper permissions
from the Object Reset menu item in the Administration section of the menu bar.
The most common use of the Object Reset functionality is to "reset" all of your
objects at the beginning of a new Reporting Period. For example, each quarter you
have controls and tests that need to be reviewed and performed. The results of
those tasks are recorded by updating the properties and attachments of the
appropriate objects. Once all of these quarterly tasks have been completed, and the
quarter is finished, you archive all of the results into a Reporting Period and
prepare for the new quarter. However, the existing objects still display the test
results and changed properties of the previous quarter.
Rather than go in and modify the objects by hand, you can use the Object Reset
capability to take your existing objects and modify their properties based on the
rules in your ruleset.
While Resets work well with the Reporting Period capability of the IBM
OpenPages application, Resets do not require the existence of a Reporting Period
to be utilized.
Using Object Reset on System Fields
When modifying fields or using fields within <criteria> tags, you may not use
"system" fields. System fields are the fields common to all object types, such as
name, description, or creator. Field modifications and ruleset criteria must use
custom fields (non-system fields). If the field you want does not appear in a field
group for the appropriate Object Type, you cannot use it in your ruleset.
Using Object Reset on Currency Fields
If you use an Object Reset rule to update the value of the Local Currency Code of
a currency field, the Exchange Rate and Base Amount are not updated to match
the new Local Currency Code value.
While the Base Amount is calculated using the Local Currency Code and the
Exchange Rate, it will not change because the Exchange Rate has not been
modified and the number of displayed fraction digits for the currency has not been
changed.
298
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
In order to see a change in the Base Amount, you must include a rule to update
the Exchange Rate or modify the number of displayed fraction digits.
Preparing Your Data
Before a Reset is performed, you will need to perform a few tasks to help ensure
that the Reset procedure goes smoothly. It is always recommended that you back
up your IBM OpenPages data before running a Reset.
In addition, if you plan on archiving your changes to a Reporting Period, you will
need to set the Reporting Period up before running the Reset.
Backing Up Your IBM OpenPages Data
It is highly recommended that you back up your pre-existing IBM OpenPages data
prior to running a Reset.
In this way, an un-modified copy of your data is maintained, in case your Reset
ruleset does not perform as intended. For details on backing up your data, see
“About Oracle Database and the OpenPages Backup and Restore Utilities” on page
415.
Creating a Reporting Period (optional)
If you are planning to reset your data as part of the beginning of a new Reporting
Period, you will have to archive the existing data to a Reporting Period.
Detailed instructions for creating a new Reporting Period can be found in
“Overview of Reporting Periods” on page 293.
Creating a Ruleset
Object Resets are rule-based operations on the objects in your IBM OpenPages
repository. The rules that govern how a Reset will affect your data are contained in
a Ruleset.
A Ruleset is a set of rules contained in an XML loader file that is created outside of
the IBM OpenPages application. Multiple Rulesets can be included in a single XML
file. The ruleset loader file is loaded into the system through the ObjectManager
loader tool. Once the Ruleset is imported, it can be selected during the Specify
Options step of the Object Reset guided action.
When you use ObjectManager loader tool to import security rules, the entire
ruleset is loaded and replace existing security rules that have the same name as a
imported rule. Before importing security rules, export your existing rules first.
Object Resets can modify objects in three ways: modifying the value of a property,
deleting an object, and disassociating two objects.
When creating a Ruleset, you must know the bundles, properties, and property
values you are modifying and match them exactly. If you do not specify a valid
property or property value, the property will not be modified.
Note: Before creating a final Ruleset to use for your Reset session, it can be
extremely helpful to create simple Rulesets that contain a single rule from your
final Ruleset. Running these single Rulesets against a known data set can verify the
accuracy of each rule before attempting a massive modification of your data.
Chapter 13. Resetting Objects
299
Creating the Ruleset File
To create the ruleset file, open a new text file in a text editor. Save the file with the
following naming convention:
<file-identifier>-op-config.xml
Once the file is saved, you may edit it to create the XML file.
Sample Ruleset
Here is a sample Ruleset:
<?xml version="1.0" encoding="UTF-8"?>
<openpagesConfiguration xmlFormatVersion="1.20">
<ruleSets>
<ruleSet name="Quarterly Reset"
description="Rule set to be executed at the beginning of each
and every quarter"
type="Object Reset">
<rule name="Rule 1"
description="Property Update rule setting a property"
type="Property Update">
<propertyUpdateRule contentType="SOXControl">
<bundle name="SOXControl">
<property name="Design Effectiveness"
useDefaultValue="false">
<propertyValue name="Not Rated"/>
</property>
</bundle>
</propertyUpdateRule>
</rule>
<rule name="Rule 2"
description="Property Update rule setting a collection of
properties (including a multi-valued one)."
type="Property Update">
<propertyUpdateRule contentType="SOXRisk">
<bundle name="SOXRisk">
<property name="Assertions"
useDefaultValue="false">
<propertyValue name="Existence"/>
<propertyValue name="Rights and Obligations"/>
</property>
<property name="Impact"
useDefaultValue="false">
<propertyValue name="Unknown"/>
</property>
</bundle>
</propertyUpdateRule>
</rule>
<rule name="Rule 3"
description="Object Delete rule"
type="Object Delete">
<objectDeleteRule contentType="SOXTestResult"/>
</rule>
<rule name="Rule 4"
description="Object Delete rule with criteria"
type="Object Delete">
<objectDeleteRule contentType="SOXIssue"/>
<criteria logicalOperator="or">
300
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
<criterion bundle="SOXIssue"
property="Status"
operator="=">
<propertyValue name="Closed"/>
</criterion>
</criteria>
</rule>
<rule name="Rule 5"
description="Object Disassociate rule"
type="Object Disassociate">
<objectDisassociateRule parentContentType="SOXRisk"
childContentType="SOXDocument"/>
</rule>
</ruleSet>
<!-sample Reset Ruleset for a currency property->
<ruleSet name="Your_Ruleset_Name"
description="Reset a currency property"
type="Object Reset">
<rule name="Reset a currency property"
description=""
type="Property Update">
<propertyUpdateRule contentType="SOXAccount">
<bundle name="OPSS-Account_Annualized Value">
<property name="Annualized Value_LA"
useDefaultValue="false">
<propertyValue name="1.0"/>
</property>
</bundle>
<bundle name="OPSS-Account_Annualized Value">
<property name="Annualized Value_LC"
useDefaultValue="false">
<propertyValue name="AED"/>
</property>
</bundle>
<bundle name="OPSS-Account_Annualized Value">
<property name="Annualized Value_ER"
useDefaultValue="false">
<propertyValue name="1.0"/>
</property>
</bundle>
</propertyUpdateRule>
</rule>
</ruleSet>
</ruleSets>
</openpagesConfiguration>
The Ruleset Tag Library
The following XML tags can be used to build a ruleset:
<openpagesConfiguration>
Description: Progenitor tag for the loader file contents. All other tags are contained
within the <openpagesConfiguration> tag.
Parent Tags: None.
Child Tags: <ruleSets>
Syntax:
<openpagesConfiguration xmlFormatVersion="1.15">
</openpagesConfiguration>
Chapter 13. Resetting Objects
301
Attributes:
v xmlFormatVersion
Version of the OpenPages XML DTD.
<ruleSets>
Description: Container tag for one or more ruleSet tags.
Parent Tags: <openpagesConfiguration>
Child Tags: <ruleSet>.
Syntax:
<ruleSets>
</ruleSets>
Attributes: None.
<ruleSet>
Description: A ruleset is a collection of rules that will be executed when the ruleset
is selected during a Reset session. Each ruleset is displayed in the IBM OpenPages
user interface as a separate entry in the list of Rulesets.
Parent Tags: <ruleSets>
Child Tags: <rule>
Syntax:
<ruleSet name="Name"
description="Description"
type="Object Reset"
</ruleSet>
Attributes:
v name
An identifying name for the ruleset. Will be displayed in the IBM OpenPages
user interface. The maximum length for the ruleset name attribute is 255 bytes
(not characters).
v description
A description of the function of the ruleset. The maximum length for the ruleset
name attribute is 2000 bytes (not characters).
v type
The type of ruleset. Currently, there is only one type - "Object Reset".
<rule>
Description: Each <rule> tag contains a single rule that will be applied to the IBM
OpenPages data when the ruleset is selected and a Reset session is initiated.
Parent Tags: <ruleSet>
Child Tags: <propertyUpdateRule>, <objectDeleteRule>, <objectDisassociateRule>,
<criteria>
Syntax:
302
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
<rule name="Name"
description="Description"
type="[Property Update|Object Delete|Object Disassociate]"
</rule>
Attributes:
v name
The name of the rule. The maximum length for the rule name attribute is 255
bytes (not characters).
v description
A description of the function of the rule. The maximum length for the rule name
attribute is 2000 bytes (not characters).
v type
The type of rule. There are three types of rules: Property Update, Object Delete,
and Object Disassociate.
<propertyUpdateRule>
Description: The <propertyUpdateRule> tag defines a rule that modifies the value
of an existing property on a certain object type. Unless modified by the use of the
<criteria> tag within the same <rule> tag, all objects of the specified object type
within the scope of the Reset will be updated.
Parent Tags: <rule>
Child Tags: <bundle>
Syntax:
<propertyUpdateRule contentType="">
</propertyUpdateRule>
Attributes:
v contentType
Specifies the object type that the rule will be applied to. Must match a valid IBM
OpenPages object type.
<bundle>
Description: The <bundle> tag specifies which bundle contains the property to be
modified.
Parent Tags: <propertyUpdateRule>
Child Tags: <property>
Syntax:
<bundle name=""
</bundle>
Attributes:
v name
The name of the bundle whose property will be modified.
<property>
Description: The <property> tag is used inside a <bundle> tag to specify the
property that will be updated.
Chapter 13. Resetting Objects
303
Parent Tags: <bundle>
Child Tags: <propertyValue>
Syntax:
<property name="">
useDefaultValue="[true|false]"
[<propertyValue>
<propertyValue>]</property>
Attributes:
v name
The name of the property to be updated.
v useDefaultValue
Specifies whether the property should be updated to reflect the default value of
the property (if one exists). If no default value exists, the property is not
updated.
<objectDeleteRule>
Description: The <objectDeleteRule> tag is used to specify an object type for
deletion. Unless modified by the use of the <criteria> tag within the same <rule>
tag, all objects of the specified object type within the scope of the Reset will be
deleted.
Parent Tags: <rule>
Child Tags: None.
Syntax:
<objectDeleteRule contentType=""/>
Attributes:
v contentType
Specifies the object type to be deleted. All objects of this type within the scope of
the Reset are deleted.
<objectDisassociateRule>
Description: The <objectDisassociateRule> tag is used to disassociate an object type
from another object type. If you use the <criteria> tag with this rule type, the
criteria must be based on the child’s property values. You cannot base a rule on
properties or property values belonging to the parent object type.
Parent Tags: <rule>
Child Tags: None.
Syntax:
<objectDisassociateRule parentContentType=""
childContentType=""/>
Attributes:
v parentContentType
Identifies the parent object type that the child object type is associated with.
v childContentType
304
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Identifies the child object type to be disassociated. Any objects of the child object
type associated with objects of the parent object type within the scope of the
Reset will be disassociated from the parent object.
<criteria>
Description: The <criteria> tag is used to refine the behavior of a rule by specifying
the standards that need to be met in order to invoke the rule. The criteria tag can
contain one or more <criterion> tags that will be judged when deciding whether to
apply the rule to a specific object.
It should be noted that criteria can only be applied in a "positive" manner - that is,
if the criteria are met, the rule will be used. You cannot specify a rule where if the
criteria are met, the rule is NOT applied.
Parent Tags: <rule>
Child Tags: <criterion>
Syntax:
<criteria logicalOperator="[and|or]">
Attributes:
v logicalOperator
Specifies whether all of the criterion ("and") will be used to determine whether
the rule will be applied to the object, or if only one of the criterion ("or") needs
to be satisfied.
<criterion>
Description: The <criterion> tag allows the user to specify a property and value(s)
that must match the evaluation specifications set in the <criterion> tag.
Note: It is strongly recommended that you use a maximum of three criterion
within a single <criteria> tag. Adding additional criterion will increase the
processing time required to complete the Reset.
Parent Tags: <criteria>
Child Tags: <propertyValue>
Syntax:
<criterion bundle=""
property=""
operator="[=|<>|<=|<|>|>=|like]"
<propertyValue=""/>
[<propertyValue=""/>]</criterion>
Attributes:
v bundle
The property bundle containing the property to be evaluated.
v property
The property name of the property to be evaluated.
v operator
Chapter 13. Resetting Objects
305
Specifies the manner in which the value of the property will be evaluated. Valid
operators are equal (=), not equal (<>), greater than (>), less than (<), greater or
equal to (>=), less than or equal to (<=), and "like".
Only the equal, not equal, and "like" operators can be used with string variables.
Note: The "like" parameter allows the use of wild cards in the <propertyValue>
tag. These wild cards consist of the "%" and "_" symbols, which are passed to a
SQL database query against the database. The percent mark (%) symbol is used
to represent any number of characters in a location, while the underscore (_)
character is used to represent any single character in a location.
For SQL tool information, see “Database tool information” on page 1.
<propertyValue>
Description: The <propertyValue> tag performs two functions, depending on its
location. The Boolean property value must be all lowercase. For example, "true" is
correct, "True" is incorrect.
If the <propertyValue> tag is contained inside a:
v <property> tag, it specifies the new value (or values) for the updated property.
v <criterion> tag, it specifies the relevant property to be considered when applying
the criteria.
If you are modifying an enumerated string (drop-down list) property that is
multi-selectable, you can place multiple <propertyValue> tags inside the
<property> tag. When the rule is processed, all of the <propertyValue> tags will be
evaluated, and the property will be modified to select all of them.
Parent Tags: <property>, <criterion>
Child Tags: None.
Syntax:
<propertyValue name=""/>
Attributes:
v name
Specifies the value of the property. See the description of the <propertyValue>
tag for details. The maximum length for the property value’s name attribute is
2000 bytes (not characters).
Loading the Ruleset
After you have finished creating the ruleset loader file, you will need to use the
ObjectManager tool to load the ruleset into the IBM OpenPages system.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Navigate to the <OP_Home> directory.
Where: <OP_Home> represents the installation location of the IBM(r)
OpenPages(r) GRC Platform application. By default, this is:
v Windows - C:\OpenPages
v AIX and Linux - /opt/OpenPages
306
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
3. Run the following command on a single line:
ObjectManager load config OpenPagesAdministrator
<path-to-ruleset-xml-file> <file-identifier>
<password>
where
<password> is the password to the OPAdminstrator user account.
<path-to-ruleset-XML-file> is the full path to the ruleset file you created.
<file-identifier> is the portion of the ruleset file name preceding
"-op-config.xml". For example, if you created a ruleset file called
"ruleset-op-config.xml", the <file-identifier> in the ObjectManager command is
"ruleset".
4. The ruleset is now loaded. If you have created multiple ruleset files, repeat this
procedure for each of them.
5. If you encounter errors, read the log file to determine the cause of the error and
fix it, then re-run the command in Step 2.
Updating a Ruleset
If you load a ruleset with the same name as an already-loaded ruleset, the ruleset
will be overwritten with the new rules. To return to an earlier version of the
ruleset, you would have to re-load the original ruleset loader file. Rulesets are not
"version-controlled".
Performing the Object Reset
After you have loaded the ruleset you will be using for the Object Reset, you must
log into the system and begin the Reset.
Preparing for the Reset
The user running the Reset must have the Object Reset application permission and
the proper access to modify the data. If the user does not have the Object Reset
permission, they will not be able to see the Object Reset menu item under the
Administration heading.
Configuring the Ruleset Parameters
Before executing the Reset, there are some configuration parameters that should be
set. In general, these settings will only need to be set once before your first time
initiating a Reset, but you may want to change them for different entity trees or
ruleset behavior.
The following Object Reset settings can be accessed from the Settings link on the
Administration menu (located in the OpenPages\Applications\Common\Object Reset
folder):
v Logging Level - this setting controls how much information is displayed. For
configuration details, see “Changing the Logging Level” on page 338.
v Check ACL - this setting controls whether the Reset occurs against all or only
some of the objects contained within the scope of the Reset session. For
configuration details, see “Obeying ACL Restrictions” on page 339.
v Ignore Locks - this setting controls whether existing locks on objects are honored
when running the Reset. For configuration details, see “Obeying Locking
Restrictions” on page 340.
Chapter 13. Resetting Objects
307
v
Continue on Error - this setting controls whether the Reset session will log errors
and continue to run or halt processing. For configuration details, see
“Continuing on Error” on page 339.
Using the Object Reset Page
The Object Reset page contains a table that shows all of the previous Reset sessions
that have been started.
The table contains columns with the following information:
v the name of the Reset session
v the description of the Reset session
v the date and time the Reset began
v the date and time the Reset completed
v the current status of the Reset
The table also has an Start New Reset button that can be selected to start a new
Reset session. For more information on starting a new Reset session, see “Starting
the Object Reset.”
Starting the Object Reset
Procedure
1. Log on to the IBM OpenPages system as a user with the Object Reset
application permission.
2.
3.
4.
5.
6.
7.
8.
Note: If you have chosen to obey ACL restrictions, the user must have the
permissions to modify the objects within the scope of the Reset. If the user does
not have sufficient permissions, warning messages will be generated in the log,
and the objects will not be modified.
Click the Object Resets menu item under the Administration heading on the
menu bar. The Object Reset page is displayed.
Click the Start New Reset button at the top of the table to create a new Reset.
The Specify Options page is displayed.
Enter a name and description for the new Reset.
Select a Ruleset from the list of available Rulesets. The chosen Ruleset will be
used for the new Reset.
Click Next to display the Reset Scope page.
Choose the Business Entities to which the Reset will be applied by selecting the
check boxes next to the entity names. Once you have selected the Business
Entities, click the Start Reset button to begin the Reset.
A confirmation warning dialog is displayed. If, after reading the warning, you
want to begin the Reset, click Ok. The Reset begins, and the Object Reset page
is displayed.
Viewing the Reset Status
The new Reset session is added to the list of Reset sessions on the Object Reset
page. You can track the progress of the Reset by monitoring the Status column of
the table.
The possible values for the Status field are Initiated, In Progress, Completed, or
Failed.
308
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The "Failed" status will only be shown if the system is set to stop the Reset if
errors are encountered. If the system is set to continue on errors, then when the
Reset is completed, the "Completed" status will be shown. Any errors that occurred
during the Reset will be captured in the Reset Session Log.
Viewing the Reset Session Details
Every time you start a Reset, an entry is added to the Reset Session table. By
clicking on the name of the reset, the Reset Session detail page is displayed for that
Reset Session.
The detail page contains the following information:
Name - The name of the Reset Session.
Description - The description of the Reset Session (set during the creation
procedure)
Ruleset Name - The name of the Ruleset that was applied during this session.
Created - The time and date the Reset Session was created.
Start Date - The time and date the Reset was begun.
End Date - The time and date the Reset was completed.
Status - The current status of the Reset. The Status can be one of the following
values:
v Initiated - The Reset has been initialized, and is preparing to modify your data.
v In Progress - The Reset is currently modifying the selected data.
v Completed - The Reset finished successfully. Depending on whether the Reset
was set to continue on errors, some errors may be reported in the Session Log.
v Failed - The Reset did not finish, because errors were encountered. Check the
Session Log for details on what errors occurred.
Created By - The user that initiated the Reset Session.
Scope - The Business Entities that were modified by the Reset.
Logging Level - The level of detail that will be displayed in the Session Log. Can
be one of the following values:
v Low - display error messages only
v Medium - display any error messages and any warning messages.
v High - display any errors, warnings, and any informational or diagnostic
messages.
Continue on Error - Whether the Reset Session will log errors and continue to run,
or whether the error will be logged and the session will halt. Value will either be
"true" or "false".
Check ACLs - Whether the Reset occurs against all objects contained within the
scope of the Reset session, or whether the Reset occurs against only those objects
that the user who initiated the Reset has access to. It can have a value of "true" or
"false".
Chapter 13. Resetting Objects
309
Ignore Locks - Whether existing locks on objects are honored when running the
Reset. A value of "true’ means that locks were ignored when running the Reset,
and a value of "false" means that locked objects were not modified by the Reset.
Viewing the Reset Session Log
In addition to the detail page, a detailed view of the Reset Session is recorded in
the Reset Session Log. The level of detail depends on the configuration setting.
For details on setting the logging level, see the section “Configuring the Ruleset
Parameters” on page 307.
Procedure
Click the View Log button on the Reset Session detail page.
The Reset Session Log contains three sections - the Error Messages section, the
Warning Messages section, and the Informational Messages section.
Error Messages
The Error Messages section contains the details of any errors encountered by the
Reset.
Warning Messages
The Warning Messages section contains any warning messages generated by the
Reset.
Informational Messages
The Informational Messages section captures the running details of the Reset - the
number of successful operations, details on the preparation steps that occur during
the Initializing phase, and a summary of the number of errors encountered during
the Reset.
Refreshing the Reporting Database After the Reset
After you have performed an Object Reset, it is highly recommended that you
refresh the Reporting database so that users who run third-party reports will
immediately see the changes.
If your users are using the real-time reporting schema, you do not need to perform
a reporting schema refresh. The IBM OpenPages reports will automatically see the
changes. If you are still using the datamart reporting schema, you will need to
manually update the reporting schema
For detailed information on performing a reporting database refresh, see
“Administering the Reporting Schema” on page 83.
Exporting Rulesets to an XML File
You can export all of the Object Reset rulesets to an XML file using ObjectManager.
In order to do this, you must have file access to the IBM OpenPages application
server.
This will export ALL defined rulesets. Exporting rulesets does not remove them
from the IBM OpenPages application - they will still be available for use after they
are exported.
1. Back up the ObjectManager.properties file.
310
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Note: The ObjectManager.properties file is located in the root installation
folder of your IBM OpenPages installation. By default, this is c:\OpenPages.
2. Open the ObjectManager.properties file in a text editor.
3. Locate the following block of settings in the file:
configuration.manager.dump.modules=true
configuration.manager.dump.file.types=true
configuration.manager.dump.bundle.types=true
configuration.manager.dump.file.upload.content.types=true
configuration.manager.dump.jsp.based.content.types=true
configuration.manager.dump.content.type.relationship.sets=true
configuration.manager.dump.app.permissions=true
configuration.manager.dump.actors=true
configuration.manager.dump.actor.group.memberships=true
configuration.manager.dump.actor.object.profile.associations=true
configuration.manager.dump.non.form.based.resources=true
configuration.manager.dump.form.based.content.types=true
configuration.manager.dump.form.based.resources=true
configuration.manager.dump.channels=true
configuration.manager.dump.resource.sets=true
configuration.manager.dump.associated.resources=false
configuration.manager.dump.rule.sets=true
configuration.manager.dump.rule.set.execute.sessions=true
configuration.manager.dump.registry=true
configuration.manager.dump.object.profiles=true
configuration.manager.dump.locales=true
configuration.manager.dump.application.string.key.categories=true
configuration.manager.dump.application.string.keys=true
configuration.manager.dump.application.strings=true
configuration.manager.dump.error.strings=true
configuration.manager.dump.object.strings=true
configuration.manager.dump.job.types=true
configuration.manager.dump.currency.exchange.rates=true
configuration.manager.dump.currencies=true
configuration.manager.dump.query.definitions=true
4. Modify each line to have a false value, except the line that reads:
configuration.manager.dump.rule.sets=true
5. Make sure that the following setting has a value of false:
configuration.manager.migrate.configuration.objects
6. Once you have finished your modifications, save the file and exit the editor.
7. Open a Command Prompt window.
8. Navigate to the <OP_Home> directory.
Where:
<OP_Home> is the installation location of the OpenPages application. By default,
this is c:\OpenPages.
9. Run the following command on a single line:
ObjectManager dump config OpenPagesAdministrator
<path-to-xml-file> <file-identifier>
<password>
where
<password> is the password to the OPAdminstrator user account.
<path-to-XML-file> is the full path to the ruleset file you created.
<file-identifier> is the portion of the ruleset file name preceding
"-op-config.xml". When the XML file is created, the file name will append
"-op-config.xml" to the end of the filename. For example, if you specified a
<file-identifier> called "ruleset", the generated XML file would be named
"ruleset-op-config.xml".
Chapter 13. Resetting Objects
311
10. A new XML file is generated in the specified location that contains only the
latest version of the rulesets that exist in the application at the time of the
export.
Note: Be sure to "reset" the ObjectManager.properties file to its original contents otherwise, your scheduled backups using ObjectManager will only export the
rulesets.
312
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 14. Configuring Settings
This chapter contains information about the various settings you can configure for
the IBM OpenPages application.
About the Settings Page
The Settings page in the application contains a structured collection of name-value
pairs used to store non-machine specific configuration data that spans across
load-balanced systems. Settings are organized in a folder hierarchy by category
with each name-value pair having a unique full path name.
Note: The add and copy buttons on the Setting list view page are for OpenPages
Services and Support use only.
The top-level folder categories are:
v Applications - contains settings related to application and object specific
behaviors.
v Common - contains settings that are common to both the application and
platform.
v Platform - contains settings related to the system such as workflow, reporting,
and the repository.
v User Preferences - contains settings related to users, such as alert behavior.
You can make changes to the value of a configuration "setting" (a name-value pair)
without having to restart system services.
This section highlights the most commonly used configuration settings. For
information about changing the value of settings that are not listed in this section,
contact your IBM representative for details.
Accessing the Settings Page
To access the Settings menu item, you must have the Settings application
permission set on your account.
For details, see “Configuring Application Permissions” on page 21.
Procedure
1. Log on to the IBM OpenPages application with an account that has the Settings
application permission set.
2. From the navigation bar, select Administration and click Settings.
From the Settings list view page, you can:
v View summary information about settings
v Access the detail page of a setting
Applications Folder Settings
The settings listed in this section represent a selected list of individual settings that
are under the OpenPages Applications folder.
313
Modifying the Overview View Cache Capacity
To enhance performance on an Overview view page, you can change the
maximum number of nodes that can be displayed to users in an Overview view by
changing the value of the Overview Cache Capacity setting.
By default, the Overview Cache Capacity value is set to display 10000 nodes. If the
number of nodes displayed exceeds the above setting, the additional nodes will
not be displayed. Each cached object requires 1600 bytes of memory.
Procedure
1.
2.
3.
4.
Access the Settings page (see “Accessing the Settings Page” on page 313).
Expand the OpenPages | Applications | GRCM | Caches folder hierarchy.
Click the Overview Cache Capacity setting to open its detail page.
In the Value box, type a new numeric value.
5. When finished, click Save.
Results
The new setting will take effect after you log out and log back in.
Configuring the Browser Cache
You can affect the behavior of the browser’s Back and Forward buttons by
changing the value of the Disable Browser Cache setting. By default, the
browser’s cache setting is enabled (the value is set to false).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Configuration folder
hierarchy.
3. Click the Disable Browser Cache setting to open its detail page.
4. In the Value box, if the value is set to:
v true – the browser's cache is disabled; so using the Back button will
sometimes require a refresh command for the page to display.
v false - the browser's cache is enabled and no refresh action is required;
however, the data on the page may be whatever was cached in the browser.
This is the default setting value.
5. When finished, click Save.
Displaying the Accessibility Link
If you want to display a client-specific page with information about accessibility
for disabled users, you can configure the display of the Accessibility link in the
header pane of the IBM OpenPages application.
When a user clicks the Accessibility link, the designated page is displayed. By
default, the Accessibility link is not displayed in the header pane of the
application.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
314
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
2. Expand the OpenPages | Applications | Common | Accessibility folder
hierarchy.
3. Click the URL setting to open its detail page.
4. In the Value box, type a URL (it is blank by default).
5. When finished, click Save.
Example
Let’s say you created a page in HTML format that contained information about
your company’s accessibility policy for disabled users and wanted this policy to be
available to all users through the application. Let’s also say that the saved file is
named "accessibility.htm" and was copied to the "custom_files" folder, which you
created, under the /sosa folder location on the server, "machine1".
The URL path that you would enter in the Value box might look similar to this:
http://machine1:7009/openpages/custom_files/accessibility.htm
Displaying or Hiding Field Guidance
You can show or hide field-specific guidance on the Add or Edit page of an object
through the Show Field Guidance setting.
By default, the Show Field Guidance setting is set to display in the application.
When a user clicks a question mark icon next to a specific field on an object’s Add
or Edit page, the field guidance text is displayed.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Applications | Common | Configuration folder
hierarchy.
4. Click the Show Field Guidance setting to open its detail page.
5. In the Value box, if the value is set to:
v true - the question mark icon and field guidance text will be displayed to
users. This is the default setting value.
v false - the question mark icon and field guidance text is hidden from users.
6. When finished, click Save.
Displaying or Hiding System Generated Field Guidance
The Show System Generated Field Guidance setting controls whether information
about field dependencies and dependent picklists is appended to field guidance.
When a field is included in a field dependency or dependent picklist, information
about the dependencies is appended to the field’s guidance. This information may
not be relevant to end users and can now be disabled.
Before you begin
For this setting to have effect, the Show Field Guidance setting must be set to
true. If Show Field Guidance is false, then no guidance would be shown in any
Chapter 14. Configuring Settings
315
event. For details, see “Displaying or Hiding Field Guidance” on page 315.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Applications | Common | Configuration folder
hierarchy.
4. Click the Show System Generated Field Guidance setting to open its detail
page.
5. In the Value box, if the value is set to:
v true - shows system-generated dependencies information. This is the default
setting value.
v false - suppresses system-generated dependencies information.
6. When finished, click Save.
Setting a Default Object View
If an object view for an object type is configured to display both a Folder View and
Filter List View (displayed as tabs on the page), you can configure which tab is
displayed first to users on the page through the Default Object View setting.
Note: For information about configuring Folder and Filter List views for an object
type, see “Folder views and Filtered List views” on page 240.
By default, the Default Object View setting is configured to display the Filtered
List View tab first.
Procedure
1.
2.
3.
4.
Access the Settings page (see “Accessing the Settings Page” on page 313).
Expand the OpenPages | Applications | GRCM folder hierarchy.
Click the Default Object View setting to open its detail page.
In the Value box, if the value is set to:
filter – the Filter List View tab is displayed first to users. This is the default
setting value.
v folder - the Folder View tab is displayed first to users.
v
5. When finished, click Save.
Configuring File Check-out
The file check-out feature locks files to prevent other users from uploading and
overwriting changes, or from moving, renaming, or deleting the file while a file is
checked out. When the file is checked in, the lock is removed.
You can configure the display of the Check Out and Check In buttons by
changing the value of the Enable File Checkout setting. By default, the setting is
enabled (the value is set to true).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM folder hierarchy.
316
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
3. Click the Enable File Checkout setting to open its detail page.
4. In the Value box, if the value is set to:
v true – the file check-out and check-in feature is enabled and the
corresponding buttons are displayed on the detail page of a file. This is the
default setting value.
v false – the file check-out and check-in feature is disabled and the
corresponding buttons are hidden.
5. When finished, click Save.
Configuring the Sort Order of Object List Views By
Modification Date
You can use the Sort by Modification Date setting to globally configure the
sorting behavior of objects in list views so that objects are listed by their
modification date. By default, objects in a list view are listed by name.
Note: The information in this topic applies to IBM OpenPages GRC Platform
6.0.1.2 or greater.
For example, let’s say an object type has multiple associated objects. By default,
associated objects are listed by name in a list pane on a Detail View page.
However, users want to see associated objects listed by their last modified date. To
globally change the sort order of objects in list panes so that objects are listed by
the date they were last modified, you would set the value of the Sort by
Modification Date setting to true.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | List View folder hierarchy.
3. Click the Sort by Modification Date setting to open its detail page.
4. In the Value box, if the value is set to:
v true - objects in a list view will be sorted by their last modification date.
v false - objects in a list view will be sorted by name. This is the default
setting value.
5. When finished, click Save.
Modifying the Deletion Interval for a Reporting Period
You can configure the number of days in which a reporting period can be deleted
after it is created. By default, the interval is set to 7 days (after day 7, the reporting
period can no longer be deleted).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Reporting Periods folder
hierarchy.
3. Click the Delete Interval setting to open its detail page.
4. In the Value box, edit the number of days you want for the new deletion
interval.
5. When finished, click Save.
Chapter 14. Configuring Settings
317
Showing Hidden Settings
Some settings within the OpenPages product are hidden to protect these settings
from accidentally being modified. To display hidden settings so you can modify a
particular setting, you will need to change the value in the Show Hidden Settings
setting.
By default, this value is set to false (hide).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value of the Show Hidden Settings setting to true (this will display all
hidden settings) as follows:
a. Expand the OpenPages | Applications | Common | Configuration folder
hierarchy.
b. Click the Show Hidden Settings setting to open its detail page.
c. In the Value field on the setting detail page, change the value to true (the
default value is false).
3.
d. Click Save.
Set the value of the Allow Create and Delete Settings setting to true as
follows:
a. Expand the OpenPages | Applications | Common | Configuration folder
hierarchy.
b. Click the Allow Create and Delete Settings setting to open its detail page.
c. In the Value box, change the value to true (the default value is false).
4. Modify any hidden settings as necessary.
5. When finished, reset the value in the Show Hidden Settings setting to false.
Configuring Actor Table Page Size
Use the Page Size setting to control the number of rows listed per page. This
setting applies to the following administrative areas within the IBM OpenPages
application: user and group management, role assignments, profile user
association, and custom security.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Administration | Users
and Groups folder hierarchy.
3. Click the Page Size setting to open its detail page.
4. In the Value box, type a number. The default value is 100.
Selector Display Type Settings
This section contains the following topics for configuring actor selectors.
Configuring the Bucket Size of the Phonebook
You can use the Bucket Size setting to control the number of user names that are
displayed in a bucket or category within the User Selector phonebook style pop-up
dialog box. By default, this value is set to 10.
318
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
For information about the phonebook, see the topic “Modifying the Phonebook” on
page 273.
The number of buckets that are displayed in the phonebook is determined by the
size of the bucket and the number of users. For example, if there are 100 users and
the bucket size is set to 20, the phonebook would display 5 buckets of 20 users per
bucket.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | User Selector folder
hierarchy.
3. Click the Bucket Size setting to open its detail page.
4. In the Value box, type a numeric value for the number of users you want
displayed per bucket. By default, the value is set to 10.
Note: If the value of the bucket size is set to zero or a negative number (such
as -5), all users will be displayed in a single bucket.
5. When finished, click Save.
6. To configure the columns that are displayed in a selector dialog box, see
“Configuring Display Columns in a Selector Dialog Box.”
Configuring Display Columns in a Selector Dialog Box
For all selector display types, you can use the Fields setting to configure additional
display information for users and groups.
For information about selector dialog boxes, see the topic “Modifying the Selector
Dialog Box” on page 273.
Note:
v The Name column is always displayed as the first column of the table and
cannot be removed or changed. The Name column in a User Selector represents
the user account name (Username). In a Group selector, it is the name of the
group.
v If no values are present in the Fields setting, the Name and Description column
headings are displayed by default.
v The values in the setting are globally displayed in the appropriate selector
dialog box. For example, if you set the first name of a user to be displayed, the
user’s first name would appear in the User and User/Group dialog boxes but
not the Group dialog box because the Group dialog box lists only groups (no
users).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages|Applications|Common|Actor Selector folder
hierarchy.
3. Click the Fields setting to open its detail page.
4. In the Value box, type one or more of the following codes in the order in which
you want the columns to display in a User, Group, or User/Group Selector
dialog box:
Chapter 14. Configuring Settings
319
To display this
column heading...
Type this code...
Comments
Description
%DN;
Displays any description information from
the "Description" object field on a User or
Group Information page. This column
heading is displayed by default in the User,
Group, and User/Group Selector dialog
boxes.
First Name
%FN;
Displays information from the "First name"
object field on a User Information page.
This column heading is displayed only in
the User and User/Group Selector dialog
boxes.
Last Name
%LN;
Displays information from the "Last name"
object field on a User Information page.
This column heading is displayed only in
the User and User/Group Selector dialog
boxes.
Email
%EM;
Displays the email address of a user from
the "Email" object field on a User
Information page. This column heading is
displayed in the User, Group, and
User/Group Selector dialog boxes.
5. When finished, click Save.
Example
To display the Email address of users followed by a description of the user, you
would enter the following codes in the Value box: %EM;%DN;.
The result of these settings in the User Selector is that the Name column is
followed by the Email and Description columns.
Configuring a User or Group Selector to Use the Search
Function
If you have a large number of users and/or groups, you can improve performance
by using the Use Actor Search Only setting to globally configure the selector
display types to open a search box instead of a phonebook style box.
By default, this value is set to always display buckets or categories of users and
groups in a phonebook style box.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Detail Page folder
hierarchy.
3. Click the Use Actor Search Only setting to open its detail page.
4. In the Value box, type one of the following values:
320
Value
Result
true
A search box will open when a user clicks
either the selector field box or a user or
group icon.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Value
Result
false
A phonebook style box will open when a
user clicks either the selector field box or a
user or group icon
This value is set by default.
5. When finished, click Save.
Configuring Menus
This section contains topics for configuring menus.
Attention: Changes to menus will not appear until users log out and then log
back in to the application.
Updating the administration menus
Some menus and submenus have been reorganized, and a new toolbar has been
added to IBM OpenPages Administration.
The My OpenPages and Administration menus and their submenus have been
reorganized. Many of the items that appeared on the My OpenPages menu have
moved to a new toolbar. The items that appeared in the Administration menu have
been moved into separate sub-menus. Any custom menu items that had been
added to those menus must be re-added.
Procedure
To add your custom menu items back into the Administration menu, click
Settings > OpenPages > Applications > GRCM > NavigationMenu >
Administration > SubItems, and add the menu items. For example,
"YourCustomMenuItem,Security,Schema,Application,Management".
Modifying the Order of Menus on the Navigation Bar
The navigation bar on the IBM OpenPages application contains various menus that
represent categories for grouping views and object types. You can use the Items
setting to modify the order in which the main menus are displayed on the
navigation bar.
Which categories for object types are available as menus on the navigation bar
depends on your particular business solution.
By default, ‘My OpenPages’ is typically displayed as the first menu item on the
navigation bar, and ‘Administration’ as the last menu item.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | NavigationMenu folder
hierarchy.
3. Click the Items setting to open its detail page.
4. In the Value box, modify the order of the menus as you want these to appear
on the navigation bar.
Note:
Chapter 14. Configuring Settings
321
v The list must be comma delimited.
v The order in which the menus are defined in the list determines the order in
which the menus are displayed on the navigation bar in the application user
interface.
In the following example, the menus on the navigation bar will be displayed
as follows: ‘My OpenPages’ followed by ‘Reports’, ‘Organization’,
‘Remediation’, and then ‘Administration’.
MyOpenPages,Reports,Organization,Remediation,Administration
v The list must not have any leading or trailing spaces.
5. When finished, click Save.
6. To view the changes in the browser, users must log out and then log back in to
the application.
Modifying Submenus
The navigation bar on the IBM OpenPages application contains various menus that
represent categories for grouping views, object types, and system pages.
There are two types of menu items that you can add to a menu: object types and
system pages.
Note:
v The list of submenu items must be comma delimited.
v Optionally use the __separator__ (two underscores) keyword to organize
submenu items into groups.
The following example shows how to create two groupings of object types in a
list.
RiskAssessment,SOXRisk,__separator__,SOXControl,SOXTest,SOXTestResult
The result is a list of submenu items that are grouped as follows:
Risk Assessment
Risk
______________
Control
Test
Test Result
v The order in which the submenu items are defined in the list determines the
order in which the submenu items are displayed in the selected menu on the
application user interface.
v The list must not have any leading or trailing spaces.
Modifying Object Type Submenus:
You can use the ObjectTypes setting to globally add or modify the various object
type submenus that are displayed in the list for a specific menu.
Which object types are available as submenus depends on your particular business
solution.
Let’s say you have a new custom ‘Baseline’ object type that must be added to the
‘Assessments’ menu, and then made available to users who are assigned the
322
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
‘Analyst’ profile. In this example, the ‘Assessments’ menu already contains the
following object types in the submenu listing: Risk Assessment, Risk, Control, Test,
and Test Result.
You want the new ‘Baseline’ object type to come after the Risk Assessments
submenu item in the drop-down list. You also want the Risk Assessment and
Baseline object types to be displayed in a separate group from the other object
types in the list. Using the ObjectTypes setting, you would add the submenu item
for the new ‘Baseline’ object type to the ‘Assessments’ menu as follows:
RiskAssessment,Baseline,__separator__,SOXRisk,SOXControl,SOXTest,SOXTestResult
To make the new object type available to users with the ‘Analyst’ profile, you
would then modify the profile to include the new object type and then add the
new object type to various navigational views.
Because this change is global, any other profiles that contain the ‘Baseline’ object
type would also see this submenu item displayed under the ‘Assessments’ menu.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | NavigationMenu folder
hierarchy.
3. Navigate to the folder that contains the submenu items you want to modify
(for example, ‘Assessments’) and then expand the folder to see its settings.
4. Click the ObjectTypes setting to open its detail page.
5. In the Value box, type the name of the object type where you want it to appear
in the list.
6. When finished, click Save.
7. To view the changes in a browser, users must log out and then log back in to
the application.
8. If wanted, add the new object type to a profile and views. For more
information, see “Configuring Object Types in Profiles” on page 222, and
“Views for objects” on page 238.
Modifying System Page Submenus:
System page menus are menus that generally contain various functions but can
also include object types. Some examples of system page menus are My IBM
OpenPages and Administration.
You can use the Subitems setting to globally add or modify the various submenu
items that are displayed in the list for a specific menu.
Which functions and object types are available as submenus depends on your
particular business solution.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | NavigationMenu folder
hierarchy.
3. Navigate to the folder that contains the submenu items you want to modify
(for example, ‘Administration’) and then expand the folder to see its settings.
4. Click the Subitems setting to open its detail page.
Chapter 14. Configuring Settings
323
5. In the Value box, type the name of the item where you want it to appear in the
list.
6. When finished, click Save.
7. To view the changes in the browser, users must log out and then log back in to
the application.
Auto-Naming Settings
For most object types, you can auto-generate the names of newly created objects.
This ability allows users to enforce internal naming policies and ensure unique
object names.
The auto-generation of object names is controlled by a series of settings that can be
accessed from the Settings menu item under the Administration menu on the
navigation bar. It is possible to turn autonaming on or off for each object type
individually. For example, you may want all business entities and processes named
by users, but all risks, controls, and test plans named automatically by the IBM
OpenPages application.
Note: Autonaming is not supported for the following object types: SOXDocument
and SOXSignature.
Configuring Auto-naming for an Object Type
You can configure auto-naming for an object type when an object is copied or
created.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Auto Naming folder
hierarchy.
3. Navigate to the object type that you want to modify and then expand the
folder to see its auto-naming settings.
For each object type, you can modify the following settings:
Setting Name
Description
Auto-Named folder
Copied Object
Determines whether or not copied instances
of the selected object type are automatically
named.
If the value is set to:
v
true - auto-naming is enabled for copied
instances.
Note: Only the object that is directly
selected for copy will be auto-named. Any
child objects associated with the selected
object will not be renamed, even if the
‘Copied Object’ setting is set to ‘true’ for
these associated child objects.
v
false - auto-naming is disabled for copied
instances.
The default value is false.
324
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Setting Name
Description
New Object
Determines whether new instances of the
object are automatically named.
If the value is set to:
v
true - auto-naming is enabled for new
instances.
v
false - auto-naming is disabled for new
instances.
The default value is false.
Can be Edited
Determines whether the generated name can
be edited during the creation process.
If the value is set to:
v
v
true - the generated name can be edited.
false - the generated name cannot be
edited.
The default value depends on the object
type.
Default Parent Name
If the created object has no parent, the value
for this parameter will be used to replace
the "%P;" variable in the generated name.
Format
Determines the format of the generated
name. Additional details can be found in
“Configuring the Format of Object Names.”
4. Click a setting to open its detail page.
5. In the Value box, type a value.
6. Click Save.
Configuring the Format of Object Names
The Format setting allows you to incorporate some contextual information about
the object, as well as an identifier in the object name.
You can use the variables described in Table 57 to format the auto-generated name.
Note:
v In addition to the variables, you can include any valid text in the autoname.
v The name of an object:
– Must be 252 bytes or less.
– Cannot contain forward slashes (/), backslashes (\), or the ellipsis character
(...).
Table 57. Auto-naming Variables
Variable
Meaning
%P;
Will be replaced with the name of the parent of the new object. If
the created object has no parent, the value of the default setting
will be used.
%U;
Will be replaced with the creator’s user name.
Chapter 14. Configuring Settings
325
Table 57. Auto-naming Variables (continued)
Variable
Meaning
%Nn;
A unique sequentially generated numeric identifier.
Where:
n" specifies the amount of padding the number has.
For example, %N3 might result in 001, 002, 003, while %N5 might
result in 00001, 00002, 00003, and so forth.
%Rn;
A unique randomly generated alphanumeric identifier.
Where:
n" specifies the amount of padding the number has.
For example, %R3 might result in T6d, while %N5 might result in
T6d3fF, and so forth.
About Auto-generating Long Names:
Be wary of nesting objects with auto-generated names too deep, as the generated
names can "stack" with repeated use of the %P; variable.
For example, if you auto-generate the names of Processes, Control Objectives,
Risks, Controls, and Tests using the %P; variable for all of them, the following will
happen.
The Process Name will be Entity_Name - Process 001 (given the format string %P;
- Process &N3;)
Using the same format through the rest of the object hierarchy, the name of the
associated Control Objective is "Entity_Name - Process 001 - Control Objective 001"
(the parent name plus the rest of the format string).
The Risk name would then be "Entity_Name - Process 001 - Control Objective 001 Risk 001".
The Control name would then be "Entity_Name - Process 001 - Control Objective
001 - Risk 001 - Control 001".
And finally, the Test name is "Entity_Name - Process 001 - Control Objective 001 Risk 001 - Control 001 - Test 001". (85 characters)
With repeated use of the %P; variable, the names can get extremely long. With
longer naming conventions or the use of a multi-byte language, you could exceed
the maximum length of an object name (252 bytes).
Naming Examples:
Here are some examples of the various ways the variables can be used:
If we use a parent Process of "Hiring Practices" and a creator of "JSmith", and have
the following settings:
326
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Auto-Named value is
Can be Edited value
Format value is set
Default Parent Name
set to true
is set to false
to %P;_RIS_%N7;
has no value set
The auto-generated name is "Hiring Practices_RIS_0000001" and could not be
edited.
Example 1:
For the auto-naming format parameter
Format is set to:%P;-Risk-%N5;
the generated Risk name is "Hiring Practices-Risk-00001".
Example 2:
Given a different auto-naming format parameter, such as
Format is set to: Risk %N3; for %P; (%U;)
would result in the generated name "Risk 001 for Hiring Practices (JSmith)"
Example 3:
Not all of the variables need to be used in an auto-generated name. For example,
Format is set to: Risk %N4;
results in "Risk 0001"
Example 4:
If the risk HAD no parent process, the value of Default Parent Name is used. In
this case, the value
Format is set to: %P;_RIS_%N7;
results in "_RIS_0000001"
Signature and Lock Settings
This section contains topics for configuring signatures and locks.
Overview of Signatures and Locks
The IBM OpenPages application allows users to create "signatures" on objects. By
itself, a signature is a merely a virtual "note" that signifies the user’s agreement
that the object meets with their approval. It has no enforcement powers, and does
not prevent the item from being modified after approval has been given.
There are two ways in which signatures can be applied to an object: manually
through the Add button, or automatically through a workflow task. Your IBM
OpenPages system must be configured to support either method, and they are not
exclusive - you can implement both ways, if desired.
A workflow signature is a signature that is created on an object as a direct result of
a workflow being completed. If all other methods of creating a signature are
Chapter 14. Configuring Settings
327
disabled, the presence of a signature verifies that the necessary workflow was
completed (and when). A manual signature is added through the object’s detail
page.
A signature lock is a lock placed on an object and its descendants that prevents the
objects from being modified. The lock is activated by placing a signature on an
object; whether manually or automatically makes no difference. Once the signature
is placed, the lock becomes active. The signed object and all of its associated child
objects below it in the object hierarchy cannot be modified until the signature is
revoked or an administrator removes the lock.
Only one active lock can be placed on an object. Multiple locks can be inherited
from parent objects as those objects are locked.
The following sections explain how to implement signatures and locking behavior.
Configuring Signatures
There are two types of signatures you can enable or disable: automatic and manual
signatures.
About Automatic Signatures:
Automatic signatures are applied to an object as a result of a workflow task.
If a user is assigned a task to create a signature, completing the task results in a
signature dialog box. Once the user fills out the dialog, the new signature is
created on the object. For instructions on setting up automatic workflow
signatures, see "Enabling Signatures for Jobs" in the IBM OpenPages Workflow
Authors Guide .
About Manual Signatures:
Manual signatures are added on the detail page of an object type by clicking the
Signatures link. If configured, users can add, edit, and revoke signatures for the
specified object type from the Actions menu on the Signature pane.
The Actions menu is hidden from users who do not have the correct permissions.
When you configure manual signatures for a specific object type (such as Processes
or Accounts), you are actually granting permission to a specific group of users to
add a signature to that object type. The group will be able to add, edit, or revoke a
signature for the specified object types to which they have Read access.
To enable a user group to manually add or revoke signatures directly on an object,
you must configure the Permission setting for the specified object type. For details,
see “Configuring Manual Signatures.”
Configuring Manual Signatures:
When you explicitly add a group to an object type setting for signatures, the
following occurs:
v Manual sign off is enabled for objects of that type.
v Users who belong to the specified group will have add and revoke signature
links displayed on the Signatures pane Actions menu for the configured object
type.
328
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Note: Only groups that are explicitly named in the setting for a selected object
type can manually sign off on objects of that type. Sub-groups of a named group
do not inherit the sign-off permission.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages|Applications|GRCM|Signature|Permission folder
hierarchy.
3. Click the name of the setting that corresponds to the object type to which you
want to enable or disable a signature.
4. In the Value box on the setting detail page, do the following:
v To enable one or more groups to manually add a signature to the selected
object type, type a name of the group you want to add.
Note: If you are entering multiple user groups, use a comma to separate
group names, and do not use a space after the comma.
For example, to add the groups Auditors and Managers to the sign-off list
for Process object types, the value in the SOXProcess setting would look like
this: Auditors,Managers
v To disable one or more user groups from manually adding a signature to the
selected object type, delete the group name.
5. When finished, click Save.
6. Repeat Steps 3-5 for each object type for which you want to enable or disable a
manual signature for a group.
Configuring Signature Locks
The Mode setting controls whether a lock is created when a signature is added.
When the Autolock value is set, adding a signature to an object will also create a
lock on the object that prevents further changes from being made to the object and
any object associated with it. Revoking a signature will remove the associated lock.
Note: When the locking feature is enabled, users can only create signatures on
items to which they have Write privileges.
Configuring the Mode Setting:
This Mode setting controls how signature locks are applied to objects. By default,
this value is set to ‘None’ and objects are not automatically locked when a
signature is added.
Note: If you want to enable cascading signatures (for details see, “Configuring
Cascading Signatures” on page 330), the value must be set to Cascade.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages|Applications|GRCM|Signature folder hierarchy.
3. Click the Mode setting to open its detail page.
4. In the Value box, type one of the following values:
If the value is set to...
Then...
None
No lock is applied to the object when a
signature is added. This is the value set by
default.
Chapter 14. Configuring Settings
329
If the value is set to...
Then...
Autolock
The object is locked when a signature is
added. Only users with Write permission for
an object can create a signature.
Cascade
Cascading signatures as specified in the
Cascade setting are enabled for child objects
(for details see, “Configuring Cascading
Signatures”).
5. When finished, click Save.
Configuring Cascading Signatures:
When a parent object has a signature added to it, you can automatically apply
signatures to all of the associated objects underneath the signed object down the
entire object tree. For example, signing a process would apply that signature to any
sub-processes, accounts, risks, controls, and tests associated with the process.
This feature is turned off by default, but can be enabled through the Cascade
setting.
Note: To enable cascading signatures, the Mode setting must have the "Cascade"
value set (for details see, “Configuring the Mode Setting” on page 329).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages|Applications|GRCM|Signature|Cascade folder
hierarchy.
3. Click the name of the setting that corresponds to the parent object type to
which you want to add or remove a cascading signature.
4. In the Value box on the setting detail page, do the following:
v To add a cascading signature to child objects, type the name of the child
object type.
Note: If you are entering multiple child objects, use a comma to separate
the names, and do not use a space after the comma.
For example, to add a cascading signature to the Process object type for child
sub-processes, accounts, and risks, the value in the SOXProcess setting would
be: SOXSubprocess,SOXAccount,SOXRisk
v To remove a cascading signature from child objects, delete the name of the
child object type.
5. When finished, click Save.
6. Repeat Steps 3-5 for each object type you want to modify.
About Locking and Unlocking Objects
Locks can be applied to objects without the use of signatures.
If the Lock application permission is granted to a group, the group can create a
lock on any object to which they have Write privileges (as long as they also have
write privileges to all of the object’s associated objects down the hierarchy).
330
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The Unlock application permission allows a user to unlock any locked object, as
long as the user has Write permission to the object and all associated objects in the
hierarchy.
Note: Unlocking an object using the Actions > Unlock this menu item does NOT
revoke the signature.
For information about object tree locking, see “Configuring Object Tree Locking”
on page 332.
For information about globally unlocking business entities, see “Globally
Unlocking Business Entities” on page 334.
Locking Access Privileges:
By default, "Read" permission is required in order to be able to lock an object. This
setting can now be configured through a new property in the aurora.properties file
named "allow.locking.read.access". This property is set to ‘false’ by default.
When set to ‘true’, users with Read access to an object will be able to lock the
object by adding a signature. The default value of ‘false’ requires that users have at
least "Write" access to an object before they are allowed to lock it.
Configuring Display of the Lock Menu Item for Object Types:
You can configure the display of the Lock this menu item on the Actions menu for
various object types through the Display Lock Button setting. This setting applies
to manual and automatic signature locking.
For details, see “Configuring the Lock Menu Item for Object Types.”
For users in a group to see the Lock this menu item on the Actions menu of an
object type, the Lock application must be set on the role template for the user
group. For details, see “Configuring the Lock Menu Item for Display to Users” on
page 332.
Configuring the Lock Menu Item for Object Types:
You can view or edit the list of object types for which the Lock this menu item on
the Actions menu will be displayed.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Navigate to the OpenPages | Application | GCRM | Locks folder.
3. Click the Display Lock Button setting. The current list of object types that can
be locked appears in the Value box.
4. In the Value box:
a. To add an object type, type the name of the object type separated by a
comma.
For example: SOXBusEntity, SOXAccount, SOXSubaccount, SOXProcess,
SOXSubprocess, SOXControlObjective, SOXRisk, SOXControl, SOXTest,
SOXTestResult, SOXSignature, SOXIssue, SOXTask, SOXDocument,
SOXExternalDocument.
b. To remove an object type, delete the name of the object type from the list.
Chapter 14. Configuring Settings
331
5. When finished, click Save.
6. To view the changes in the browser, users must log out and then log back in to
the application.
Configuring the Lock Menu Item for Display to Users:
For users in a group to see the Lock this menu item on the Actions menu, you
must set the Lock application on the role template for the user group you want.
Procedure
1. Access the Role Templates page (see “Accessing the role templates page” on
page 47).
2.
3.
4.
5.
6.
Select the role template you want.
On the Role Template detail page, navigate to the Role Permissions table.
Click Edit, and select the Lock application permission under Files.
When finished, click Save.
To view the changes in the browser, users must log out and then log back in to
the application.
Configuring Object Tree Locking
About Object Tree Locking:
Typically, users lock entire object hierarchies by either adding a signature (if
Autolock is enabled) or clicking the Lock this menu item on the Actions menu of
an object type's detail page.
You can, as an administrator, configure specified child object types to automatically
lock whenever the parent object is locked using the Lock Child Types setting. If
values in the Lock Child Types setting are specified, then the platform checks each
object type for criteria settings. If criteria is not specified, then that particular child
object will be locked as it is. For details, see “Locking Child Objects When a Parent
Object is Locked” on page 333.
For example, suppose you want to lock a business entity. The IBM OpenPages
application would do the following to lock objects under a business entity
(SOXBusEntity):
Procedure
1. The IBM OpenPages application would read the setting value for the
SOXBusEntity key under the Locked Objects/Lock Child Types folder.
2. If a value is specified for SOXBusEntity, then for each of the object types listed
in the value, the platform would check whether any criteria is specified for
them under the Lock Child Types/Criteria folder.
3. If a criteria is not specified, then that particular child object will be locked as it
is.
4. If a criteria is specified for a child object type, then that child object will be
locked only if the specified criteria is met.
5. If the value obtained is step 2 is null or empty (value not specified for the
SOXBusEntity setting), then only that particular business entity will be locked.
None of its child objects would be locked.
332
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
6. If the SOXBusEntity (the key itself) setting does not exist, then the default
Lock/Lock Object Types settings will come into effect. All the object types
specified in it will be locked.
Results
If you were, for example, to specify the value for SOXBusEntity as SOXProcess,
SOXAccount, then only the Process and Account child objects under that business
entity would be locked.
The child objects of that process and account will not inherit any locks. If you
want to lock their child objects too, then you would have to specify those object
types in the value of the SOXBusEntity setting.
Locking Child Objects When a Parent Object is Locked:
You can use the object type settings under the Lock Child Types folder to
configure locks on child objects when a parent object is locked. If multiple child
object types are specified, then for each of the object types listed in the value, the
platform checks whether any criteria for each listed object type is specified under
Lock Child Types/Criteria setting.
For example, let’s say you wanted to lock child Risk objects whenever a business
entity is locked. You would enter SOXRisk in the setting Value box for
SOXBusEntity. When a business entity is locked, users would not be able to add,
associate, copy, and disassociate risks to the locked business entity. The child
objects of that risk will not inherit any locks. If you want to lock its child objects
too, then you would have to specify those object types in the value of the
SOXBusEntity setting.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Navigate to the OpenPages | Applications | GRCM | Locked Objects | Lock
Child Types folder.
Make note of the exact object name (as listed under Allowed Associations
folder) that you want to define.
3. Under the Lock Child Types folder, click a setting link that corresponds to the
child object type for which you want to configure locks (for example SOXRisk).
4. In the Value box of the selected setting, enter the exact name of one or more
child object types that should be locked when the parent object is locked.
Note: If there are multiple child object types, you must add a comma to
separate each object name. For example:
SOXControl,SOXIssue,SOXDocument,SOXExternalDocument,SOXSignature
5. When finished, click Save.
Enabling Buttons on Locked Associated Objects
You can enable associations of child objects, such as Risks or Controls, to their
locked parent objects. You can define these child objects in the Allowed
Associations setting. Specifically, the Add New, Associate, Copy From, and
Disassociate buttons or menu items remain available to users on specific
Associated object tabs of the parent object, as well as in the detail pages of the
child objects.
Chapter 14. Configuring Settings
333
For example, you can enable the SOXProcess and LossEvent child objects for
SOXBusEntity so users can associate processes and loss events to a locked business
entity. When enabled, the business entity detail page displays the Associate buttons
(Add New, Associate, Copy From, and Disassociate) only on the Processes and Loss
Events tabs. Note that the Associate buttons also display on the SOXProcess and
LossEvent detail pages.
Configuring the Registry to Enable Associations of Child Objects:
You can make objects available to users for association when a parent object is
locked.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Navigate to the OpenPages | Applications | GRCM | Locked Objects |
Allowed Associations folder.
3. Make note of the exact object name (as listed under Allowed Associations) that
you want to define (for example SOXRisk).
4. Under Allowed Associations, click the name of a parent object type (such as
SOXBusEntity).
5. In the Value box, enter the exact name of one or more child object types.
Note: If you have multiple object types, you must add a comma to separate
each object type name.
6. When finished, click Save.
Results
When a business entity is locked, users will be able to add, associate, copy, and
disassociate risks to the locked business entity.
Note: The Add New, Associate, Copy From, and Disassociate buttons are
disabled for all other object types in the system that are not defined in the
Allowed Associations setting.
Globally Unlocking Business Entities
Administrators can enable a global unlock operation for business entities or
sub-entities by enabling the Remove All Tree Locks application permission for
designated groups of users. The Unlock All operation removes all direct and
inherited locks on a business entity, including all of its children.
Note: When you enable the Remove All Tree Locks application permission for a
group, the Unlock All button is displayed only on a business entity or sub-entity
detail page.
Typically, you would use the Unlock All operation if
v The remove locks option was not selected after a finalized reporting period.
v Different business sub-entities of a multi-national organization have different
reporting-period closure dates during the year. One sub-entity may need to
remain locked while other entities are unlocked.
For example:
334
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
BE-US is a business entity representing the corporate office of a multi-national
firm. BE-IND and BE-UK are two sub-entities within the BE-US entity. December
is the financial closure period for BE-UK while March is the closure period for
BE-IND.
When BE-US is signed off in December, BE-IND and BE-UK remain locked along
with their associated objects. Since December is the reporting-period closure date
for BE-UK also, its reporting period is finalized. If the Unlock All operation is
applied to BE-UK exclusively, users can keep working in the BE-UK object
hierarchy while BE-IND and its hierarchy remain locked.
Setting a Global Unlock Permission:
When loading buttons for a business entity or sub-entity detail page, the IBM
OpenPages application checks whether the logged-in user has the Remove All Tree
Locks application permission. If permissions are satisfied, the Unlock All button
displays on the business entity or sub-entity detail page.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Create or select a group and navigate to its Permissions tab.
3. On the Permissions tab, click Edit.
4. Under Files, select Remove All Tree Locks.
5. When finished, click Save.
Settings That Apply to Environment Migration
The environment migration settings are found in the OpenPages | Applications |
GRCM | Environment Migration folder hierarchy.
For instructions on accessing the settings page, see “Accessing the Settings Page”
on page 313.
Table 58. Environment Migration Settings
Setting
Definition
Asynchronous
Timeout
The timeout value (in seconds) for AJAX calls on environment
migration pages. The default is 120.
Export File Name
Prefix
Prefix to be added to the environment migration export JAR file
name. The default prefix openpages is used if no value is given. Prefix
length is limited to 15 characters. If the prefix is longer than 15
characters, it is truncated.
Important:
v The following characters cannot be used in the prefix:
\ / | * : { } [ ] " ?
v Do not use the special characters as defined in CJK Compatibility
Ideographs Unicode Block Name and the four-byte characters as
defined in the CJK Unified Ideographs EXTENSION-B Unicode
Block Name in the Export File Name Prefix.
The special characters to avoid are:
Chapter 14. Configuring Settings
335
Table 58. Environment Migration Settings (continued)
Setting
Definition
Maximum String
Items
Controls how many rows are displayed in the Review selected items
box when exporting items with environment migration. Permissible
values are any integer greater than zero. The default is 10000.
Certain categories of items that can be exported with Environment
Migration (such as Application Text) contain many tens of thousands
of items. To reduce the page size and make Internet Explorer more
responsive when reviewing these categories, you can now set a limit
on the number of items that are shown. When a limit is set you can
still use the search feature to find items beyond the row limit.
Process Log Report
Page Spec
The location of the Process Log Report Page Spec. This value was
previously fixed and can now be set. The default is
/_cw_channels/Reporting/Hidden Reports/CommandCenter/
Administrative Reports/Environment Migration/Process Log
Report.pagespec
Special Character
Validation
Specifies whether or not special characters are checked while
validating names of metadata. The default is true. Set to false to
preserve legacy special character rules.
The ImportConfiguration and ExportConfiguration Application Permissions are
required to access environment migration for import and export. For details on
these permissions, see “Application Permissions” on page 22.
For an overview of Environment Migration, see Chapter 19, “Migrating IBM
OpenPages Environments,” on page 627.
Reporting Fragment Settings
For all profiles, you can globally configure the following settings for report
fragment fields.
Setting Limits for Automatically Sized Reporting Fragment
Pop-up Windows
Using the settings in this section, you can control the size of the pop-up window
for report fragment fields in certain object views.
A report fragment pop-up window can be sized:
v Manually — by specifying the size of the pop-up on the field definition page of
a report fragment field.
v Automatically — if no size is specified on the field definition page of a report
fragment field, the pop-up window will be automatically sized using the settings
in Table 59 on page 337.
Report fragment fields with a display type of ‘On Demand’ always display Cognos
report components in a pop-up window.
For report fragment fields with a display type of ‘Automatic’, the display behavior
varies depending on the object view:
v For Detail and/or Activity View pages — Cognos report components are always
embedded directly into the cell of the report fragment field.
v For view pages that have a tabular format, such as List View, Folder View, and
Filtered List View pages, and on the My Work tab on the Home page — Cognos
report components are displayed in pop-up windows.
336
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The sizing rules for report fragment field pop-up windows apply to both ‘On
Demand’ and ‘Automatic’ display types used in List and/or Folder Views.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Report Fragments folder
hierarchy.
3. Click one of the following settings to open its detail page:
Table 59. Settings for Reporting Fragment Pop-up Windows
Setting
Description
Initial Value
Maximum Height
Sets the default maximum height allowable
for a report fragment pop-up window.
375
Maximum Width
Sets the default maximum width allowable
for a report fragment pop-up window.
575
Minimum Height
Sets the default minimum height allowable
for a report fragment pop-up window.
250
Minimum Width
Sets the default minimum width allowable
for a report fragment pop-up window.
350
4. In the Value box for the selected setting, change the existing value to a new
number (must be greater than zero).
5. To change another setting value, repeat Steps 3 and 4.
6. When finished, click Save.
Notification Manager Mail Server Settings
This section contains topics for mail server configuration.
Setting the Address of the Mail Server
You can use the Mail Server setting to configure your mail server so you can
automatically send e-mail notifications to users from your JSP-based reports or the
Notification Manager utility.
Note: You can override this global setting by entering the name of a mail server
in the notification ‘Mail Server’ parameter (for details, see “Creating a
Notification” on page 729).
By default, the mail server value is: mail.yourcompany.com
Procedure
Access the Settings page (see “Accessing the Settings Page” on page 313).
Expand the OpenPages | Applications | Common | Email folder hierarchy.
Click the Mail Server setting to open its detail page.
In the Value box, type the name of your mail server and domain in the format
provided.
5. When finished, click Save.
1.
2.
3.
4.
Configuring the Host Setting
If you have legacy or older JSP reports and want to send e-mail notifications to
users from these legacy JSP-based reports or the Notification Manager utility, you
must enable and configure the following settings.
Chapter 14. Configuring Settings
337
Note: This setting is only used for backward compatibility.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Platform | Publishing | Mail folder hierarchy.
4. Click the name of a setting listed in the following table to open its detail page,
and change the value as follows. Make sure to click Save after each setting
change.
For this setting...
In the Value box on the setting detail
page...
Enabled
Set the value to true.
From Address
Verify or enter the e-mail address of the
sender using a valid e-mail address and
format.
By default, the value is:
[email protected]
Host
Verify or enter the name of your mail server.
By default, the value is:
mail.yourcompany.com
5.
Reset the value in the Show Hidden Settings setting to false.
Object Reset Settings
Before performing an Object Reset, you can set the logging level, whether or not
the Reset session should continue or halt if errors are encountered, if ACLs should
be checked and locks ignored. In general, these settings will only need to be set
once before your first time initiating an Object Reset, but you may wish to change
them for different entity trees or ruleset behavior.
Changing the Logging Level
The Logging Level setting controls how much information is displayed on the user
interface. The Session Log captures detailed information regardless of the user
interface display setting. You can change the logging information that is displayed
on the user interface for a reporting period.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Object Reset folder
hierarchy.
3. Click the Logging Level setting to open its detail page.
4. In the Value box, type one of the following values:
338
If the value is set to...
Then...
Low
Only error messages are displayed.
Medium
Both error and warning messages are
displayed.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
If the value is set to...
Then...
High
Errors, warnings, and any informational or
diagnostic messages are displayed.
This value is set by default.
5. When finished, click Save.
Continuing on Error
The Continue on Error setting determines whether the Object Reset session will
log errors and continue to run, or whether the errors will be logged and the
session halted. You can change whether the Object Reset session runs or halts
processing when an error is encountered.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Object Reset folder
hierarchy.
3. Click the Continue on Error setting to open its detail page.
4. In the Value box, type one of the following values:
If the value is set to...
Then...
true
Errors are logged and processing continues.
This value is set by default.
false
Errors are logged and processing is halted.
5. When finished, click Save.
Obeying ACL Restrictions
The Check ACL setting controls whether the Object Reset occurs against all objects
contained within the scope of the Reset session, or whether the Object Reset occurs
against only those objects to which the user who initiated the Reset has access. You
can change the scope of the Object Reset session.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Object Reset folder
hierarchy.
3. Click the Check ACL setting to open its detail page.
4. In the Value box, type one of the following values:
If the value is set to...
Then...
true
Includes all objects within the scope of the
Reset session.
This value is set by default.
false
Includes only those objects within the Reset
session to which the user has access.
5. When finished, click Save.
Chapter 14. Configuring Settings
339
Obeying Locking Restrictions
The Ignore Locks setting controls whether existing locks on objects are honored or
ignored when running an Object Reset. You can change whether or not locks are
ignored during an Object Reset session.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Object Reset folder
hierarchy.
3. Click the Ignore Locks setting to open its detail page.
4. In the Value box, type one of the following values:
If the value is set to...
Then...
true
Locks on objects will be ignored when
running the Reset session.
false
Locked objects will not be modified by the
Reset session.
This value is set by default.
5. When finished, click Save.
Configuring Object View Settings
Home Page Settings
For all profiles, you can globally configure the following Home page settings.
Ordering the Display of Pre-defined Tables:
You can use the Items setting to globally change the order of how pre-defined
tables are displayed on a Home page. The order of the items determines the order
of the corresponding HTML tables.
The format and default order of items are:
myTasks,myJobs,myCheckedOutFiles,myReports
Where:
This item value...
Corresponds to this pre-defined table...
myTasks
My Tasks
myJobs
My Jobs
myCheckedOutFiles
My Checked-Out Files
myReports
My Reports
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Home Page folder
hierarchy.
3. Click the Items setting to open its detail page.
4. In the Value box, re-order the items as wanted.
5. When finished, click Save.
340
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Defining the Number of Embedded Reports:
You can use the Maximum Embedded Reports setting to globally change the
maximum number of embedded reports that can be configured for a Home page.
By default, the value is set to display a maximum of 2 embedded reports.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Home Page folder
hierarchy.
3. Click the Maximum Embedded Reports setting to open its detail page.
4. In the Value box, type a number greater than zero.
Note: Setting this value too high will negatively impact performance.
5. When finished, click Save.
Setting the Number of Objects Listed in a Table:
You can use the Maximum Objects setting to globally control the maximum
number of objects that can be listed for each table (excluding My Reports) on a
Home page.
By default, the value is set to display a maximum of 5 listed objects per table.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Home Page folder
hierarchy.
3. Click the Maximum Objects setting to open its detail page.
4. In the Value box, type a number greater than zero.
5. When finished, click Save.
Setting the Number of Report Listings:
You can use the Maximum Reports Listing setting to globally control the
maximum number of reports that can be listed in the My Reports table on a Home
page.
By default, the value is set to display a maximum of 5 listed reports.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Home Page folder
hierarchy.
3. Click the Maximum Reports Listing setting to open its detail page.
4. In the Value box, type a number greater than zero.
5. When finished, click Save.
Filtered List View Settings
You can globally configure the following Filtered List View page settings.
Chapter 14. Configuring Settings
341
Note: If you are using the FastMap tool, in addition to configuring export settings
on a Filtered List View page, you can also configure FastMap import settings to
optimize performance. See “Optimizing FastMap Performance” on page 723.
Configuring the Display of Initial Results on Filtered List View Pages:
You can use the Show All Objects setting to control whether results are displayed
on a Filtered List View page the first time users select an object type. By default,
no results are displayed to users until a filter is selected or added.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages > Applications > GRCM > Filtered List folder
hierarchy.
3. Click the Show All Objects setting to open its detail page.
4. In the Value box, type one of the following:
v true - displays all available results (if any). No filter is applied.
v false - no results are displayed until a filter is selected or added. This is the
default value.
Note: Users can type % (percentage symbol) in the Quick Filter box then
click Apply to return all available results (if any).
5. When finished, click Save.
Configuring Fields for Advanced Filters:
You can use the Filter on all fields in profile setting to control whether the fields
in a Detail View or in a user's profile are available for creating an Advanced Filter
on a Filtered List View page. By default, only the fields included in an object type
Detail View page are available for creating an Advanced Filter.
For example, you might exclude certain system fields (such as Creation Date and
Created by) and custom fields from a Detail View of an object type, but include
these fields in the user's profile. If you wanted to make all fields included in the
user's profile available for creating an Advanced Filter, you would set the value of
the Filter on all fields in profile setting to true.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages > Applications > GRCM > Filtered List folder
hierarchy.
3. Click the Filter on all fields in profile setting to open its detail page.
4. In the Value box, type one of the following:
v true - all fields included in the user's profile are available for creating an
Advanced Filter.
v false - only fields included in an object type Detail View are available for
creating an Advanced Filter. This value is the default.
5. When finished, click Save.
342
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Setting the Number of Objects for Export to Excel:
You can use the Maximum Export Size setting to control the maximum number of
objects that can be retrieved and exported to Microsoft Excel (in .xls format) from
a Filtered List View page.
By default, the value is set to retrieve and export a maximum of 1000 objects.
If the number of objects being exported exceeds the defined number, then the user
will be prompted to refine their filter.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Filtered List folder
hierarchy.
3. Click the Maximum Export Size setting to open its detail page.
4. In the Value box, type a number greater than zero.
5. When finished, click Save.
Setting the Number of Concurrent Export Requests:
You can use the Concurrent Exports setting to control the maximum number of
Export to Excel (in .xls format) requests that will be handled at the same time.
By default, the value is set to 10.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Filtered List folder
hierarchy.
3. Click the Concurrent Exports setting to open its detail page.
4. In the Value box, type a number greater than zero.
5. When finished, click Save.
Listing Pane Setting
You can globally configure the following listing pane setting.
Setting the Number of Objects Listed:
You can use the Page Size setting to control the maximum number of associated
objects that can be listed in a child object listing pane on Detail View and Activity
View pages.
By default, the value is set to 5. If the number of child objects that are returned
exceed the set value, a ‘Prev’ and ‘Next’ link is displayed.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2.
3.
4.
5.
Expand the OpenPages | Applications | GRCM | List View folder hierarchy.
Click the Page Size setting to open its detail page.
In the Value box, type a number greater than zero.
When finished, click Save.
Chapter 14. Configuring Settings
343
Optimizing File Uploads
To enhance the performance of large files for upload to the OpenPages application,
you can enable the Optimized File Upload setting.
When enabled, this feature:
v Compresses the selected file on the user’s machine before uploading it to the
IBM OpenPages repository.
v Displays additional ‘Optimized File Upload’ text and a Browse and Save button
to users for attaching files.
Note: The file upload applet requires the Java Runtime Environment version 6
on the client browser.
By default, this value is disabled.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications |Common folder hierarchy.
3. Click the Optimized File Upload setting to open its detail page.
4. In the Value box, type one of the following values:
If the value is set to...
Then...
true
The Optimized File Upload Browse and
Save button is displayed to users in addition
to the standard file upload button.
false
Only the standard file upload button is
displayed to users.
This value is set by default.
5. When finished, click Save.
Creating and Deleting Custom Settings
When enabling new content types and creating your own reports, you may need to
create your own custom setting within the OpenPages Settings menu.
By default, you cannot create or delete settings in the IBM OpenPages application,
so you will need to enable the feature, and then create the new setting as described
in the following instructions.
Enabling the Creation and Deletion of New Settings
Use the Allow Create and Delete Settings entry to enable or disable the Add
Setting button on the Settings page. This button allows you to add and delete
settings.
By default, the Add Setting button is disabled (the value is set to false).
Important: Do not delete any of the predefined settings shipped with IBM
OpenPages . These settings are required and will cause unexpected behavior in the
application if they are removed.
344
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1.
2.
3.
4.
Access the Settings page (see “Accessing the Settings Page” on page 313).
Expand the OpenPages | Applications | Common | Configuration folder.
Click the Allow Create and Delete Settings setting to display the Edit page.
In the Value box, change the value to true (the default value is false).
5. Click Save. The Add Setting button at the top of the page is enabled.
Creating a New Setting
After enabling the Allow Create and Delete Settings setting, you can create
custom settings entries in new or existing folders.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Verify that the Allow Create and Delete Settings entry is set to true (see
“Enabling the Creation and Deletion of New Settings” on page 344).
3. Navigate to the folder where you want to create the new setting and select the
check box next to the folder.
4. Click the Add Setting button.
5. On the Settings detail page, do the following:
In this box...
Do this...
Setting Name
This field is required. Type a name for this
setting.
Description
Type a description of the setting.
Value
Type a value for this setting
6. Select Encrypted if you want the value of the setting to be encrypted.
7. When finished, click Create to add the new setting to the current folder.
Deleting a Setting
After enabling the Allow Create and Delete Settings setting, you can delete
settings in new or existing folders.
Important: Do not delete any of the predefined settings shipped with IBM
OpenPages . These settings are required and will cause unexpected behavior in the
application if they are removed.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Navigate to the folder that contains the setting to be deleted and select the
check box next to the desired setting. The Delete button should become active.
Note: If you select a folder, all settings within that folder will be deleted as
well.
3. Click the Delete button. A confirmation dialog is displayed.
4. Click OK to delete the chosen setting.
Chapter 14. Configuring Settings
345
Common Folder Settings
The settings listed in this section represent a selected list of individual settings that
are under the OpenPages Common folder.
Excluding Characters From User Names
When you create user names, you can exclude the use of any alphanumeric and
special characters, including spaces, through the Illegal Characters setting.
For example, if you were to add an asterisk (*) as a value to this setting, the
application would validate the user name for that character before it was created.
If it detected an asterisk in the user name, such as Test*User, it would display an
error message.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Common | Security | User Name folder hierarchy.
3. Click the Illegal Characters setting to open its detail page.
4. In the Value box, type any characters (including spaces and punctuations) that
you want to be considered as invalid when creating a user name. For example,
to include the asterisk (*) and ampersand (&) as invalid characters when
creating a user name, you would enter *& in the Value box.
5. When finished, click Save.
Setting the System Security Model
During installation, by default, the security context point at which you can assign
Role Templates to users on objects in the hierarchy is set at the Business Entity
(SOXBusEntity) level.
If wanted, you can extend the security context to other objects in the hierarchy to
achieve a finer level of control by changing the Model setting.
Important:
This is a system-wide setting. Switching the security model after data is loaded (or
migrated) into the system is not recommended and requires assistance from
OpenPages Professional Services.
The syntax for the Model setting is: SOXBusEntity/object_type-name
Example
To create a security point for assigning Role Templates at a Process level, you
would enter:
SOXBusEntity/SOXProcess
Permissions in the Role template could then be assigned at either the Business
Entity or Process level, and would include any objects that were created beneath
that security context point in the same location.
The maximum number of security context points you can have in the Model
setting is 3. For example, SOXBusEntity/SOXProcess/RiskAssessment
346
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
Access the Settings page (see “Accessing the Settings Page” on page 313).
Expand the OpenPages | Common | Security folder hierarchy.
Click the Model setting to open its detail page.
In the Value box, enter the object type names you want to use as security
points.
For example, SOXBusEntity/SOXProcess
5. When finished, click Save.
1.
2.
3.
4.
Disabling Access Control on Role Groups
When a Role Template is disabled, you can use the Disable Role Group setting to
globally control the security access of users and groups who were previously
assigned that role.
By default, the value of the setting is ‘false’, which means that users and groups
retain their access control and application permissions when a previously assigned
role template is disabled.
A disabled role template is removed from the role assignment selection list and
cannot be used for further role assignments.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Common | Security | Role Templates folder
hierarchy.
3. Click the Disable Role Group setting to open its detail page.
4. In the Value box, type one of the following values:
If the value is set to...
Then...
true
Users and groups who were previously
assigned that role, will lose their access
control and application permissions.
false
Users and groups who were previously
assigned that role, will retain their access
control and application permissions.
This value is set by default
5. Click Save.
Related tasks:
“Enabling and disabling a role template” on page 49
You can make a role inactive and keep it for future use by disabling the role. You
can also enable a role that was previously disabled.
Platform Folder Settings
The settings listed in this section represent a selected list of individual settings that
are under the OpenPages Platform folder.
Setting Localization Options
You can configure settings in the Globalization folder to audit translation label
changes and set a default language for the IBM OpenPages application.
Chapter 14. Configuring Settings
347
The Globalization folder contains the following configuration settings:
About this task
Table 60. . Globalization folder configuration settings
Setting
Description
Auditing Enabled
Enable auditing of changes made to
translated object and application label text.
If the value is set to:
v
true - auditing is enabled.
v
false - auditing is disabled.
By default, the value is true.
Default Locale
Set the language in which the application
user interface will be displayed to users by
default.
Note: Users can override the default locale
setting by choosing another language
through the My OpenPages, My Settings
menu item on the navigation bar.
The following is a list of the supported
locale code values with their corresponding
language:
v
de_DE (German)
v
en_GB (U.K. English)
v
en_US (U.S. English)
v
es_ES (Spanish)
v
fr_FR (French)
v
it_IT (Italian)
v
ja_JP (Japanese)
v pt_BR (Brazilian Portuguese)
v zh_CN (Simplified Chinese)
v zh_TW (Traditional Chinese)
The default installation locale value is
en_US.
To set, for example, the default language of
the application interface so it displays
information in German, you would type
de_DE in the Value box.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Globalization folder hierarchy.
3. Click a setting to open its detail page.
4. In the Value box, type a value.
5. When finished, click Save.
Configuring Primary Associations
When a child object has multiple parent objects, the Association Heuristic setting
controls how the system reassigns a new primary parent to a child object that is
348
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
disassociated from its primary parent object. You can change how primary parent
objects are reassigned to disassociated child objects.
Procedure
1.
2.
3.
4.
Access the Settings page (see “Accessing the Settings Page” on page 313).
Expand the OpenPages | Platform | Repository | Resource folder hierarchy.
Click the Association Heuristic setting to open its detail page.
In the Value box, type one of the following values:
v Chronological
The reassignment of a primary parent is based upon the earliest creation date
and time of an association.
This value is set by default.
v Folder Context
The reassignment of a primary parent is based upon the folder path within
the context of the business entity.
For example, let’s say that control, C1, has multiple risk parents: R1, R2, R3,
and R4 (primary parent) and the object associations were created in the
following chronological order:
Parent Folder Path
C1 Child Folder Path
/BE1/SBE2/R2
/BE1/SBE1/C1
/BE1/SBE1/R1
/BE1/SBE1/C1
/BE1/SBE3/R3
/BE1/SBE1/C1
/BE1/SBE4/R4
(primary parent)
/BE1/SBE1/C1
If you disassociate the primary parent, R4, from C1, although R2 is
chronologically the earliest association to C1, R1 will be reassigned as the
primary parent. This is because R1 and C1’s folder paths match
(/BE1/SBE1).
Note: If no folder path matches the child object, then chronological order is
used.
5. When finished, click Save.
Configuring the legacy move behavior
The Legacy Move Behavior setting controls how the IBM OpenPages application
handles storage locations when moving a self contained object (such as a Business
Entity).
The Legacy Move Behavior setting can be found at OpenPages > Platform >
Repository > Resource > Move > Self-Contained Object Types > Legacy Move
Behavior.
The setting defaults to false, which means that the system will use hierarchical
based logic when moving self-contained objects.
When the Legacy Move Behavior setting is true, objects that are stored within the
self-contained object hierarchy are moved to a corresponding folder in the new
location. Objects stored outside of the self-contained object hierarchy are left in
Chapter 14. Configuring Settings
349
their original location. Use this option if the location of the objects plays an
important role in security or object management.
When the Legacy Move Behavior setting is false, all objects with primary
associations are moved to the logical location dictated by the object relationship
hierarchy. Use this option to allow the system to reorganize object storage so that it
mirrors the relationship hierarchy.
Reporting Framework V6 Generation Settings
This section contains settings for controlling reporting framework generation.
Enabling Reporting for Custom Forms
In order to run reports against a custom object type (such as a custom form or
survey), you must include the object type in the Object Prefix setting with a
unique two-letter identifier. The framework generator will use the two-letter
identifier as a prefix when creating columns in the real-time reporting schema
tables.
As a best practice, we recommend you use Z<n> as a prefix for custom forms to
avoid conflicts with future IBM OpenPages object types.
Where: Z represents the first letter of the prefix, and <n> represents an uppercase
letter, such as ‘A’, ‘B’, ‘C’, and so forth (for example, ZA, ZB, ZC).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Reporting Framework V6 |
Configuration folder hierarchy.
3. Click the Object Prefix setting to open its detail page.
4. Add the new object type and prefix to the end of the current setting with a
comma.
In the following example, the new object type (in bold) is called
‘CustomSurvey’ and the prefix is ‘ZA’.
...PROJECTACTIONITEM=PA,SOXSIGNATURE=SI,CUSTOMSURVEY=ZA
Note: The prefix must be entered as two upper-case letters, and must be
unique - no other content type in the list can have the same prefix.
5. When finished, click Save.
6. Update the reporting framework model. For details, see “Updating the
Reporting Framework” on page 89.
Results
Note: The following information applies only to systems that have been upgraded
from versions of OpenPages 5.x or earlier and are using the Legacy Reporting
Framework.
If you add a new custom form (such as a survey) and want reporting capability in
both the Reporting Framework V6 and Legacy Reporting Framework, then you
must also add the new prefix to the Object Prefix setting in the OpenPages |
Platform | Reporting | Framework | Generation folder hierarchy for the Legacy
Reporting Framework.
350
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Configuring Namespaces in the Reporting Framework
If the supplied (out-of-the-box) namespaces in the generated IBM OpenPages
Reporting Framework V6 do not meet your reporting requirements, you can define
new namespaces that contain the required objects with the necessary relationships.
Note: For systems that have been upgraded from versions of OpenPages 5.x or
earlier, see Appendix C, “Legacy Reporting Framework Generation Settings,” on
page 747 for information on configuring namespaces in the Legacy Reporting
Framework.
About Namespaces:
A namespace uniquely identifies a collection of query subjects and other objects
(such as calculations) for satisfying reporting requirements. The IBM OpenPages
Cognos reporting framework model contains one default namespace and,
depending on your environment, non-default namespaces.
Table 61 lists the entries that define a namespace in the IBM OpenPages Reporting
Framework V6. Only the Object Model entry is required, all other entries are
optional.
Important: Entries in a namespace must exactly match the names under the
‘Entry Name’ column in Table 61.
Table 61. Entries that Define a Namespace
Entry Name
Required?
Comment
Is Default
No
This setting defines whether or not a namespace will be
used as the default namespace in the IBM OpenPages data
model.
If the value is set to:
Is Enabled
No
v
true - the namespace is set as the default namespace
for use by generation logic, and is created first.
Note: The data model can have only one default
namespace. By default, the value of the DEFAULT
namespace that is supplied by IBM OpenPages
(out-of-the-box) is set to true.
v
false - the namespace is set as a non-default
namespace.
This setting defines whether or not a namespace is
generated in the IBM OpenPages Reporting Framework
V6 data model.
If the value is set to:
Object Model
Yes
v
true - the namespace will be generated when the
framework model is updated. This is the default value.
v
false - the namespace will not be generated and any
previously existing namespace will be removed.
This setting contains your data object model (object
relationships).
The IBM OpenPages Reporting Framework V6 generator
uses the value pairs in this entry to define the parent-child
relationships in the generated framework model.
Chapter 14. Configuring Settings
351
Table 61. Entries that Define a Namespace (continued)
Entry Name
Required?
Comment
Entity
Recursive
Object Levels
No
If one or more sets of recursive object levels are defined in
the IBM OpenPages application, this setting provides the
ability to specify which recursive object level set you want
available in a given namespace.
Multiple recursive object level sets must be separated by a
comma.
Example
ROL-1,ROL-2,ROL-3
For information on defining recursive object levels, see
“Configuring Recursive Object Levels” on page 97.
The IBM OpenPages Cognos Reporting Framework V6 generator uses the
definition of a namespace to create corresponding namespaces in the framework
model.
If a relationship defined in a namespace matches a relationship that is defined in
the object model, then the Reporting Framework V6 automatically creates a direct
relationship between these objects.
About Naming Namespaces:
Names of namespaces can be translated in application text. The following list
contains best practices to keep in mind when naming namespaces.
v Keep namespace names short for readability (long names will wrap to another
line).
v For consistency and compatibility with the reporting framework, use only the
following characters when naming namespaces:
– Uppercase letters
– Numbers
– Underscores (_)
Examples : MY_NAMESPACE and NAMESPACE101
Configuring a New Namespace:
The process for configuring a new namespace in the IBM OpenPages Reporting
Framework V6 involves the following tasks:
“Add a New Namespace” on page 353.
“Populate the Namespace with Entries” on page 353.
Note:
v Only the Object Model entry is required.
v If you want reporting capability for object types that are in a triangle
relationship and have configured the Supported Triangle Relationships setting,
the paths between these object types must be reflected in the Object Model
entry of a namespace. The namespace can be either new or existing. For details
on configuring the Supported Triangle Relationships setting, see “Configuring
Triangle Object Relationships” on page 355.
352
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Add a New Namespace:
Use the following steps to add a new namespace to the IBM OpenPages Reporting
Framework V6.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Platform | Reporting Framework V6 | Models |
OPENPAGES_FRAMEWORK_V6 | Namespaces folder hierarchy.
4. Select the box next to the Namespaces folder, and then click the Add Folder
button.
5. In the Add Folder box, type a name for the new namespace. For example,
MYCOMPANY_NAMESPACE.
The newly created namespace is represented by a folder icon under the
Namespaces folder.
Populate the Namespace with Entries:
You can populate a namespace with the proper namespace entries by doing one of
the following:
v “Creating Each Entry Separately”
v “Copying Entries from an Existing Namespace” on page 354
Note: The Object Model entry is required. Other entries from Table 61 on page 351
can be added to the namespace as wanted.
Once the reporting framework is updated with the new namespace, that
namespace will be available in Cognos for reports.
Creating Each Entry Separately:
This method requires that you create and type the name of each entry you want.
Procedure
1. Verify that the Allow Create and Delete Settings setting is enabled (see
“Enabling the Creation and Deletion of New Settings” on page 344).
2. Select the box next to the namespace you created in “Add a New Namespace.”
3. Click the Add Setting button.
4. On the Settings detail page, do the following
a. In the Setting Name box, type Object Model (text must be exactly as
shown).
b. In the Description box, optionally type a description.
c. In the Value box, type the values you want.
The Object Model entry uses value pairs to reflect parent-child object
relationships. The syntax is:
<parent object>|<child object>,<parent object>|<child object>
Example
SOXBusEntity|SOXBusEntity,SOXRisk|SOXControl
d. When finished, click Save.
Chapter 14. Configuring Settings
353
5. If wanted, create additional namespace entries (see Table 61 on page 351 for a
list) in the new namespace. Repeat Steps 2 - 4 substituting the name of the
entry and values you want.
6. When finished, update the reporting framework model. For details, see
“Updating the Reporting Framework” on page 89.
Copying Entries from an Existing Namespace:
This method involves using the copy operation to copy an entry from an existing
namespace into the new namespace and then modifying the values of the copied
entry as wanted.
Procedure
1. Navigate to an existing namespace and expand the selected namespace folder.
2. Copy the Object Model entry from the existing namespace into the new
namespace created in task “Add a New Namespace” on page 353 as follows:
a.
b.
c.
d.
In the existing namespace, select the box next to the Object Model entry.
Click the Copy To button.
In the copy window, select the name of the new namespace.
Click OK to copy the entry from the existing namespace into the new
namespace.
3. Modify the copied values in the Object Model entry as follows:
a. Under the new namespace, click the Object Model entry to open its detail
page.
b. In the Value box, modify the value pairs that reflect the parent-child object
relationships you want.
The syntax for adding parent-child object relationships is:
<parent object>|<child object>,<parent object>|<child object>
Example
SOXBusEntity|SOXBusEntity,SOXRisk|SOXControl
c. When finished, click Save.
4. If wanted, copy additional namespace entries (see Table 61 on page 351 for a
list) into the new namespace. Repeat Steps 2 and 3 substituting the name of the
entry and values you want.
5. When finished, update the reporting framework model. For details, see
“Updating the Reporting Framework” on page 89.
Editing Values in an Existing Namespace:
If wanted, you can modify the values contained in an existing namespace so that
the namespace satisfies your reporting requirements.
Important: We do not recommend changing the relationships of any IBM
OpenPages supplied namespaces.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Reporting Framework V6 | Models |
OPENPAGES_FRAMEWORK_V6 | Namespaces folder hierarchy.
3. Navigate to and expand the namespace folder you want to modify.
4. To change the value of an entry, do the following:
354
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
a. Under the selected namespace, click the entry name to open its detail page.
b. In the Value box of the selected entry, modify the values as wanted.
c. When finished, click Save.
5. When finished, regenerate the framework model. For details, see “Updating the
Reporting Framework” on page 89.
Configuring Triangle Object Relationships
To enhance report authoring capability, you can use the Supported Triangle
Relationships setting to configure object types with triangle relationships in the
Reporting Framework V6 relational data model.
About Triangle Object Relationships:
A triangle object relationship exists when one child has two parents that are related
to each other. Within the triangle, the "top" (parent 1) and "bottom" (child) object
types are non-recursive, with the "middle" (parent 2) object type being recursive
(such as Sub-Process).
A triangle relationship that includes two recursive object types is not supported.
For example, a report author has a requirement to create a Risk report that allows
business users to access risks associated with various processes and sub-processes
within their company.
To provide the report author with easier reporting capability in the framework
model, you could configure a triangle relationship between the non-recursive child
Risk object and its two related parents: a non-recursive parent Process object and a
recursive parent Sub-Process object type, as shown in Figure 12.
Figure 12. Triangle Relationship Between Objects
Without the configured triangle, the report author would have to use advanced
techniques that may not perform as well to accomplish this task.
Process Overview:
Whenever you configure triangle object relationships in the reporting framework,
you must perform the tasks described in the following topics.
Configure Triangle Object Relationships in a Namespace:
The path between the objects forming a triangle relationship must be reflected in a
namespace within the reporting framework.
Chapter 14. Configuring Settings
355
For example, a namespace might have the following object type hierarchy
configured for Business Entity, Process, Sub-Process, and Risk object types as
follows:
Note: If you have already configured triangle object relationships in a namespace,
then skip this task.
SOXBusEntity|SOXProcess,SOXProcess|SOXSubprocess,SOXSubprocess|SOXRisk
To reflect the triangle relationship shown in Example 1 in Figure 12 on page 355,
that namespace would have to be modified to also include the path between
Process and Risk objects as follows:
SOXBusEntity|SOXProcess,SOXProcess|SOXSubprocess,SOXProcess|SOXRisk,
SOXSubprocess|SOXRisk
You can add triangle object relationships to a namespace.
For instructions on:
v Modifying an existing namespace, see “Editing Values in an Existing
Namespace” on page 354.
v Adding a new namespace, see “Configuring a New Namespace” on page 352.
Configure the Supported Triangle Relationships Setting:
The spelling and case of the object type name must exactly match its system name.
For example, you would type SOXBusEntity for the Business Entity object type.
Using the wrong case for letters or using the label text will result in an error
message.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Reporting Framework V6 |
Configuration folder hierarchy.
3. Click the Supported Triangle Relationships setting to open its detail page.
4. In the Value box, use the following syntax to configure the three objects in a
triangle relationship:
Parent1|Parent2|Child
Example
SOXProcess|SOXSubprocess|SOXRisk
Note: To enter multiple sets of triangle relationships, separate each triangle set
with a comma.
Example
SOXProcess|SOXSubprocess|SOXRisk,Mandate|Submandate|Requirement
5. When finished, click Save.
Update the Reporting Schema to Include the Configured Triangle Relationship:
There are two ways to update the reporting schema.
You can either:
v Run the SQL script described in this procedure. This method incrementally
updates the reporting schema with the triangle relationship configuration.
356
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Use the IBM OpenPages application user interface described in “Creating or
Re-creating the Reporting Schema” on page 84. This method updates the entire
reporting schema.
Note: We recommend running the following SQL script to incrementally update
the reporting schema as it is much faster than using the application user interface
method.
Procedure
1. Log on to a machine with SQL*Plus and access to the database server.
2. Run the following script:
begin
OP_CONTEXT_MGR.ENTER_SINGLE_USER_MODE;
OP_RPS_TRIANGLE_MGR.ADD_TRIANGLE_SUPPORT;
commit;
OP_CONTEXT_MGR.EXIT_SINGLE_USER_MODE;
end;
/
3. When finished, log out of SQL*Plus.
Update the Reporting Framework:
When finished, regenerate the IBM OpenPages Reporting Framework V6 data
model.
For details, see “Updating the Reporting Framework” on page 89.
Reporting Framework Configuration Settings
This section contains settings for controlling reporting framework configuration.
Configuring Fact Types
A fact is typically a numeric field that can be aggregated.
For each fact that is selected for inclusion in the dimensional model (see
“Configuring Facts and Dimensions” on page 91 for details), you can use the Fact
Types setting to globally control the types of aggregations that can be created for
each configured fact field.
Table 62 on page 358 lists the valid fact types that can be used for aggregation.
When the reporting framework is generated, all the aggregation types specified in
the Fact Types setting will be created for each fact selected for inclusion in the
dimensional model. The aggregated facts are then grouped into a single measure
dimension under each object type in the model where they were defined.
By default, the following fact types are configured: SUM,AVG.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Reporting Framework V6 |
Configuration folder hierarchy.
3. Click the Fact Types setting to open its detail page.
4. In the Value box, type one or more of the following values.
Note: If multiple values are specified, you must separate each value with a
comma (for example: SUM,MIN,MAX,AVG).
Chapter 14. Configuring Settings
357
Table 62. Valid Fact Type Values
This Fact Type...
Performs this summary function on a set of
objects...
SUM
Totals the value of objects in the set.
MIN
Returns the smallest existing value of an object in the
set.
MAX
Returns the largest existing value of an object in the
set.
AVG
Adds all values in the set and then divides by the
count of existing values.
MED
Returns the median value of objects in the set.
STD
Returns the standard deviation of objects in the set.
5. When finished, click Save.
Configuring Legacy Reporting Framework Settings in Upgraded
Systems
Upgraded systems can generate two reporting frameworks:
v OPENPAGES_REPORTS - this is the legacy reporting framework and is available for
backward compatibility for Cognos reports that have not been migrated to the
new reporting framework
v OPENPAGES_REPORTS_V6 - this is the new reporting framework, which has a new
architecture with faster execution of Cognos reports
Note: These settings are only available for systems that have been upgraded from
IBM OpenPages 5.x or earlier.
Enabling the Legacy Framework:
You can control whether or not to generate the legacy reporting framework
through the Enable Legacy Framework setting.
By default, the legacy framework is enabled for all upgrades.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Reporting Framework V6 |
Configuration | Legacy folder hierarchy.
3. Click the Enable Legacy Framework setting to open its detail page.
4. In the Value box, type one of the following:
v true - to enable the Legacy Reporting Framework
v false - to disable the Legacy Reporting Framework
5. When finished, click Save.
Enabling Computed Fields in Reporting Framework V6:
When the Legacy Framework setting is enabled, computed fields are, by default,
executed against it. Object types that are listed in the Object Types Using New
Framework For Computed Fields setting will use the new Reporting Framework
V6 for computed field calculations.
By default, this setting is blank.
358
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Reporting Framework V6 |
Configuration | Legacy folder hierarchy.
3. Click the Object Types Using New Framework For Computed Fields setting to
open its detail page.
4. In the Value box, type the name each object type containing computed fields.
Note: If there are multiple object types, separate each object type with a
comma.
Example : SOXBusEntity,SOXProcess,SOXIssue
5. When finished, click Save. The change is effective immediately.
Reporting Schema Settings
Adding New Indexes
You can add an index to any RT_ table in the database through the Create Index
on Fields setting.
Before configuring this setting, do the following steps:
v Review this task with both your database administrator and your IBM
representative.
v Test the change by manually creating the index in the database before making a
permanent change in the IBM OpenPages GRC Platform application.
Note:
v You can create a string only up to 4000 characters.
v Configure this setting only after careful analysis of your data query patterns.
Adding too many indexes to a table can harm performance.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Reporting Schema folder hierarchy.
3. Click the Create Index on Fields setting to open its detail page.
4. In the Value box, enter an index in the following format:
ObjectTypeName1= [FieldGroupName1.PropertyName1,...,
FieldGroupNameN.PropertyNameN]
|ObjectTypeNameN= [FieldGroupName1.PropertyName1
,...,FieldGroupNameN.PropertyNameN]
Where:
ObjectTypeName1 is the name of the object type you want to add an index to.
FieldGroupName1 is a bundle definition associated with the object.
PropertyName1 is the name of a property in the bundle.
Note:
v Vertical bars (|) separate multiple index strings.
v Commas (,) separates columns inside an index.
5. When finished, click Save.
6. Re-create the reporting schema.
Chapter 14. Configuring Settings
359
Results
Depending on the size of the database, you can update the reporting schema
through the application user interface or incrementally through scripts with
assistance from your IBM representative.
For more details, see “Updating the Reporting Schema” on page 84.
Example 1 - Adding an Index on Name and Reporting Period:
Let’s say you want to add an index on the Risk object type that includes the name
and reporting period. The string would look as follows:
SOXRisk = [Core Attributes.Resource Name,
Reporting Period Attributes.Reporting Period ID]
The Core Attributes bundle includes all of the following system parameters:
v Latest Resource Version
v Resource Check Out Status
v
v
v
Resource Check-in Date
Resource Checked in By
Resource Checked Out By
v
v
v
v
v
Resource
Resource
Resource
Resource
Resource
v
v
Resource Full Path
Resource ID
v
v
v
v
v
Resource
Resource
Resource
Resource
Resource
Content Type
Creation Date
Creator
Description
File Type
Name
Parent Folder
Subresource Type
Type
Visibility
The Reporting Period Attributes bundle includes the following reporting period
parameters:
v Reporting Period ID
v Reporting Period Name
Example 2 - Adding an Index on a Custom Field:
Let’s say you created a custom field called Test Reviewer on the Test object type
and now want to add an index to this custom field. The index for the Test
Reviewer custom field would be as follows:
SOXTest = [OpenPagesStandardTest.Test Reviewer]
Example 3: Adding an Index for Quick Filters and Custom Simple Strings:
Indexes can help the performance of certain searches with Quick Filters and filters
on custom simple string fields (except users and user groups).
360
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
The usual indexing technique is not applicable here, because Quick Filters and
filters on custom simple string fields are commonly case insensitive and commonly
implement "contains" logic. As such, even if a database index existed on the
filtered field, it would not be used.
A typical use case is as follows:
v Filter performance appears inadequate.
v The user executing a filter has IBM OpenPages security access to a small fraction
of the data.
v The number of records is high. This is a function of the number of object
instances in the current reporting period and the number of reporting periods in
the system.
v The width of records is high. This is a function of the number of custom
properties.
For example, loss event data may be tightly restricted within a company. As such,
indexing the LossEvent object type could improve filter performance.
LossEvent = [Reporting Period Attributes.Reporting Period ID,
Core Attributes.Resource Parent Folder]
It is beneficial to filter on security access before applying any property filter. The
security access filter will filter out a large percentage of data, leaving the property
filter to work on fewer records.
Such an index will benefit all the filters on a given Object Type, so it only needs to
be created once per Object Type.
Workflow Settings
This section contains topics for workflow configuration.
Setting the Display Size of the Workflow List
With the Default Page Size setting, you can control the number of
workflow-related jobs and tasks that are displayed per page when a user clicks:
v The "Show All" button from the My Tasks and My Jobs tab on the Home page
v The Jobs or Tasks link under the Administration heading
By default, the number of workflow jobs and tasks that are displayed per page is
10.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Workflow folder hierarchy.
3. Click the Default Page Size setting to open its detail page.
4. In the Value box, type the number of jobs and tasks you want displayed per
page.
5. When finished, click Save.
Configuring a Mail Server for Workflow
The following settings are used to configure your mail server and the sender’s
e-mail address for automatically generated remediation e-mails and standard
(out-of-the-box) task messages.
Chapter 14. Configuring Settings
361
Setting the Address of the Mail Server:
You can use the Mail Server setting to configure your mail server so you can
automatically send remediation e-mails and standard task messages from a
workflow to users and/or groups.
By default, the mail server value is: mail.yourcompany.com
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Workflow | Email folder hierarchy.
3. Click the Mail Server setting to open its detail page.
4. In the Value box, type the name of your mail server and domain in the format
provided.
5. When finished, click Save.
Setting the Sender’s E-mail Address:
You can use the Mail From setting to configure the sender’s e-mail address for
remediation e-mails and standard task messages automatically sent by a workflow
to users and/or groups.
By default, the e-mail value is: [email protected]
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Workflow | Email folder hierarchy.
3. Click the Mail From setting to open its detail page.
4. In the Value box, type the name of the sender’s e-mail address using a valid
e-mail address and format.
5. When finished, click Save.
Configuring Workflow Actor Selectors
The following settings are used to configure user and/or group selectors for
workflows.
Configuring the Reassign Task User Selector:
By setting the minimum access value for users or groups in the Associated Objects
Minimum Access setting, you can globally control which users or groups are
displayed in the workflow task reassignment selection list.
The access values, listed in Table 63 on page 363, correspond to the type of
permissions that each user or group must have for a related object. If a user or
group has the minimum access that is specified in the setting, then that user or
group will be displayed in the workflow task reassignment selection list.
Example
If the access value is set to 0, all users and groups are displayed in the task
reassignment list. If the value is set to 3, only users or groups that have a
minimum of Read and Write permissions are displayed in the list (users or groups
with Read only permission would be excluded).
362
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
By default, the Associated Objects Minimum Access value is set to 0 (all users
and groups are displayed).
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Workflow | Actor Selector
folder hierarchy.
3. Click the Associated Objects Minimum Access setting to open its detail page.
4. In the Value box, type one of the following values:
Table 63. Minimum Access Values
If the access value is
set to...
Then only users with these minimal permissions will be
displayed in the task reassignment list...
0
All users and groups. This value is set by default.
1
Read
3
Read, Write
7
Read, Write, Delete
15
Read, Write, Delete, Manage
16
Associate
17
Read, Associate
19
Read, Write, Associate
23
Read, Write, Delete, Associate
31
Read, Write, Delete, Manage, Associate
5. When finished, click Save.
Configuring the Workflow Selector Starting Group:
You can use the Starting Group setting to control which group displays at the
beginning of the selection hierarchy.
By default, the starting group is set to OpenPagesApplicationUsers.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | GRCM | Workflow | Actor Selector
folder hierarchy.
3. Click the Starting Group setting to open its detail page.
4. In the Value box, type a valid group name.
5. When finished, click Save.
Configuring Comments for Task Completion
You can use the Require Task Completion Comments setting to configure whether
or not a user is required to enter comments in the Comments box to complete an
assigned workflow task.
By default, the value is set to true and comments are required to complete a task.
Chapter 14. Configuring Settings
363
Procedure
1.
2.
3.
4.
Access the Settings page (see “Accessing the Settings Page” on page 313).
Expand the OpenPages | Applications | GRCM | Workflow folder hierarchy.
Click the Require Task Completion Comment setting to open its detail page.
In the Value box, type one of the following values:
If the value is set to...
Then...
true
The Comments box is a required field for
task completion.
This value is set by default.
false
The Comments box is not a required field
for task completion.
5. When finished, click Save.
Configuring Security Settings
The settings listed in this section represent a selected list of individual settings that
are under the OpenPages Platform|Security folder.
Redirecting the IBM OpenPages Log Off Link
By default, clicking the Log Off link in the header pane logs the user out of the
IBM OpenPages application and displays the Log On page.
If you are using single sign-on (SSO), you can change the destination page by
modifying the value of the Logout URL setting.
Note: If you are not using single sign-on, you cannot redirect the logout link. You
will always return to the Log On page.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Security folder hierarchy.
3. Click the Logout URL setting to open its detail page.
4. In the Value box, type a fully qualified URL.
5. Click Save.
Configuring Security for User Log On
You can configure all or some of the following settings to prevent users from
logging into the IBM OpenPages application.
Locking a user account prevents the user from logging into the IBM OpenPages
application. The user is still an active user in the system, however, and can be
selected through the user selector.
Users can be locked automatically if they exceed a set number of unsuccessful
login attempts.
The User Locking folder contains the following settings that control the locking
behavior of the IBM OpenPages GRC Platform application.
364
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Setting
Description
Enabled
Sets whether the User Locking settings are
active. When set to true, users will be
locked after they unsuccessfully log in more
than the allowed amount. Defaults to false.
Maximum Allowed Attempts
Sets the maximum number of times a user
can unsuccessfully log in to the application
before their account is locked. Defaults to
‘3’.
Timeout
Sets the amount of time (in minutes) that the
user account will be locked after failing to
log in. Defaults to 300 minutes.
Unsuccessful Login Window
Sets the amount of time (in minutes) that
has to pass in order to reset the number of
unsuccessful login attempts. Defaults to 120
minutes.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Platform | Security | User Locking folder hierarchy.
3. Click a setting to open its detail page.
4. In the Value box, type a value.
5. When finished, click Save.
Setting the Cross-site Scripting Filter
Cross-site scripting (XSS) is a type of computer security vulnerability that allows
malicious attackers to inject client-side script into web pages viewed by other
users. You can use the Cross-site Scripting Filter setting to check all HTTP GET
requests sent to the IBM OpenPages application server.
If you want to allow certain HTML elements or attributes to pass through this
filter, see “Configuring the Safe Tags Setting” on page 366.
Attention: The XSS filter will block attempts to save text fields that contain
JavaScript. The XSS filter will also block updates to items that were created and
saved with JavaScript when the XSS filter was disabled. Text fields that contain
JavaScript are not supported.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Platform | Security folder hierarchy.
4. Click the Cross-site Scripting Filter setting to open its detail page.
5. In the Value box, type one of the following values:
If the value is set to...
Then...
true
Cross-site filtering is enabled.
This value is set by default.
false
Cross-site filtering is disabled
Chapter 14. Configuring Settings
365
6. Click Save.
7. Restart all application servers in your cluster to effect the change. For details,
see “Starting and Stopping OpenPages Application Servers” on page 613.
Configuring the Safe Tags Setting
When the Cross-site Scripting Filter setting is enabled, certain HTML elements
will be blocked by that filter.
For more information on enabling this filter, see “Setting the Cross-site Scripting
Filter” on page 365. You can use the Safe Tags setting to globally allow certain
HTML elements to pass through the filter.
By default, the HTML style element is the only element allowed through the XSS
filter. To allow additional HTML elements or attributes to pass through the filter,
use the following instructions.
Let’s say your company uses embedded forms to capture information provided by
users. The embedded form contains the HTML form element, which is passed in an
HTTP request. By default, the Cross-site Scripting Filter setting is enabled so the
form element will be blocked. To allow user input in an embedded form to be
passed in an HTTP request, you would add the HTML form element to the Safe
Tags value list as follows:
style, form
After you change the value of this setting, you must restart all application servers
in your cluster to effect the change.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Platform | Security folder hierarchy.
4. Click the Safe Tags setting to open its detail page.
5. In the Value box, type the name of an HTML element or attribute.
Note: Multiple values must be separated by a comma.
6. Click Save.
7. Restart all application servers in your cluster to effect the change. For details,
see “Starting and Stopping OpenPages Application Servers” on page 613.
User Preferences Folder Settings
The settings listed in this section represent a selected list of individual settings that
are under the OpenPages User Preferences folder.
Setting Alert Notification Behavior
You can set which alert notifications are displayed, by default, to application users.
The various alert notification settings that you can select are under the Alerts
folder.
366
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Application users, if wanted, can change these default settings through their My
Settings page.
Example
Let’s say you configured dependent fields or dependent picklists for an object type
and you want to alert users that different values for particular fields are available
depending on their selection. Under the Alerts folder, you can set the values in the
Picklist Options Changed and Picklist Values Removed settings to ‘true’, so each
time a user changes a value in one of these fields, an alert notifying the user that
values have changed is displayed.
By default, no alert settings under the Alerts folder are selected.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | User Preferences | Alerts folder hierarchy.
3. Select the name of a setting you want under the Alerts folder to open its detail
page.
4. In the Value box, type one of the following values:
If the value is set to...
Then...
true
An alert is displayed to application users.
false
No alert is displayed to application users.
This value is set by default.
5. When finished, click Save.
6. To select another setting, repeat Steps 3 - 5.
Copy Settings
This section contains topics for configuring copy operations.
Setting Copy Operations
You can optionally configure settings in the Copy Options folder to resolve
duplicate names during copy operations and show additional copy options to
users during a "Copy From" operation.
Note:
v During a copy operation for self-contained objects, if a naming conflict exists
between the source and the target object, the copy operation will fail and the
naming conflict resolution choices made by a user are ignored (see “About
Self-Contained Object Types” on page 370).
v Self-contained object types and security context point object types do not respect
the "copyof" naming option, if selected. By definition self-contained and security
context point objects types automatically have their own folder, so no "Copy Of"
prefix is required.
v In a ‘Copy From’ operation, the target folder path is based on the closest
self-contained parent object.
The Copy Options folder contains the following configuration settings:
Chapter 14. Configuring Settings
367
Table 64. Copy Operations Configuration Settings
Setting
Description
Conflict Policy
Set the default behavior of the copy operation when it encounters a
duplicate object name during a copy operation.
If the value is set to:
v
overwrite - a new version of the object in the target directory is
created with all of the information of the copied object. All prior
versions of the object in the target directory are maintained.
v
copyof - during the copy operation, any objects with the same name
as an existing object in the target location will be renamed to "Copy
of <objectname>".
v
existing - if a copied object has the same name as an object in the
target location, that file will not be copied. All other objects (without
duplicate names) will still be copied to the target location.
If you choose this option, you should examine the results of copy
operations to determine whether any associations between objects
have changed as a result of the copy. For example, if an associated
risk is not copied to the new location because an existing risk has the
same name, the copied parent process of the risk will be associated
with the pre-existing risk in the target location.
The default value is overwrite.
Show Copy
Options Page
Allow users to select how duplicate names will be handled for the
current copy. This setting displays the following options to users during
a copy operation:
v
Create a new version of the existing object in the destination directory.
This is the default selection. This option corresponds to the
"overwrite" value in the Conflict Policy setting.
v
Create new object whose name is prefixed with "Copy Of". This option
corresponds to the "copyof" value in the Conflict Policy setting.
v
Do not copy resources with naming conflicts. This option corresponds to
the "existing" value in the Conflict Policy setting.
If the value is set to:
v
true - the additional copy options are displayed to users.
v
false - no additional copy options are displayed to users.
The default value is false.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Applications | Common | Configuration | Copy
Options folder hierarchy.
3. Click a setting to open its detail page.
4. In the Value box, type a value.
5. When finished, click Save.
Cross-Context Sharing
You can use the Cross context sharing setting to affect whether any non-primary
links to objects outside the context (scope) of a copy operation are included or
ignored during a copy operation.
368
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
When cross-context sharing is enabled, copy operations will maintain non-primary
links to objects outside the context of the copy. When it is disabled, non-primary
links to objects outside the context of the copy are ignored.
Example
Let’s say that in Figure 13, Control C1 was originally created under Risk R1, and
R1 has a primary association to C1. Risks R2 and R3 have non-primary
associations to C1. If a user copies Process P2 from BE2 to BE3, the link to C1 will
be maintained if the Cross context sharing setting is enabled (set to ‘true’). If the
setting is disabled (set to ‘false’), the copied tree will end at R3 as the non-primary
association to C1 is outside the context of the copy operation. If the user copies P1
from BE1 to BE3, the current state of the Cross context sharing setting is irrelevant
as the non-primary association from R2 to C1 falls within the context of the copy
operation.
Figure 13. Sample Hierarchy
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Set the value in the Show Hidden Settings setting to true (for details, see
“Showing Hidden Settings” on page 318).
3. Expand the OpenPages | Platform | Repository | Resource | Copy folder
hierarchy.
4. Click the Cross context sharing setting to open its detail page.
5. In the Value box, type one of the following values:
If the value is set to...
Then...
true
Cross-context sharing is enabled and the
copy operation will maintain any
non-primary links to objects that are outside
the scope (context) of the copy.
Chapter 14. Configuring Settings
369
If the value is set to...
Then...
false
Cross-context sharing is disabled and the
copy operation will ignore any non-primary
links to objects that are outside the scope
(context) of the copy.
This value is set by default.
6. When finished, click Save.
7. Reset the value in the Show Hidden Settings setting to false.
Self-Contained Object Type Settings
This section contains topics for configuring self-contained object types.
About Self-Contained Object Types
A self-contained object type is an object type that has its own folder and is either
part of the role-based security model as defined in the Model setting or defined
using the Self Contained Object Types setting.
For information about the Model setting, see “Setting the System Security Model”
on page 346. For information about the Self Contained Object Types setting, see
“Configuring Settings for Self Contained Object Types” on page 371.
Note:
v Roles can only be assigned to objects that are defined as security context points
through the Model setting.
v Defining an object type through the Self Contained Object Types setting does
not automatically change the folders of existing instances of that type. If
instances of the object type you want to define as self-contained already exist,
you must contact your IBM representative for assistance in executing a special
PL/SQL script that will go back and create folders for existing instances. This
script is maintained by IBM OpenPages Customer Services & Support and does
not ship as part of the product. Conversely, if an object type is later removed
from the self-contained list, no automatic re-foldering occurs. All existing
instances retain their dedicated folders.
By default, Business Entities are self-contained objects. For example, if the
role-based security model setting is defined as SOXBusEntity/SOXProcess, both
Business Entity and Process objects are treated as self-contained objects.
Self-contained object types behave differently than non-self-contained object types
for copy, move, and rename operations. The characteristics that distinguish
self-contained objects from non-self-contained objects follow.
Self-contained objects:
v Are always created under a parent folder that matches the object name (the
same behavior as Business Entities). For example, a process ‘P1’ under the
‘North America’ business entity will have the path /North America/P1/P1.txt
v When copied, all the objects under its hierarchy will also be copied to the target.
v When moved, all the objects under its hierarchy will also be moved to the target.
v Can only be moved to an allowed parent object.
v Cannot be moved to a folder.
370
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Cannot have their parent folder edited, moved, or renamed.
v Can be renamed by users who have Read+Write access control (ACLs)
permission.
v During a copy operation, if a naming conflict exists between the source and the
target object, the copy operation will fail and the naming conflict resolution
choices made by a user are ignored.
Configuring Settings for Self Contained Object Types
When you define an object type using the Self Contained Object Types setting,
the behavior of that object type changes for copy, move, and rename operations.
For more details, see “About Self-Contained Object Types” on page 370.
Procedure
1. Access the Settings page (see “Accessing the Settings Page” on page 313).
2. Expand the OpenPages | Common folder hierarchy.
3. Click the Self Contained Object Types setting to open its detail page.
4. In the Value box, type a comma-separated list of object type names. For
example, if you wanted Process and Risk Assessment object types, you would
type: SOXProcess,RiskAssessment.
5. When finished, click Save.
Chapter 14. Configuring Settings
371
372
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
You can use the IBM OpenPages utilities to back up and restore IBM OpenPages
and Cognos files and configuration data.
You must use the utilities that are provided with IBM DB2 to back up and restore
databases in the IBM OpenPages GRC Platform.
About IBM DB2 and the OpenPages Backup and Restore Utilities
The backup and restore utilities are installed during the IBM OpenPages
installation procedure.
You must use the utilities that are provided with IBM DB2 to back up and restore
databases in the IBM OpenPages GRC Platform.
For information about developing a database backup and restore strategy, see the
IBM DB2 Information Center at: http://publib.boulder.ibm.com/infocenter/
db2luw/v10r1/topic/com.ibm.db2.luw.admin.ha.doc/doc/c0005945.html
For more information about the databases in IBM OpenPages and backing up or
restoring them, see “Backing up and Restoring IBM DB2 Databases for OpenPages”
on page 387.
You can use the following utilities for backing up and restoring the IBM
OpenPages environment:
IBM OpenPages backup (OPBackup) and restore (OPRestore)
These utilities are used to backup and restore the IBM OpenPages application
(see “Using the IBM OpenPages Backup Utility” on page 378 for details).
Users can choose to run a live OPBackup. When you run a live OPBackup,
OpenPages services are not stopped on the application server, which allows for
maximum uptime of the OpenPages application. By default, OpenPages services
are restarted.
v Cognos backup (OPCCBackup) and restore (OPCCRestore)
v
These utilities are used to back up and restore IBM OpenPages Cognos files (see
“Using the Cognos Backup Utility” on page 383 for details).
Configuring Email Notification for Backup Jobs
If wanted, you can configure email notification upon the completion of an IBM
OpenPages application backup or Cognos backup job.
About Email Notification
You can configure email notification (which includes an attached log file) upon the
completion of an IBM OpenPages application backup or Cognos backup job.
Note:
v Log files for email notification are stored in the logs folder in the following
location:
– For OPBackup ( IBM OpenPages application backup):
373
<OP_Home>|aurora|bin|logs with the timestamp on the log files.
– For OPCCBackup (Cognos backup):
<CC_Home>|tools|bin|logs with the timestamp on the log files.
v Make sure to set rules in your email client to never send emails from the IBM
OpenPages application server to the Spam or Junk mail folders.
Configuring Backup Job Notification
The following steps provide instructions for configuring email parameters for IBM
OpenPages application and Cognos backup jobs.
Procedure
1. Open a command or shell window and do one of the following.
a. For an OPBackup ( IBM OpenPages application backup):
Navigate to the op-backup-restore.env file in the bin directory as follows.
Table 65. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions”
on page 1.
b. For a OPCCBackup (Cognos backup):
Navigate to the op-cc-backup-restore.env file in the bin directory as
follows.
Where <CC_Home> represents the installation location of the Cognos
application.
Table 66. Installation location of the Cognos application
Operating
system
Installation location
Windows
<CC_Home>\tools\bin
By default, <CC_Home> is C:\OpenPages\CommandCenter
AIX and
Linux
<CC_Home>/tools/bin
By default, <CC_Home> is /opt/OpenPages/CommandCenter
2. Open the selected .env file in a text editor of your choice.
3. To configure email notification, specify a value after the equal sign (=) for the
following parameters (shown in Table 67) in the selected .env file:
Table 67. Backup email Parameters
374
Parameter Name
Description
BACKUP_EMAIL_NOTIFICATION
_SERVER=
The host name of the outgoing mail server.
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 67. Backup email Parameters (continued)
Parameter Name
Description
BACKUP_EMAIL_NOTIFICATION
_TO_EMAIL_ID=
The name of one or more recipients that will
receive the email notification. The names
appear in the To: field of the email address.
Multiple email addresses must be delimited
with a comma (,).
Note: Do not enter a comma after the last
email address.
Example
[email protected],emailid2
@yourdomain.com
BACKUP_EMAIL_NOTIFICATION
_FROM_EMAIL_ID=
The name that will appear as the sender of
the notification email in the From: field of
the email.
The email address is also used as the
personal name.
BACKUP_EMAIL_NOTIFICATION
_SUCCESS_MSG_
FILE=BACKUP_SUCCESS_MSG.txt
The BACKUP_SUCCESS_MSG.txt is the default
file containing the message text that will be
used if the OPBackup.cmd completes
successfully.
You can modify the message text in the
BACKUP_SUCCESS_MSG.txt file as wanted.
The first line of the file is used as the email's
subject.
BACKUP_EMAIL_NOTIFICATION
_FAIL_MSG_FILE=
BACKUP_FAIL_MSG.txt
The BACKUP_FAIL_MSG.txt is the default file
that contains the message text that is used if
the OPBackup.cmd fails with errors.
You can modify the message text in the
BACKUP_FAIL_MSG.txt file as wanted.
The first line of the file is used as the email's
subject.
4. Save the changes to the file and exit the editor.
Running Asynchronous Background Jobs and Administrative
Functions
The IBM OpenPages GRC Platform supports asynchronous execution of processes
in the background.
The most common examples of these type jobs are FastMap web-based data import
jobs, object resets, and reporting schema generation.
For example, after a user submits a data import file, that file is queued for loading
and the import process occurs in the background. Since it is important that
asynchronous background jobs run to completion, certain administrative operations
in the application are suspended until all background jobs complete.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
375
By default, the following administrative functions will not start until background
jobs are completed:
v OPBackup command
v OPRestore command
v System Administrative Mode (SAM)
Note: To disable the default setting that checks for background jobs before you
start OPBackup or OPRestore, see “Enabling and Disabling Asynchronous
Background Processes Checking” on page 377.
If asynchronous processes are found, error messages are written to the OPBACKUP
restore log.
Example
The following is a sample error log message that occurred when an OPBackup
command was initiated while the reporting schema was still being generated.
Note: The .log file name has the format op_backup_<yyyy_mm_dd_hh_mm_ss>.log
Where:
<yyyy_mm_dd_hh_mm_ss> represents the year_month_day_hour_minute_second. For
example:
Windows
C:\OpenPages\openpages-backup-restore\
op_backup_2010_07_26_09_35_42.log
AIX and Linux
/opt/OpenPages/openpages-backup-restore/
op_backup_2010_07_26_09_35_42.log
Sample error log messages follow.
v For Oracle Database environments, a sample error log message might look
similar to this text:
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing processes running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing object reset operations running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
v For IBM DB2 environments, a sample error log message might look similar to
this text:
376
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing processes running. Please let them
[exec] finish or termi".
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing object reset operations running.
[exec] Please let them finish or termi".
Enabling and Disabling Asynchronous Background Processes
Checking
By default, the IBM OpenPages GRC Platform does not allow a backup
(OPBackup) or restore (OPRestore) operation to start until all asynchronous
background jobs run to completion.
Although we strongly recommend that all jobs run to completion before you start a
backup or restore operation, this check can be enabled or disabled as follows.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Navigate to the op-backup-restore.env file in the bin directory as follows.
Table 68. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Open the op-backup-restore.env file in a text editor of your choice.
4. Set the CHECK_BACKGROUND_PROCESSES parameter in the file to one of the
following values:
Table 69. CHECK_BACKGROUND_PROCESSES parameter values and their meanings
If the value is set to...
Then...
true
The validation check for asynchronous
background jobs is enabled and
OPBackup/OPRestore will not start if
background processes are still running.
This value is the default.
false
The validation check for asynchronous
background jobs is disabled and
OPBackup/OPRestore will start even if
background processes are still running.
5. When finished, save the changes to the file and exit the editor.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
377
Using the IBM OpenPages Backup Utility
OPBackup is the IBM OpenPages backup utility that backs up the necessary
OpenPages files and configuration data on the server where it is run. The
OPBackup utility creates a backup file that can be used by the OpenPages restore
utility (OPRestore).
To back up or restore the IBM DB2 databases in the OpenPages application, you
must use the utilities that are provided with DB2. For more information about the
databases in IBM OpenPages and backing up or restoring them, see “Backing up
and Restoring IBM DB2 Databases for OpenPages” on page 387.
When you use the OPBackup utility in an IBM DB2 environment, the following
IBM OpenPages resources are backed up:
v The IBM OpenPages storage folder and its content
v The IBM OpenPages application environment files
Depending on your configuration, if any asynchronous background jobs are
detected, an OPBackup job will exit and possibly display errors (see “Running
Asynchronous Background Jobs and Administrative Functions” on page 375).
Optionally, you can configure email notification (with an attached log file) upon
the completion of an OPBackup job. For details, see “Configuring Email
Notification for Backup Jobs” on page 373.
Backing Up Custom OpenPages Files
Custom OpenPages files, such as SiteSync or scheduled job files that are custom to
your environment, can be included in the backup using an OpenPages manifest
file. A manifest file is a text file that contains the full path name to any directory or
file that needs to be included in the backup.
Important:
v You must list all of your custom directories and files in a manifest. If you have
any questions about the location of your custom data, contact OpenPages
Customer Support.
v In a horizontal clustered environment, you must perform this procedure on each
OpenPages Application Server in the horizontal cluster.
Procedure
1. Log on to the current OpenPages application server.
2. Navigate to the <OP_Home>|aurora|bin directory and open the
op_backup.manifest file in a text editor.
Table 70. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Enter the full path name to all custom directory name or a specific file. Each
directory or file must be on a separate line in the file.
4. Save the manifest file using the current location and name.
378
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Running the OPBackup Command
When you use the IBM OpenPages application backup utility, you run the
OPBackup command in a command or shell window.
The OPBackup command does the following:
v Stops all IBM OpenPages services before performing any backup operation
v Backs up IBM OpenPages application and environment files
v Restarts the services when the backup activities are complete
See “Running a Live OpenPages Backup” on page 424 if you want to perform a
backup without stopping services.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Navigate to the bin directory as follows:
Table 71. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Execute the following backup command:
Windows
OPBackup <path-to-backup-location>
AIX and Linux
OPBackup.sh <path-to-backup-location>
Where:
Note: <path-to-backup-location> is the full path of the directory where the
backed up files are located on the IBM OpenPages GRC Platform application
server.
If a file path is not specified, the OPBackup command uses, by default, the
backup location specified in the BACKUP_LOCATION parameter of the
<OP_Home>|aurora|bin|op-backup-restore.env file.
Running a Live OpenPages Backup
A live OpenPages backup means that the OpenPages application can continue
running while the backup is in progress. OpenPages services are not stopped
during the backup.
To use the IBM OpenPages application backup utility live, you run the OPBackup
command with the nosrvrst option. The utility backs up IBM OpenPages
application and environment files.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Navigate to the bin directory as follows:
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
379
Table 72. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Execute the following backup command:
Windows
OPBackup <path-to-backup-location> nosrvrst
AIX and Linux
OPBackup.sh <path-to-backup-location> nosrvrst
Where:
Note: <path-to-backup-location> is the full path of the directory where the
backed up files are located on the IBM OpenPages GRC Platform application
server.
If a file path is not specified, the OPBackup command uses, by default, the
backup location specified in the BACKUP_LOCATION parameter of the
<OP_Home>|aurora|bin|op-backup-restore.env file.
About OPBackup Generated Files
The backup process produces several files.
About IBM OpenPages Backed-Up Content
The backup process creates a ZIP file (.zip) in the <backup-directory-name>
directory.
This ZIP file contains the following necessary backed up data files, including the
database dump file:
v OpenPages properties files (such as aurora.properties and sosa.properties).
v Application server configuration files for IBM WebSphere or Oracle WebLogic.
v The openpages-storage directory.
v Pointers to the database schema dump extracts.
v Manifest-defined content (such as solutions-sosa-files.zip or
services-sosa-files.zip).
Note:
v If a backup file is very large (4 GB or larger), you should configure the
OPBackup utility to use gzip (GNU zip). Gzip produces an archive with an
extension of .tar.gz. To view and extract the contents of the archive file, use
WinZip® 12 (or higher) or WinRAR® 3.71 (or higher).
v The OPBackup utility adds a military timestamp on the .zip and log files it
creates.
The ZIP file can be used as a parameter to the OPRestore command to restore the
installation-specific OpenPages files and the database. Each time the OPBackup
command is run, a separate ZIP file is created and each data file is identified by a
unique name.
380
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
About the OPBackup Log File
The backup process creates a log file, which is identified by a unique name in the
<backup-directory-name> folder. Each time you run the OPBackup command, a
separate log file is generated.
Configuring OPBackup to Use GZIP
If a ZIP backup file grows beyond the 4-GB limit of ZIP file capacity, you can
configure the OPBackup utility to use gzip (GNU zip). Once the file is configured,
new backup files will have a .tar.gz extension. The OPRestore utility will detect if
a file is in ZIP or gzip format and process it accordingly.
Procedure
1. From a command or shell window, navigate to the op-backup-restore.env file
in the bin directory as follows.
Table 73. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
2. Open the op-backup-restore.env file in a text editor of your choice.
3. Change the following setting in the file from false to true:
USE_GZIP_COMPRESSION=true
4. Save the changes to the file and exit the editor.
Enabling and Disabling Storage Backup
By default, the IBM OpenPages GRC Platform backup includes the storage folder
and its content.
Optionally, you can disable storage backup by setting the BACKUP_OP_STORAGE
parameter in the op-backup-restore.env file. If the setting is disabled, the storage
folder is not backed up.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Go to the op-backup-restore.env file in the bin directory as follows.
Table 74. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Open the op-backup-restore.env file in a text editor of your choice.
4. Set the value of the BACKUP_OP_STORAGE parameter in the file to either true or
false.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
381
Table 75. BACKUP_OP_STORAGE parameter values and their meanings
If the value is set to...
Then...
true
The storage folder and its content are
backed up.
This value is the default setting.
false
The storage folder and its content are not
backed up.
5. When finished, save the changes to the file and exit the editor.
Using the IBM OpenPages Restore Utility
OPRestore is the IBM OpenPages restore utility that restores the necessary
OpenPages files on the server from which it was originally run. The OPRestore
utility uses a backup file that is created by the OpenPages backup utility
(OPBackup).
Prerequisites
Important: Before you run the OPRestore utility, you must restore the DB2
OpenPages database.
OPRestore tool can be used only on an existing OpenPages database. It cannot be
used on a database that does not have an OpenPages schema.
Restoring files
To back up or restore the IBM DB2 databases in the OpenPages application, you
must use the utilities that are provided with DB2. For more information about the
databases in IBM OpenPages and backing up or restoring them, see “Backing up
and Restoring IBM DB2 Databases for OpenPages” on page 387.
Note: To refresh a "test" environment, see “Refreshing a Test Environment from
Backup Files” on page 443.
As part of the restoration process, the following IBM OpenPages resources are
restored:
v If the OpenPages storage folder was backed up, the storage folder and its
content are restored.
For information about enabling and disabling storage folder backup, see
“Enabling and Disabling Storage Backup” on page 381.
v The OpenPages application environment files are restored.
v The OpenPages and workflow database schema are populated with data
restored from backup files.
Depending on your configuration, if any asynchronous background jobs are
detected, an OPRestore job might exit and possibly display errors. See “Running
Asynchronous Background Jobs and Administrative Functions” on page 375.
Running the OPRestore Command
You can restore OpenPages files and configuration data from an OPBackup by
using the OPRestore command.
382
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. On the reporting server, stop the Cognos service if it is running.
2. From a command or shell window, navigate to the bin directory as follows:
Table 76. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Execute the following command:
Windows
OPRestore <backup-file-name> <path-to-backup-location>
AIX and Linux
OPRestore.sh <backup-file-name> <path-to-backup-location>
Where:
<backup-file-name> is the name of the backup file (without the .zip or tar.gz
file extension)
Note: <path-to-backup-location> is the full path of the directory where the
backed up files are located on the IBM OpenPages GRC Platform application
server.
If a file path is not specified, the OPBackup command uses, by default, the
backup location specified in the BACKUP_LOCATION parameter of the
<OP_Home>|aurora|bin|op-backup-restore.env file.
What to do next
Preferences related to the long string text index won't be exported by “Running the
OPBackup Command” on page 423, and therefore are not restored. You must
“Create a Long String Index” on page 462 pointing to the database server you are
restoring to.
About OPRestore Log Files
The restore process creates a log file identified by a unique name in the
<backup-directory-name> folder. Each time you run the OPRestore command, a
separate log file is created.
Using the Cognos Backup Utility
OPCCBackup is the Cognos utility that backs up the necessary Cognos files. The
OPCCBackup utility creates a backup file that can be used by the Cognos restore
utility (OPCCRestore).
To back up or restore the IBM DB2 databases in the OpenPages application, you
must use the utilities that are provided with DB2. For more information about the
databases in IBM OpenPages and backing up or restoring them, see “Backing up
and Restoring IBM DB2 Databases for OpenPages” on page 387.
When you use the OPCCBackup utility, the following Cognos resources are backed
up.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
383
v Cognos reports
v Branding and environment files
Optionally, you can configure e-mail notification (with an attached log file) upon
the completion of an OPCCBackup. For details, see “Configuring Email
Notification for Backup Jobs” on page 373.
Running the OPCCBackup Command
When you use the Cognos backup utility, you run the OPCCBackup command in a
command or shell window.
Procedure
1. From a command or shell window, navigate to the bin directory as follows:
Where <CC_Home> represents the installation location of the Cognos application.
Table 77. Installation location of the Cognos application
Operating
system
Installation location
Windows
<CC_Home>\tools\bin
By default, <CC_Home> is C:\OpenPages\CommandCenter
AIX and
Linux
<CC_Home>/tools/bin
By default, <CC_Home> is /opt/OpenPages/CommandCenter
2. Execute the following backup command:
Windows
OPCCBackup <path-to-backup-location>
AIX and Linux
OPCCBackup.sh <path-to-backup-location>
Where:
<path-to-backup-location> is the full path of the directory where the backed
up files are located on the Cognos server. The file path is optional.
Note: If no file path is specified, the OPCCBackup command uses, by default,
the backup location specified in the BACKUP_LOCATION parameter of the
<CC_Home>|tools|bin|op-cc-backup-restore.env file.
About OPCCBackup Generated Files
About the OPCCBackup Log File
The backup process creates a log file, which is identified by a unique name in the
<backup-directory-name> folder. Each time you run the OPCCBackup command, a
separate log file is generated.
About Cognos Backed-Up Content
The Cognos backup process creates a ZIP file (.zip) in the <backup-directoryname> directory. This ZIP file contains the necessary report and environment files
that can be used by the Cognos restore utility (OPCCRestore).
Note:
v If a backup file is very large (4 GB or larger), you should configure the
OPCCBackup utility to use gzip (GNU zip). Gzip produces an archive with an
384
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
extension of .tar.gz. To view and extract the contents of the archive file, use
WinZip® 12 (or higher) or WinRAR® 3.71 (or higher).
v The OPCCBackup utility adds a military timestamp on the .zip and log files it
creates.
The ZIP file can be used as a parameter to the OPCCRestore command to restore the
installation-specific OpenPages files and the database. Each time the OPCCBackup
command is run, a separate ZIP file is created and each data file is identified by a
unique name.
Configuring OPCCBackup to Use GZIP
If a ZIP backup file grows beyond the 4-GB limit of ZIP file capacity, you can
configure the OPCCBackup utility to use gzip (GNU zip). Once the file is
configured, new backup files will have a .tar.gz extension. The OPCCRestore
utility will detect if a file is in ZIP or gzip format and process it accordingly.
Procedure
1. From a command or shell window, navigate to the op-cc-backup-restore.env
file in the bin directory as follows.
Where <CC_Home> represents the installation location of the Cognos application.
Table 78. Installation location of the Cognos application
Operating
system
Installation location
Windows
<CC_Home>\tools\bin
By default, <CC_Home> is C:\OpenPages\CommandCenter
AIX and
Linux
<CC_Home>/tools/bin
By default, <CC_Home> is /opt/OpenPages/CommandCenter
2. Open the op-cc-backup-restore.env file in a text editor of your choice.
3. Change the following setting in the file from false to true:
USE_GZIP_COMPRESSION=true
4. Save the changes to the file and exit the editor.
Using the Cognos Restore Utility
OPCCRestore is the IBM OpenPages Cognos utility that restores the necessary
Cognos files on the server from which it was originally run. The OPCCRestore
utility uses a backup file created by the OpenPages Cognos backup utility
(OPCCBackup).
Important: Before you run the OPCCRestore utility, you must restore the DB2
reporting database.
To back up or restore the IBM DB2 databases in the OpenPages application, you
must use the utilities that are provided with DB2. For more information about the
databases in IBM OpenPages and backing up or restoring them, see “Backing up
and Restoring IBM DB2 Databases for OpenPages” on page 387.
As part of the OPCCRestore restoration process, the following Cognos resources
are restored:
v Cognos reports
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
385
v Branding and environment files
For information about refreshing a test environment, see “Refreshing a Test
Environment from Backup Files” on page 443.
Running the OPCCRestore Command
You can restore backed up Cognos data using the OPCCRestore utility as follows.
Procedure
1. Stop the Cognos service on the administrative server and any
non-administrative servers in the cluster. For details, see “Starting and Stopping
the Cognos Services” on page 623.
2. Stop the IBM Cognos Configuration tool, if it is running, on all cluster
members.
3. From a command or shell window, navigate to the bin directory as follows:
Where <CC_Home> represents the installation location of the Cognos application.
Table 79. Installation location of the Cognos application
Operating
system
Installation location
Windows
<CC_Home>\tools\bin
By default, <CC_Home> is C:\OpenPages\CommandCenter
AIX and
Linux
<CC_Home>/tools/bin
By default, <CC_Home> is /opt/OpenPages/CommandCenter
4. On the administrative Cognos server, execute the following command:
Windows
OPCCRestore <backup-file-name> <path-to-backup-location>
AIX
OPCCRestore.sh <backup-file-name> <path-to-backup-location>
Where:
<backup-file-name> is the name of the backup file (without the .zip or tar.gz
file extension).
Note: <path-to-backup-location> is the full path of the directory where the
backed up files are located on the Cognos server. The file path is optional.
Note: If no file path is specified, the OPCCRestore command uses, by default,
the backup location specified in the BACKUP_LOCATION parameter of the
<CC_Home>|tools|bin|op-cc-backup-restore.env file.
5. Start the Cognos service on the administrative server and on any
non-administrative servers in the cluster. For details, see “Starting and Stopping
the Cognos Services” on page 623.
About OPCCRestore Log Files
The restore process creates a log file identified by a unique name in the
<backup-directory-name> folder.
Each time you run the OPCCRestore command, a separate log file is created.
386
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Backing up and Restoring IBM DB2 Databases for OpenPages
You must use the utilities that are provided with IBM DB2 to back up and restore
DB2 databases in the IBM OpenPages GRC Platform product.
For information about developing a backup and restore strategy, see the IBM DB2
Information Center at: http://publib.boulder.ibm.com/infocenter/db2luw/v10r1/
topic/com.ibm.db2.luw.admin.ha.doc/doc/c0005945.html.
Databases in IBM OpenPages
There are two databases in the IBM OpenPages GRC Platform that require backup:
v The IBM OpenPages database
This database is the main application and workflow database that is created in
the DB2 instance with Oracle Compatibility mode enabled.
v The IBM Cognos Controller database
This database is created in another normal DB2 instance without the Oracle
Compatibility feature.
IBM OpenPages Database Backup
To accomplish a complete backup of the IBM OpenPages and the IBM Cognos
Controller databases, you must back up each database from each of their instances.
The best approach is to do an offline backup of your DB2 IBM OpenPages
database.
1. Make sure that OpenPages services are running for any long running
background processes (such as, object reset jobs).
2. Open a command or shell window and connect to the DB2 database.
For Windows users only, you must use the db2cmd command in the Command
Prompt window to initialize the DB2 command line processor (CLP).
3. Quiesce the database by using the QUIESCE command. In this mode, the IBM
OpenPages application becomes unavailable to users. Only users with authority
in this restricted mode are allowed to attach or connect to the instance or
database.
For example, to immediately force off all users with connections to the
database, you could use db2 quiesce db immediate.
For information about using the QUIESCE command, see the IBM DB2
Information Center at: http://publib.boulder.ibm.com/infocenter/db2luw/
v10r1/topic/com.ibm.db2.luw.admin.cmd.doc/doc/r0008635.html
4. Do the offline backup.
For example, on a Microsoft Windows operating system, to backup a database
with the alias name of sample to c:\Db2backup, you could use db2 backup db
sample c:\Db2backup. A backup image will be created in the specified backup
location in the following format: database_name.backup_type\instance_name\
database_partition\catalog_
partition_number\backup_date_time\time_image_sequence_number. For
example, OPX.0\DB2INST1\NODE0000.\CATN0000\20121129\131259.01.
On an AIX or Linux operating system, to backup a database with the alias
name of sample to /opt/db2backup, you could use db2 backup db sample
/opt/db2backup. A backup image will be created in the specified backup
location in the following format:
database_name.backup_type.instance_name.database_partition.catalog_
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
387
partition_number.backup_date_time.time_image_sequence_number. For
example, OPX.0.DB2INST1.NODE0000.CATN0000.20121129.131259.001.
For information about backing up your DB2 database, see the IBM DB2
Information Center at: http://publib.boulder.ibm.com/infocenter/db2luw/
v10r1/topic/com.ibm.db2.luw.admin.ha.doc/doc/c0006150.html.
5. Unquiesce the database by using the UNQUIESCE command. This command
restores user access to objects in the IBM OpenPages database.
For example, to restore connections to the database, you could use db2
unquiesce db.
For information about using the UNQUIESCE command, see the IBM DB2
Information Center at: http://publib.boulder.ibm.com/infocenter/db2luw/
v10r1/topic/com.ibm.db2.luw.admin.cmd.doc/doc/r0008636.html.
IBM OpenPages Database Restore
You can use a DB2 database backup from your production system to restore a DB2
database to a previous state in the same environment.
Use this process as a guide for restoring a IBM OpenPages DB2 database:
1. Stop the OpenPages servers. For information, see “Starting and Stopping
OpenPages Application Servers” on page 613.
2. Open a command or shell window and connect to the DB2 database.
For Windows users only, you must use the db2cmd command in the Command
Prompt window to initialize the DB2 command line processor (CLP).
3. Restore the DB2 database.
For example, on a Windows operating system, to restore a database with the
alias name of sample from the backup location c:\Db2backup with a backup
timestamp of 20121129131259, you could use db2 restore db sample from
c:\Db2backup taken at 20121129131259.
On an AIX or Linux operating system, , to restore a database with the alias
name of sample from the backup location /opt/db2backup with a backup
timestamp of 20121129131259, you could use db2 restore db sample from
/opt/db2backup taken at 20121129131259.
For information about restoring your DB2 database, see the IBM DB2
Information Center for details about restoring DB2 databases at:
http://publib.boulder.ibm.com/infocenter/db2luw/v10r1/topic/
com.ibm.db2.luw.admin.ha.doc/doc/c0006237.html.
Restoring Backed up Production Data in a New Environment
You can use a DB2 database backup from your production environment to restore
data to a DB2 database in a new test or development environment.
The process of restoring data involves the following tasks in this order:
1. Backing up your DB2 production databases then restoring these databases to
the new environment.
When you create the IBM OpenPages application and workflow database, you
must run scripts to enable Oracle compatibility and update configuration data.
You run these scripts before you restore the OpenPages application and
workflow production database to the new environment. These scripts are not
required for the Cognos database.
388
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
2. Backing up your production application and reporting data files then restoring
these files to the new environment.
3. Updating the storage folder location in the new environment.
For information about refreshing a test environment on an existing test system, see
“Refreshing a Test Environment from Backup Files” on page 390.
Before you begin
Make sure that your new test or development environment meets the following
prerequisites:
v IBM OpenPages GRC Platform is installed in the new test or development
environment.
v The operating system user names in the new environment match the operating
system user names in your production environment.
Procedure
1. Back up your IBM OpenPages application production DB2 database.
For more information, see “ IBM OpenPages Database Backup” on page 387.
2. Back up your IBM Cognos Controller production DB2 database.
For more information about backing up the IBM OpenPages application
database, see “ IBM OpenPages Database Backup” on page 387.
3. Create the IBM OpenPages application and workflow database instance in the
new environment.
For more information about creating a DB2 database, see the IBM DB2
Information Center at: http://pic.dhe.ibm.com/infocenter/db2luw/v10r1/
topic/com.ibm.db2.luw.admin.ha.doc/doc/c0006237.html.
4. On the new IBM OpenPages application and workflow database only, run the
enable-ora-compatibility script to enable Oracle Compatibility Mode.
v On Windows
a. From the Start menu, click All Programs > IBM DB2 > DB2COPY1 >
Command Window - Administrator.
b. Type the following command:
enable-ora-compatibility.bat
Note: If you have multiple instances of DB2 on the server, ensure that
you choose the DB2COPY of the OpenPages database instance.
v On AIX and Linux, type the following command:
./enable-ora-compatibility.sh
Restriction: DB2 compatibility features are enabled at the instance level and
cannot be disabled. Keep the selected compatibility level for the life of the
OpenPages database.
To confirm that Oracle Compatibility Mode is set, you can type the following
command: db2set -all
In the output, look for the DB2 profile variable, DB2_COMPATIBILITY_VECTOR,
with the value of ORA. For example, DB2_COMPATIBILITY_VECTOR=ORA.
5. On the new IBM OpenPages application and workflow database only, update
the database manager configuration.
a. For Windows users only, type the following command in the Command
Prompt window to initialize the DB2 command line processor (CLP):
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
389
db2cmd
b. In the DB2 CLP, run the opx-dbm-cfg script:
v On Windows, type:
opx-dbm-cfg.bat
v On AIX and Linux, type:
./opx-dbm-cfg.sh
6. Use the IBM OpenPages application and workflow database backup from
your production system to restore the DB2 database to your new environment.
For more information, see “ IBM OpenPages Database Restore” on page 388.
7. Create the IBM Cognos Controller database instance in the new environment
without the Oracle Compatibility feature.
For more information about creating a DB2 database, see the IBM DB2
Information Center at: http://pic.dhe.ibm.com/infocenter/db2luw/v10r1/
topic/com.ibm.db2.luw.admin.ha.doc/doc/c0006237.html.
8. Use the IBM Cognos Controller database backup from your production system
to restore the DB2 database to your new environment.
For more information, see “ IBM OpenPages Database Restore” on page 388.
9. Use the IBM OpenPages backup and restore utilities to back up your
OpenPages files on the production server then restore these files to your new
environment.
For more information about using the IBM OpenPages backup utility, see
“Using the IBM OpenPages Backup Utility” on page 378.
For more information about using the IBM OpenPages restore utility, see
“Using the IBM OpenPages Restore Utility” on page 382.
10. Use theCognos backup and restore utilities to back up your reporting files on
the production server then restore these files to your new environment.
For more information about using the Cognos backup utility, see “Using the
Cognos Backup Utility” on page 383.
For more information about using the Cognos restore utility, see “Using the
Cognos Restore Utility” on page 385.
11. Update the OpenPages storage folder location on the new test or development
database.
For more information about updating the OpenPages storage folder location,
see “Update the OpenPages Storage Location in the Database” on page 393.
Refreshing a Test Environment from Backup Files
The best method for refreshing an existing test environment is to have it replicated
from the production environment. By using your production environment's backup
files, you can update a test environment that closely matches your production
environment as of the backup date.
You can use this procedure to refresh any test server by using the backup files
from any other IBM OpenPages server.
Prerequisites:
v Make sure that you have access to both the production or "source" and test or
"target" servers.
v The operating systems must match between source and target servers.
390
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Prerequisites
There are some prerequisites to refreshing a test environment.
The following are required:
v The test or "target" server and production or "source" server must have the same
installed version of the IBM OpenPages application — including patches.
v You must have access to the following DVD either on your installation media or
from a shared network drive:
OP_n.n.n_<Embedded|Non_Embedded>_DVD_1
Where n.n.n represents the current version number of the IBM OpenPages
release.
Back up Production Databases in OpenPages on the DB2
Server
You must use the utilities that are provided with IBM DB2 to back up the
production databases in the IBM OpenPages application. The exported
DB2production databases are used later to refresh the IBM OpenPages application
and workflow databases on the test or target server.
For more information about the databases in IBM OpenPages and backing up DB2
databases, see “Backing up and Restoring IBM DB2 Databases for OpenPages” on
page 387.
Back Up and Copy IBM OpenPages Application Production
Files
The IBM OpenPages backup utility backs up IBM OpenPages application and
workflow files. The exported data from the production backup file is used later to
refresh data on the test or target server.
Procedure
1. Log on to your production IBM OpenPages server as a user with administrative
permissions.
2. Run the IBM OpenPages backup utility (OPBackup) to back up the IBM
OpenPages application and workflow files. For more information, see “Using
the IBM OpenPages Backup Utility” on page 378.
3. Copy the IBM OpenPages backup .zip or .tar.gz file to your test server.
Back up Databases in OpenPages on the Test Server
You must use the utilities that are provided with IBM DB2 to back up the test or
target databases in the IBM OpenPages application.
For more information about the databases in IBM OpenPages and backing up DB2
databases, see “Backing up and Restoring IBM DB2 Databases for OpenPages” on
page 387.
Back Up IBM OpenPages Application Files on Your Test
Server
Run the IBM OpenPages backup utility to back up IBM OpenPages application and
workflow files on your test or target server.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
391
Procedure
1. Log on to your test IBM OpenPages server as a user with administrative
permissions.
2. Run the IBM OpenPages backup utility (OPBackup) as described in “Running
the OPBackup Command” on page 379 to backup the IBM OpenPages
application and workflow files.
Back Up Workflow Properties in the Test Environment
You must back up workflow properties in your test environment.
Procedure
1. Log on to your test IBM OpenPages server as a user with administrative
permissions.
2. Export the workflow properties on your test server for later use as follows:
a. Open a command or shell window and navigate to the following directory:
<Workflow_Home>|server|deployment|bin
Table 80. Installation location of the workflow server
Operating
system
Installation location
Windows
By default, <Workflow_Home> is C:\Fujitsu\InterstageBPM
AIX and
Linux
By default, <Workflow_Home> is /opt/Fujitsu/InterstageBPM
b. From the bin directory, execute the exportProperties command as follows:
v On Windows :
exportProperties.bat <output-file> <opworkflow_db_user>
<opworkflow_db_password>
v On AIX and Linux:
exportProperties.sh <output-file> <opworkflow_db_user>
<opworkflow_db_password>
Where:
<output-file> is the name of the file containing the exported workflow
properties. If no directory is specified, the file is created in the bin directory.
<opworkflow_db_user> is the IBM OpenPages workflow user name for
accessing the workflow database.
<opworkflow_db_password> is the IBM OpenPages workflow password for
accessing the workflow database.
Examples
Windows
exportProperties.bat ibpm.properties opworkflow opworkflow
AIX and Linux
exportProperties.sh ibpm.properties opworkflow opworkflow
Drop the DB2 Database for the Application on the Test System
You must drop the IBM OpenPages database on the test server. Dropping the IBM
DB2 database for IBM OpenPages on the test system deletes all object data.
The DB2 database includes IBM OpenPages application and workflow data.
392
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Procedure
1. If necessary, log on to your IBM OpenPages test server as a user with
administrative permissions.
2. Open a command or shell window.
3. For Windows users only, type the following command in the Command Prompt
window to initialize the DB2 command line processor (CLP):
db2cmd
4. In the DB2 CLP, type the following command to drop the DB2 test database:
db2 drop db <DATABASE_NAME>
Where <DATABASE_NAME> is the name of the test database. For example, if
the name of the test database is op11, you would type db2 drop database op11.
For more information about using the DB2 DROP DATABASE command, see the
IBM DB2 Information Center at: http://pic.dhe.ibm.com/infocenter/db2luw/
v10r1/index.jsp?topic=/com.ibm.db2.luw.admin.cmd.doc/doc/r0001949.html.
Copy and Restore the Application Production Database
Backup File to the Test Database Server
You must use the utilities that are provided with IBM DB2 to restore the IBM
OpenPages application database on the test system.
The IBM OpenPages database backup file from the DB2 production server includes
both IBM OpenPages application and workflow data.
Before you begin
The operating system user names in the test environment must match the
operating system user names in your production environment.
Procedure
1. Copy the IBM OpenPages database backup file from the DB2 production server
to the test database server.
2. Copy the Java UDF class files from the DB2 production server folders to the
folders on the test database server. For example:
v On Windows systems, copy the class files from C:\IBM\SQLLIB\FUNCTION on
the production database server to the DB2 database server on the test system.
v On AIX and Linux systems, copy the class files from /home/db2inst1/sqllib/
function on the production database server to the DB2 database server on
the test system.
3. Restore the DB2 database to the test server. For more information, see “ IBM
OpenPages Database Restore” on page 388.
Update the OpenPages Storage Location in the Database
After you restore the openpage-storage files from the production backup, you must
update the OpenPages storage location on the test database.
Procedure
1. Log on to a system as a user with administrator privileges. You can use any
system with access to CLPPlus that can connect to the OpenPages database
server.
2. Copy all the files under the openpages-storage folder from the production
backup .zip file to the openpages-storage location on the test server.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
393
By default, the storage location is <OP_Home>|openpages-storage.
Table 81. Installation location of the IBM OpenPages GRC Platform application
Operating
system
Installation location of the IBM OpenPages GRC Platform application
Windows
By default, <OP_Home> is: C:\OpenPages
AIX and
Linux
By default, <OP_Home> is: /opt/OpenPages
3. Open a command or shell window and do the following tasks:
a. Either go to the OP_n.n.n_<Embedded|Non_Embedded>_DVD_1 on your network
drive or insert the DVD from your installation kit.
b. Go to the INSTALL_SCRIPTS directory at the following location:
OP_n.n.n_Configuration|Database|DB2|INSTALL_SCRIPTS
Where n.n.n is the version number of the IBM OpenPages product.
4. For Windows users only, type the following command in the Command Prompt
window to initialize the DB2 command line processor (CLP):
db2cmd
5. From the INSTALL_SCRIPTS directory, run the update-storage SQL wrapper
script with the following parameters to update the openpages-storage directory
location in the database:
clpplus -nw <op_db_user>/
<op_db_password>@<database_host>:<database_port>/<database_name>
@sql-wrapper update-storage <log-file> <storage-type>
<storage-server-name> <host-name> <os-type> <path-or-UNC-name>
Where:
Table 82. Update Storage Wrapper Script Parameters
Parameter
Description
op_db_user
OpenPages user name for accessing the OpenPages database.
op_db_password
The OpenPages password for accessing the OpenPages database.
database_host
Name of the DB2 server host machine that contains the OpenPages
database.
database_port
Port number of the DB2 database instance that is installed on the
database server. ForDB2, the default port is 50000.
database_name
Name of the OpenPages database.
log-file
The name of the log file that the script creates and writes
information to.
storage-type
The type of file storage to be used. Valid values are as follows:
v
LFS (local file system)
v
UNC (Universal Naming Convention)
Note: After you move from LFS to UNC, you cannot go back to
using LFS.
394
storage-server-name
The name of the storage server.
host-name
The host name of the machine.
os-type
The type of operating system. Valid values are as follows:
v
Windows
v
Unix
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 82. Update Storage Wrapper Script Parameters (continued)
Parameter
Description
path-or-UNC-name
The file path or UNC of the storage location.
Examples
v LFS
Windows clpplus -nw openpages/[email protected]:50000/opx
@sql-wrapper update-storage c:\temp\upd-storage-output.log LFS eng11
eng11 Windows c:\OpenPages\openpages-storage
AIX and Linuxclpplus -nw openpages/[email protected]:50000/opx
@sql-wrapper update-storage /home/op/upd-storage-output.log LFS aix11
aix11 Unix /usr/opdata/openpages-storage
v UNC
Windows clpplus -nw openpages/[email protected]:50000/opx
@sql-wrapper update-storage c:\temp\upd-storage-output.log UNC eng11
eng11 Windows c:\OpenPages\openpages-storage
AIX and Linux clpplus -nw openpages/[email protected]:50000/opx
@sql-wrapper update-storage /home/op/upd-storage-output.log UNC aix11
aix11 Unix /usr/opdata/openpages-storage
Update Workflow Properties in the Test Environment
After you restore the DB2 database on the test system, you must update workflow
properties on the test environment.
Procedure
1. If necessary, log on to your test IBM OpenPages server as a user with
administrative permissions.
2. Delete all rows from the workflow ibpmproperties table as follows:
a. Log on to CLPPlus as a workflow database user into the target database
server.
b. Run the following SQL statements to delete all rows from the
ibpmproperties table:
delete from ibpmproperties;
commit;
3. From the command or shell window, import the workflow properties that were
exported in the “Back Up Workflow Properties in the Test Environment” on
page 392 task:
a. Go to the <Workflow_Home>|server|deployment|bin directory.
b. Run the importProperties command as follows:
v On Windows:
importProperties.bat <full-path>\
<output-backup-filename> <opworkflow_db_user> <opworkflow_db_password>
v On AIX and Linux:
importProperties.sh <full-path>/
<output-backup-filename> <opworkflow_db_user> <opworkflow_db_password>
Where:
<full-path> is the path to the location of the output file.
<output-backup-filename> is the name of the output file that contains the
exported workflow properties from the “Back Up Workflow Properties in
the Test Environment” on page 392 task.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
395
<opworkflow_db_user> is the IBM OpenPages workflow user name for
accessing the workflow database.
<opworkflow_db_password> is the IBM OpenPages workflow password for
accessing the workflow database.
Examples
v On Windows:
importProperties.bat c:\Fujitsu\InterstageIBPM\temp\
ibpm.properties opworkflow opworkflow
v On AIX and Linux:
importProperties.sh /opt/Fujitsu/InterstageBPM/temp/
ibpm.properties opworkflow opworkflow
Import Properties Specific to Cluster Members in Your Test
Environment
You must import properties that are specific to cluster members in your test
environment.
Procedure
1. If necessary, log on to your test IBM OpenPages server as a user with
administrative permissions.
2. In the Command Prompt window or AIX shell, navigate to the cluster member
directory:
Windows:
<Workflow_Home>\server\deployment\WLS-Cluster<server_name>
-InterstageBPMCS<#>
AIX and Linux:
<Workflow_Home>/server/deployment/WAS-Cluster<server_name>
-IBPMNode<#>Server
Where:
<Workflow_Home> is the directory where Fujitsu Interstage BPM is installed, by
default:
Windows
c:\Fujitsu\InterstageBPM
AIX and Linux
/opt/Fujitsu/InterstageBPM
<server_name> is the name of the IBM OpenPages application server.
<#> represents the number of the cluster member. In a clustered environment,
the number for each managed server increments by one.
3. Execute the importProperties command as follows:
v Oracle WebLogic:
importProperties.bat <Workflow_Home>\server\deployment\
WLS-Cluster<server_name>-InterstageBPMCS<#>\
ibpm.properties <opworkflow_db_user> <opworkflow_db_password>
Where:
<Workflow_Home> represents the installation location of the Fujitsu Interstage
BPM server. By default, this is: c:\Fujitsu\InterstageBPM.
<server_name> is the name of the IBM OpenPages application server.
<#> represents the number of the cluster member. In a clustered environment,
the number for each managed server increments by one.
396
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
<opworkflow_db_user> is the IBM OpenPages workflow user name for
accessing the workflow database.
<opworkflow_db_password> is the IBM OpenPages workflow password for
accessing the workflow database.
Example
importProperties.bat c:\Fujitsu\InterstageBPM\server\deployment\
WLS-Clusterop-app-InterstageBPMCS1\ibpm.properties opworkflow opworkflow
v IBM WebSphere:
a. Open the setIBPMenv.sh file (AIX and Linux) or the setIBPMenv.cmd file
(Windows) in a text editor.
b. Replace the masked password in the DATABASE_PASSWORD parameter with
the workflow database password.
The password has been automatically masked using asterisks (***) during
the installation. You need to replace the mask with clear text.
c. Save the file.
Note: On AIX and Linux, before executing importProperties.sh, make
sure that the user performing the installation has the permission to
execute the script. If the user does not have the permission to execute
importProperties.sh, enter the following command:
chmod 755 importProperties.sh
d. On AIX and Linux run ./importProperties.sh. On Windows, run
importProperties.bat.
e. Mask the password in the DATABASE_PASSWORD parameter with asterisks.
For example, DATABASE_PASSWORD=*****
f. Save and close the setIBPMenv.sh or setIBPMenv.cmd file.
4. Repeat the steps 2 and 3 for each cluster member.
Update Cognos Data in the Test Environment
You must update the IBM Cognos Controller database and Cognos files in the test
environment.
Before You Begin
Before begin, make sure to verify these things.
Before you run the Cognos backup utility (OPCCBackup) make sure to verify the
following:
v You have access to both the source and target database servers.
v Full permission is granted to the CommandCenter|tools|bin folder on the target
Cognos server.
Back up the Cognos Database on the DB2 Production and Test
Servers
You must use the utilities that are provided with IBM DB2 to back up the IBM
Cognos Controller database on both the production and test servers. The exported
DB2 production database is used later to refresh the IBM Cognos Controller
database on the test or target server.
For more information about the databases in IBM OpenPages and backing up DB2
databases, see “Backing up and Restoring IBM DB2 Databases for OpenPages” on
page 387.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
397
Back Up Cognos Configuration Files on the Production and Test
Servers
You must run the Cognos backup utility to back up Cognos configuration files on
both the production and test servers. The Cognos configuration file backup from
the production server is used later to refresh Cognos configuration on the test
server.
Procedure
1. If necessary, log on to your production Cognos server as a user with
administrative permissions.
2. Run the Cognos backup utility (OPCCBackup) to back up the Cognos
configuration files on the production server.
For more information, see “Using the Cognos Backup Utility” on page 429.
Tip: If the mail server for notification email is not set up for running Cognos
backups, the output from the OPCCBackup command might end with the
following error:
BUILD FAILED
c:\machine3\CommandCenter\tools\bin\op-cc-backup-email-notification.xml:31:
Problem while sending mime mail:
This error can be safely ignored if the step above the error says BUILD
SUCCESSFUL.
3. Copy the production Cognos server backup .zip or .tar.gz file to the Cognos
backup-restore directory on the test server.
4. Run the Cognos backup utility (OPCCBackup) to back up the Cognos
configuration files on your test server.
For more information, see “Using the Cognos Backup Utility” on page 429.
Drop the DB2 Database for Cognos on the Test Server
You must drop the IBM Cognos Controller database on the test server. Dropping
the IBM Cognos Controller database on the test system deletes all object data.
Procedure
1. If necessary, log on to your IBM OpenPages test server as a user with
administrative permissions.
2. Open a command or shell window.
3. For Windows users only, type the following command in the Command Prompt
window to initialize the DB2 command line processor (CLP):
db2cmd
4. In the DB2 CLP, type the following command to drop the DB2 test database:
db2 drop db <DATABASE_NAME>
Where <DATABASE_NAME> is the name of the test database. For example, if
the name of the test database is op11, you would type db2 drop database op11.
For more information about using the DB2 DROP DATABASE command, see the
IBM DB2 Information Center at: http://pic.dhe.ibm.com/infocenter/db2luw/
v10r1/index.jsp?topic=/com.ibm.db2.luw.admin.cmd.doc/doc/r0001949.html.
Copy and Restore the Cognos Production Database Backup File
to the Test Database Server
You must use the utilities that are provided with IBM DB2 to restore the IBM
Cognos Controller reporting database on the test system.
398
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Before you begin
The operating system user names in the test environment must match the
operating system user names in your production environment.
Procedure
1. Copy the IBM Cognos Controller database backup file from the DB2 production
server to the test database server.
2. Restore the DB2 database to the test server. For more information, see “ IBM
OpenPages Database Restore” on page 388.
Update Database Connection References for Cognos
You must update the database connection references for the server on the Cognos
portal.
Procedure
1. Open a browser window and log on to the Cognos portal as a user with
administrative privileges.
By default, the URL is http://<server_name>/ibmcognos
Where: <server_name> is the name of the Cognos server
2. Do one of the following to launch IBM Cognos Administration:
v If the Cognos splash page appears, then click the Administer IBM Cognos
Content link.
v If the IBM Cognos Connection page appears, then click Launch and select
IBM Cognos Administration.
3. On the Configuration tab, click Data Source Connections in the left pane (if
not already selected).
4. On the Directory > Cognos page, click the link for the OpenPages DataSource.
5. On the Directory > Cognos > OpenPages DataSource page, do the following:
a. Under the Actions column, click the Set properties - OpenPages
.
DataSource icon
b. On the Set properties - OpenPages DataSource page, click the Connection
tab.
6. On the Connection tab, next to the Connection String box, click the pencil icon
to edit the field.
7. On the CLI tab, do the following:
a. In the DB2 database name box, change the DB2 database name to the
Catalog Database Name of the OpenPages database on the target
environment.
b. Click OK.
8. Click OK again.
Modify SSO and LDAP Configuration in the Test Environment
If you are using SSO and/or LDAP in the test environment, modify the
configuration for each if needed. Otherwise, skip this task.
Copy Custom Deliverables to the Test Environment
If you are using custom deliverables, you must copy any custom files to the test
environment.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
399
Copy Custom Triggers and Custom Workflow Java Actions
You must copy any custom Java actions and triggers that have been deployed on
the production server to the test environment. These custom actions and triggers
are added to a zip file, openpages-ext.jar , by the OPBackup utility.
If you have any questions about the location of your custom data, contact IBM
representative.
Procedure
1. If necessary, log on to your test IBM OpenPages server as a user with
administrative permissions.
2. Update the openpages-ext.jar in the test environment as follows:
a. From the production backup .zip files in “Back Up and Copy IBM
OpenPages Application Production Data” on page 444, navigate to the
openpages-ext.jar in the <OP_Home>|aurora|lib directory.
Where <OP_Home> represents the installation location of the IBM OpenPages
application.
Table 83. Installation location of the IBM OpenPages application
Operating
system
Installation location
Windows
<OP_Home>\aurora\lib\openpages-ext.jar
By default <OP_Home> is C:\OpenPages
AIX and
Linux
<OP_Home>/aurora/lib/openpages-ext.jar
By default <OP_Home> is /opt/OpenPages
b. Copy the openpages-ext.jar from the production backup file into the
<OP_Home>|aurora|lib directory on your test machine and overwrite the
existing .jar file there.
3. Update the .class files in the test environment so all custom Java Action sets
can be opened from the Workflow console as follows:
a. From the production backup openpages-ext.jar, extract all custom Java
Action .class files using the jar command from the
<Workflow_Home>|server|instance|default|attachments directory.
Table 84. Installation location of the workflow server
Operating
system
Installation location
Windows
By default, <Workflow_Home> is C:\Fujitsu\InterstageBPM
AIX and
Linux
By default, <Workflow_Home> is /opt/Fujitsu/InterstageBPM
For example:
jar xvf openpages-ext.jar
The result is that all of the class files are extracted into the current folder.
b. Copy the extracted .class files, while preserving the full package folder
structure, into the <Workflow_Home>|server|instance|default|attachments
directory on your test machine.
These .class files are needed to open Java action sets from the Workflow
Console.
400
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
c.
Copy the .class files, while preserving the package folder structure, to the
following directory on each client machine used by workflow authors where
Interstage BPM Studio is installed.
These .class files are needed to open Java action sets from the Workflow
Console:
<Workflow_Studio_Home>\InterstageBPM_studio\ibpm\Data\attachments
Where:
<Workflow_Studio_Home> represents the installation location of Fujitsu
Interstage BPM Studio on the client machine. By default, this is
c:\Fujitsu\InterstageBPM.
Copy Other Custom Deliverables
If you have other custom deliverables, such as UI helpers and JSP reports, copy
these custom deliverables to their respective folders on the test or target machine.
If you have any questions about the location of your custom data, contact your
IBM representative.
Procedure
1. From your application production backup .zip files, extract all custom files
such as:
v JAR files
v JSP files
v JavaScript files
v Image files
2. Copy these files into their respective folders on the target machine. The target
folders should match the folders on the source installation.
Start OpenPages and Workflow Servers in the Test
Environment
When finished, start IBM OpenPages services on the servers in your test
environment.
For details, see “Starting and Stopping OpenPages Application Servers” on page
613.
Update URL Host Pointers for Cognos Reports
Modify the URL host pointer settings and then propagate these changes to the
reporting schema on the application server (does not require services to be
restarted).
For more information, see “Updating URL Host Pointers for Reports” on page 504.
Utilities for Filtering on Long String Field Content
You can filter based on the content of long string fields if the IBM DB2 Text Search
feature is enabled. This feature is also known as full text searching.
Long string fields allow users to enter values over 4 KB in length. To apply filters
on the content of these long string fields, you must install and configure the DB2
Text Search feature, see “Install and Configure DB2 Text Search” on page 402.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
401
If the DB2 Text Search feature is not enabled, attempts to filter on the content of
long string fields will not work. For details on setting up long text fields, see
“Working with Long String Fields” on page 181.
The following SQL scripts are provided to help manage full text searching:
Note: Before running these scripts, make sure the DB2 Text Search feature is
installed and configured.
v “Enable DB2 Text Search” on page 404
v “Create a Long String Index” on page 405
v “Create a Schedule Job to Synchronize a Long String Index” on page 407
v “Drop a Long String Index” on page 409
To apply filters with long string fields, you must change the OpenPages |
Platform | Database | Text Indexes setting to true.
Table 85. Values and what they mean
If the value is set to...
Then...
true
Filtering is enabled on long string fields.
false
Filtering is disabled on long string fields.
The default is false.
For details on working with settings, see “Accessing the Settings Page” on page
313.
Install and Configure DB2 Text Search
Install and enable the optional IBM DB2 Search Text feature to filter based on the
contents of fields with long string data types. Scripts are provided for Windows,
AIX, and Linux.
About this task
DB2 Text Search is an optionally installable component in a DB2 Server installation.
Procedure
1. To install DB2 Text Search:
a. Run the custom installation type from the DB2 Server setup CD.
b. Select Work on existing system.
Note: For other DB2 Text Search installation methods, see:
http://publib.boulder.ibm.com/infocenter/db2luw/v10r1/topic/
com.ibm.db2.luw.admin.ts.doc/doc/c_installation.html.
2. After the component is installed, log on to the operating system as the instance
owner.
3. Stop the DB2 instance by running the following commands:
402
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 86. Commands for stopping the DB2 instance
For this operating system...
Do this...
Windows
1. Open a command window, then run db2cmd.
2. In the DB2 CLP window, run:
db2 force applications all
db2stop
AIX and Linux
Run:
db2 force applications all
db2stop
4. Navigate to the DB2 Text Search installation folder.
An example folder on a Windows system is:
D:\Program Files (x86)\IBM\SQLLIB\db2tss\bin
5. To configure the DB2 Text Search feature by using the default setting, run one
of the following commands.
Table 87. Commands for configuring the DB2 Text Search feature by using the default
setting
For this operating system...
Do this...
Windows
db2iupdt DB2
/u:DB2_INSTANCE_OWNER_NAME,DB2_INSTANCE_
OWNER_PASSWORD /j:TEXT_SEARCH
Where DB2_INSTANCE_OWNER_NAME is the
database instance owner account. Usually db2admin
user.
Where DB2_INSTANCE_OWNER_PASSWORD is the
password for instance owner account.
For example, db2iupdt DB2 /u:db2admin,dbpassword
/j:TEXT_SEARCH
AIX and Linux
db2iupdt -j "TEXT_SEARCH,TEXT_SEARCH_Port"
DB_Instance_Name
Where TEXT_SEARCH_Port is the port number of the
DB2 Text Search services. For DB2 Text Search, the
default port is 55000.
Where DB_Instance_Name is the name of the DB2
database instance where you want to add the Text
Search service.
6. To manually configure the DB2 Text Search feature, do the following.
a. Navigate to the <DB2_Home>\db2tss\bin directory.
b. Run this command to generate the authentication token:
configTool generateToken -configPath "<DB2_Home>\cfg\db2tss\config"
-seed <DB2_INSTANCE_NAME>
Note: The default value of <DB2_INSTANCE_NAME> is DB2COPY1.
c. From the <DB2_Home>\db2tss\bin directory, run the following command to
print the status and properties of text search collections:
adminTool status -configPath ""<DB2_Home>\cfg\db2tss\config"
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
403
For more details, refer to the IBM DB2documentation in the following link:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/
com.ibm.db2.luw.admin.ts.doc/doc/t0052968.html.
Note: If you must reconfigure the DB2 Text Search feature, stop the text search
service first. You can run this command to stop the service: db2ts STOP FOR
TEXT
7. Start the DB2 database:
a. Log on to the operating system with the account that was used to create the
database.
b. If you have multiple databases on the server, use these commands to set the
default database:
Windows
set DB2DBDFT==<DATABASE_NAME>
AIX and Linux
export DB2DBDFT=<DATABASE_NAME>
c. Start the database by running the following command:
db2start
8. Start DB2 Text Search services:
a. Log on as the database instance owner.
b. Run the following command:
db2ts START FOR TEXT
Note: If you restart the DB2 server, the DB2 Text Search service does not start
automatically. To automatically start the DB2 Text Search service:
Windows
From the Start menu, click Run, and type services.msc, and then
change the DB2TS services to start automatically.
AIX and Linux
Edit one of the startup scripts to start db2ts when you restart the
service. The command to start db2ts is db2ts start for text.
Enable DB2 Text Search
Enable the IBM DB2 Text Search feature to filter based on the contents of fields
with long string data types.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any
system with access to CLPPlus that can connect to the OpenPages database
server.
Note: For SQL tool information, see “Database tool information” on page 1.
2. Open a command or shell window, navigate to the text-indexing directory as
follows:
Windows
<OP_Home>\aurora\bin\full-text-index
AIX and Linux
<OP_Home>/aurora/bin/full-text-index
404
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
For details on the variable OP_Home, see the section on “Documentation
conventions” on page 1.
Note: If the database server is not on the same machine as the IBM OpenPages
server, you must copy the script and the SQL files that the script invokes to the
database server.
3. Run the following SQL script:
clpplus -nw @sql-wrapper CustomIndexing_Step1_AddTextIndexing_to_DB.sql
<LOG_FILE_NAME> <DB2_SERVER_NAME> <DB2_PORT_NUMBER> <DATABASE_NAME>
<DB2_INSTANCE_OWNER_NAME> <DB2_INSTANCE_OWNER_PASSWORD> <OP_DB_USER>
Table 88. Enable DB2 Text Search required script parameters
Required Parameter
Description
<LOG_FILE_NAME>
Name of the log file.
<DB2_SERVER_NAME>
Name of the DB2 server.
<DB2_PORT_NUMBER>
Port number of the DB2 database service
<DATABASE_NAME>
Name of the OpenPages database.
<DB2_INSTANCE_OWNER_NAME>
Database instance owner account. Usually
db2admin user.
<DB2_INSTANCE_OWNER_PASSWORD>
Password for instance owner account.
<OP_DB_USER>
OpenPages user name for accessing the
OpenPages database.
Note: For SQL tool information, see “Database tool information” on page 1.
For example,
clpplus -nw @sql-wrapper CustomIndexing_Step1_AddTextIndexing_to_DB.sql
CustomIndexing_Step1_AddTextIndexing_to_DB.log server1 50000 op1
db2admin dbpassword OPENPAGES
Results
The database is now enabled for indexing. Use “Create a Long String Index” script
to create the index.
Create a Long String Index
Create a long string text index to support filtering based on the contents of fields
with long string data types. Scripts are provided for Windows, AIX, and Linux.
Before you begin
The DB2 Text Search feature must be enabled. See “Enable DB2 Text Search” on
page 404.
About this task
Important: In AIX or Linux operating systems, when using asterisks (*) as
parameter values in long string search scripts, the asterisks must be properly
escaped with a double quote, single quote combination: "'*'".
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
405
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any
system with access to CLPPlus that can connect to the OpenPages database
server.
Note: For SQL tool information, see “Database tool information” on page 1.
2. Open a command or shell window, navigate to the text indexing directory as
follows.
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
Table 89. Installation location of the full-text-index directory
Operating system
Installation location
Windows
<OP_Home>\aurora\bin\full-text-index
AIX and Linux
<OP_Home>/aurora/bin/full-text-index
Note: If the database server is not on the same machine as the IBM OpenPages
server, you must copy the script and the SQL files that the script invokes to the
database server.
3. Run the following script:
clpplus -nw @sql-wrapper CustomIndexing_Step2_IndexCreate.sql
<LOG_FILE_NAME> <DB2_SERVER_NAME> <DB2_PORT_NUMBER> <DATABASE_NAME>
<OP_DB_USER> <OP_DB_PASSWORD> <UPDATE_FREQUENCE_WEEKDAY>
<UPDATE_FREQUENCE_HOUR> <UPDATE_FREQUENCE_MINUTE> <MINIMUM_UPDATES>
Table 90. Create DB2 long string index required script parameters
Required Parameter
Description
<LOG_FILE_NAME>
Name of the log file.
<DB2_SERVER_NAME>
Name of the DB2 server.
<DB2_PORT_NUMBER>
Port number of the DB2 database service
<DATABASE_NAME>
OpenPages database name.
<OP_DB_USER>
OpenPages user name for accessing the
OpenPages database.
<OP_DB_PASSWORD>
OpenPages password for accessing the
OpenPages database.
<UPDATE_FREQUENCE_WEEKDAY>
Weekday update frequency.
Accepted values are between 0 and 6;
multiple values can be separated with a
comma. For all weekdays use * (asterisk).
<UPDATE_FREQUENCE_HOUR>
Hourly update frequency.
Accepted values are between 0 and 23;
multiple values can be separated with a
comma. For all hours use * (asterisk).
406
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 90. Create DB2 long string index required script parameters (continued)
Required Parameter
Description
<UPDATE_FREQUENCE_MINUTE>
Minute update frequency.
Accepted values are between 0 and 59,
multiple values can be separated with a
comma.
Typically, values are specified as top of the
hour (0), or in multiples of 5 minute
increments after the hour, for example, 0, 5,
10, 15, 20, 25, 30, 35, 40, 45, 50 or 55.
Minimum number of updates in the base
table before a scheduled index updates is
run.
<MINIMUM_UPDATES>
For example,
clpplus -nw @sql-wrapper CustomIndexing_Step2_IndexCreate.sql
CustomIndexing_Step2_IndexCreate.log server1 50000 op1 OPENPAGES
opxpassword "'*'" "'*'" "0,5,10,15,20,25,30,35,40,45,50,55" 1
This example creates an index with updates that start every 5 minutes of every
hour of every weekday if there is a minimum of one update to the
PROPERTYVALS_CLOB table.
Results
An index is created for long string fields.
Create a Schedule Job to Synchronize a Long String Index
Create a schedule to synchronize and refresh the long string index. Scripts are
provided for Windows, AIX, and Linux.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any
system with access to CLPPlus that can connect to the OpenPages database
server.
Note: For SQL tool information, see “Database tool information” on page 1.
2. Open a command or shell window, and navigate to the bin directory as
follows.
Table 91. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
Note: If the database server is not on the same machine as the IBM OpenPages
server, you must copy the script and the SQL files that the script invokes to the
database server.
3. Run the following script:
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
407
clpplus -nw @sql-wrapper CustomIndexing_Step3_IndexRefresh.sql
<LOG_FILE_NAME> <DB2_SERVER_NAME> <DB2_PORT_NUMBER> <DATABASE_NAME>
<OP_DB_USER> <OP_DB_PASSWORD> <UPDATE_FREQUENCE_WEEKDAY>
<UPDATE_FREQUENCE_HOUR> <UPDATE_FREQUENCE_MINUTE> <MINIMUM_UPDATES>
Table 92. Refresh DB2 index required script parameters
Required Parameter
Description
<LOG_FILE_NAME>
Name of the log file.
<DB2_SERVER_NAME>
Name of the DB2 server.
<DB2_PORT_NUMBER>
Port number of the DB2 database service
<DATABASE_NAME>
OpenPages database name.
<OP_DB_USER>
OpenPages user name for accessing the
OpenPages database.
<OP_DB_PASSWORD>
OpenPages password for accessing the
OpenPages database.
<UPDATE_FREQUENCE_WEEKDAY>
Weekday update frequency.
Accepted values are 0 - 6; multiple values
can be separated with a comma. For all
weekdays, use * (asterisk).
<UPDATE_FREQUENCE_HOUR>
Hourly update frequency.
Accepted values are 0 - 23; multiple values
can be separated with a comma. For all
hours, use * (asterisk).
<UPDATE_FREQUENCE_MINUTE>
Minute update frequency.
Accepted values are 0 - 59, multiple values
can be separated with a comma.
Typically, values are specified as top of the
hour (0), or in multiples of 5-minute
increments after the hour, for example, 0, 5,
10, 15, 20, 25, 30, 35, 40, 45, 50 or 55.
<MINIMUM_UPDATES>
Minimum number of updates in the base
table before a scheduled index updates is
run.
For example,
clpplus -nw @sql-wrapper CustomIndexing_Step3_IndexRefresh.sql
CustomIndexing_Step3_IndexRefresh.log server1 50000 op1 OPENPAGES
opxpassword "*" "*" "0,5,10,15,20,25,30,35,40,45,50,55" 1
This example schedules index synchronization to start every 5 minutes of every
hour of every weekday if there is a minimum of one update to the
PROPERTYVALS_CLOB table.
Results
Index synchronization jobs run at the interval specified.
Note: Changes to long string fields are not available for filtering until the next
scheduled index job runs.
408
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Drop a Long String Index
Remove the long string index. An index must be dropped before it can be
re-created. Scripts are provided for Windows, AIX, and Linux.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any
system with access to CLPPlus that can connect to the OpenPages database
server.
Note: For SQL tool information, see “Database tool information” on page 1.
2. Open a command or shell window, and navigate to the text-indexing directory
as follows:
Windows
<OP_Home>\aurora\bin\full-text-index
AIX and Linux
<OP_Home>/aurora/bin/full-text-index
For details on the variable OP_Home, see the section on “Documentation
conventions” on page 1.
Note: If the database server is not on the same machine as the IBM OpenPages
server, you must copy the script and the SQL files that the script invokes to the
database server.
3. Run the following SQL script:
clpplus -nw @sql-wrapper CustomIndexing_Step5_IndexDrop.sql
<LOG_FILE_NAME> <DB2_SERVER_NAME> <DB2_PORT_NUMBER> <DATABASE_NAME>
<OP_DB_USER> <OP_DB_PASSWORD> <FORCE_DROP_INDEX>
Table 93. Enable DB2 drop index required script parameters
Parameter
Description
<LOG_FILE_NAME>
Name of the log file.
<DB2_SERVER_NAME>
Name of the DB2 server.
<DB2_PORT_NUMBER>
Port number of the DB2 database service
<DATABASE_NAME>
Name of the OpenPages database instance.
<OP_DB_USER>
OpenPages user name for accessing the
OpenPages database.
<OP_DB_PASSWORD>
OpenPages password for accessing the
OpenPages database.
<FORCE_DROP_INDEX>
Drops the index without regard to the status
of any associated scheduled task.
Values are Y (for Yes) or N (for No)
Note: For SQL tool information, see “Database tool information” on page 1.
For example,
clpplus -nw @sql-wrapper CustomIndexing_Step5_IndexDrop.sql
CustomIndexing_Step5_IndexDrop.log server1 50000 op1 OPENPAGES opassword
Y
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
409
Results
You must re-create the index before you filter on the content of long string fields
again. For details on creating a long string index, see “Create a Long String Index”
on page 462.
Entity Move/Rename Utility
The IBM OpenPages Entity Move/Rename utility allows batch processing of
multiple Business Entities for overnight or weekend execution without running the
risk of operations that time out. You can run the utility interactively or as a
scheduled job.
Using the IBM OpenPages Entity Move/Rename utility, you can do the following:
v Rename a Business Entity hierarchy
v Simultaneously rename and move a Business Entity hierarchy
A single batch job can contain multiple independent operations, multiple
dependent operations, or any combination thereof.
Each operation provides transactional consistency. If an operation fails, all the
pending changes for this operation are rolled back. If an operation succeeds, all the
changes are persisted.
Each rename, move, or combined operation runs in its own transactional context.
So, failure in one operation does not result in the failure of the entire batch job.
Important: This version of the tool is for use with IBM OpenPages GRC Platform
6.0.1 or later. If you have an earlier version of OpenPages installed on your system,
contact your IBM Support representative to obtain the applicable version of the
tool.
Prerequisites
Before you use the IBM OpenPages Entity Move/Rename utility, consider these
prerequisites.
v A physical computer or VM that meets the IBM OpenPages GRC Platform
installation requirements. For detailed specifications, see the IBM OpenPages GRC
Platform Installation Guide.
v An application that produces either CSV (comma-separated value) files or
Unicode tab delimited files. This application can be installed on any computer in
your environment and is used to prepare the input data for the utility.
v User name and password for the Oracle or DB2 account that owns the
OpenPages application database schema (for example, OPENPAGES).
Configuring the Entity Move/Rename utility
You must configure parameters in the IBM OpenPages Entity Move/Rename utility
before you use it in a DB2 database environment.
Procedure
1. Go to the Entity Move/Rename utility installation location as follows:
OP_Home|aurora|bin|batch_entity_move_rename_relative
2. Open the batch-entity-move-rename.ini configuration file for editing.
410
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
3. Specify appropriate values for the following parameters for a DB2 database
environment:
Table 94. Parameters for a DB2 database in the batch-entity-move-rename.ini file:
Parameter Name
Description
server_name
DB2 database server.
port_number
DB2 service port number.
db_Name
OpenPages database name on DB2.
user_name
OpenPages database user name.
password
OpenPages database user password.
data_format
Format of the input file to the utility.
Example: csv or unicode-text.
input_file
Name of the input file (including extension).
Example: ‘Sample-batch-entity-move-rename.txt’
code_page
Code page that is used in the DB2 database.
If the data_format parameter is set to the following value:
v csv saved from Microsoft Excel, it is encoded in ANSI, then the code
page must be set to 1252.
v unicode-text and encoded in UTF-8 without BOM, then the code page
must be set to 1208.
skip_rows
The number of rows in the input files to skip on load.
Example
If the first row of the file:
v Contains a list of column names, set the value to '1'.
v Does not contain a list of column names, set this value to '0'.
4. Save and close the batch-entity-move-rename.ini configuration file.
5. Prepare the input file. See “Prepare the input file for the Entity Move/Rename
utility.”
Prepare the input file for the Entity Move/Rename utility
The input file for the Entity Move/Rename utility can be in CSV or Unicode tab
delimited format. You can use any editor to create the input files. Included in the
utility installation folder is a sample Unicode text file (.txt format).
Important: On AIX and Linux, the text input file must be saved or converted to be
encoded in UCS-2 Little Endian and have UNIX end of line (LF) characters.
Tip: If you are using Microsoft Excel, you must save the spreadsheet as a CSV or
tab delimited file.
The input file must have the following five columns of data:
Table 95. Columns in the input file
Column Name
Description
Sample Value
Source entity
location
The entity on which the operation is run.
/The Bank/USA/North
East/Providence
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
411
Table 95. Columns in the input file (continued)
Column Name
Description
Sample Value
Target entity
location
The new parent entity for ‘move’ and
‘move and rename’ operations only.
Note:
For ‘move’ and ‘move and
rename’ operations:
v For Oracle 'rename' operations only (no
move), the value must be "-" (dash).
/Worldwide/Americas/USA/
NE
v For DB2 ‘rename’ operations only (no
move), the value must be "" (blank).
Run as user
Application user name, whose identity is
used to run the operation.
New entity
name
For ‘rename’ and ‘move
The new name after the operation for
‘rename’ and ‘move and rename’ operations and rename’ operations:
Boston
only.
Note:
OpenPagesAdministrator
v For Oracle 'move' operations only (no
rename), the value must be "-" (dash).
v For DB2 ‘move’ operations only (no
rename), the value must be "" (blank).
Execution order
Establishes the operation execution order as 1
follows:
v Operations that specify the execution
order are run before operations that do
not.
v Operations that have a numeric value in
the execution order column are run in
regular ascending ordering.
If set, the value must to be a valid number;
Otherwise, leave the field blank.
The following is a short description of the data in the sample .txt file that is
included in the utility directory.
v The first line illustrates moving entity /The Bank/USA/North East/Providence to
new location /Worldwide/Americas/USA/NE. Operation is to be run as the user
SOXAdministrator. This operation is run first in the batch.
v The second line illustrates in place rename of the entity /Worldwide/Americas/
USA/NE/Providence. Entity name changes to Boston. Target location does not
apply and is set to '-'. This entry has a dependency on the previous move
operation and has higher number in the execution order column. Also, it
references to the new entity location that will be in effect after the first operation
completes.
v If the first operation fails for any reason, this operation fails as well and the
entity location would be incorrect.
v The third line illustrates simultaneous move of the entity /The
Bank/USA/Midwest/Chicago to new location /Worldwide/Americas/USA/MW and
rename to ‘Detroit’. This operation has no dependencies and will be run after the
first two complete.
When finished,
v If you have an Oracle database with the 32-bit SQL*Loader utility and an IBM
AIX or Linux environment, see the topic: “Avoid error 0509-036 when you use
the 32-bit SQL*Loader” on page 475.
412
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
v Otherwise, run the IBM OpenPages Entity Move/Rename utility.
Running the Entity Move/Rename utility interactively
Use the following steps to run the IBM OpenPages Entity Move/Rename utility
interactively in a DB2 database environment.
Before you begin, make sure that you prepared the input file. See “Prepare the
input file for the Entity Move/Rename utility” on page 411 for instructions.
Procedure
1. Move the input file into the utility installation directory, which is at:
OP_Home|aurora|bin|batch_entity_move_rename_relative
2. Validate that the input_file parameter in the batch-entity-move-rename.ini
configuration file is correctly set to the input file name. For more information,
see “Configuring the Entity Move/Rename utility” on page 410.
3. For Windows operating systems only: Start the DB2 command line processor
first by opening a command window and entering the db2cmd command.
4. From the location where the utility is installed, run the batch command file and
review the output on the screen.
Windows
batch-entity-move-rename.cmd
AIX or Linux
batch-entity-move-rename.sh
5. Upon completion, review the following log files for any errors:
v batch-entity-move-rename-load.log
v batch-entity-move-rename-proc.log
If any errors are reported and you are unable to fix them, contact your IBM
Support representative. Mare sure you supply a copy of the screen that contains
the error messages and all the log files that are generated by the tool.
Running the Entity Move/Rename utility as a scheduled task
You can set up a scheduled task to run the IBM OpenPages Entity Move/Rename
utility.
Depending on your environment, you can run the batch-entity-move-rename batch
command file by using any scheduling application. For example, in Windows, you
might use the built-in Windows scheduler. In IBM AIX or Linux, you might set up
a cron job.
Important: If you are using a DB2 database in a Windows environment, you must
run the batch command file within the DB2 Command Line Processor.
If the job fails, the batch command returns a non-zero exit code. You can redirect
the console output to a log file. For example, in Windows:
batch-entity-move-rename.cmd >> batch-entity-move-rename.log
The batch-entity-move-rename-load.log and batch-entity-move-rename-proc.log
files are overwritten on each run. These files can be saved, either manually or
through a script, if log archives are needed.
Chapter 15. Using IBM OpenPages Utilities with IBM DB2
413
Impact of the Entity Move/Rename utility on the OpenPages
application
The Entity Move/Rename utility works directly against the OpenPages database
repository. As a result, the Java based OpenPages application is unaware of the
changes made to the entity hierarchy and folder structure.
As a result, internal application caches might become out of sync with the data in
the repository and lead to discrepancies in the application user interface.
It is required that after you run the tool you restart application services, or run the
tool when application services are stopped.
Also, ensure that the OPBackup command is not running during execution, and that
all batch rename and move operations are completed before you run a backup.
414
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Chapter 16. Using Utilities with Oracle Database
You can use these utilities with your Oracle Database for backing up and restoring
IBM OpenPages and Cognos files and databases, setting up a test environment,
and purging the workflow database.
About Oracle Database and the OpenPages Backup and Restore
Utilities
The Backup and Restore utilities are installed during the IBM OpenPages
installation procedure.
They are available for backing up and restoring the IBM OpenPages environment:
v IBM OpenPages backup (OPBackup) and restore (OPRestore) — these utilities
are used to backup and restore the IBM OpenPages application and database
(see “Using the IBM OpenPages Backup Utility” on page 421 for details).
Cognos backup (OPCCBackup) and restore (OPCCRestore) — these utilities are
used to backup and restore IBM OpenPages Cognos files and Content Store (see
“Using the Cognos Backup Utility” on page 429 for details).
v Users can choose to execute a live OPBackup. When running live OPBackup,
OpenPages services are not restarted on the application server allowing for
maximum uptime of OpenPages application. By default, OpenPages services will
be restarted.
v
Note: Customers with database servers that are running the Oracle 11g Enterprise
Edition must contact Oracle support and request the p8795792_112010_Generic.zip
patch file before running the OPBackup and OPRestore and/or OPCCBackup and
OPCCRestore utilities.
If this patch is not applied, the data import will fail with the following error
messages:
ORA-39083: Object type INDEX failed to create with error:
ORA-14102: only one LOGGING or NOLOGGING clause may be specified
If you have already run your backup and need to restore data using that backup,
contact your IBM representative for assistance.
Prerequisite: Oracle Admin Client
To use the IBM OpenPages -supplied backup and restore utilities, you must have
the Oracle Admin Client software installed on both the IBM OpenPages application
server and IBM OpenPages Cognos server machines.
Note: For the currently supported version of the Oracle Admin Client, see the IBM
OpenPages Release Notes or refer to the IBM OpenPages Installation or OpenPages
Upgrade Guide on your installation media.
About Oracle Data Pump
Oracle Data Pump provides a server-side infrastructure for very high-speed
loading and unloading of data and metadata to and from the database.
415
Oracle Data Pump is used by the IBM OpenPages -supplied application and
Cognos backup and restore utilities and was automatically configured during the
IBM OpenPages Version 6.2.1 installation or upgrade process. If necessary, you can
modify Oracle Data Pump settings.
Important:
v The Oracle Data Pump utility creates database backups on the database server.
To ensure the database backups are available in the event of a server failure,
make sure to copy these backup (dump) files to a different server or external
device (such as a tape drive) once the OPBackup or OPCCBackup tool has
completed.
v Before you use the Cognos backup utility for the first time, you must configure
the Oracle Data Pump ‘datapump’ directory. You do this by running an SQL
script. For details, see “Configuring or Updating the Oracle Data Pump
Directory” on page 430.
If you change the name or location of the ‘datapump’ directory, you can also use
this script to update the configuration information.
v Oracle Data Pump commands IMPDP and EXPDP should be used as the IMP
and EXP commands are not supported.
Configuring Email Notification for Backup Jobs
If wanted, you can configure email notification upon the completion of an IBM
OpenPages application backup or Cognos backup job.
About Email Notification
You can configure email notification (which includes an attached log file) upon the
completion of an IBM OpenPages application backup or Cognos backup job.
Note:
v Log files for email notification are stored in the logs folder in the following
location:
– For OPBackup ( IBM OpenPages application backup):
<OP_Home>|aurora|bin|logs with the timestamp on the log files.
– For OPCCBackup (Cognos backup):
<CC_Home>|tools|bin|logs with the timestamp on the log files.
v Make sure to set rules in your email client to never send emails from the IBM
OpenPages application server to the Spam or Junk mail folders.
Configuring Backup Job Notification
The following steps provide instructions for configuring email parameters for IBM
OpenPages application and Cognos backup jobs.
Procedure
1. Open a command or shell window and do one of the following.
a. For an OPBackup ( IBM OpenPages application backup):
Navigate to the op-backup-restore.env file in the bin directory as follows.
Table 96. Installation location of the IBM OpenPages GRC Platform application
416
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Table 96. Installation location of the IBM OpenPages GRC Platform application (continued)
Operating system
Installation location
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions”
on page 1.
b. For a OPCCBackup (Cognos backup):
Navigate to the op-cc-backup-restore.env file in the bin directory as
follows.
Where <CC_Home> represents the installation location of the Cognos
application.
Table 97. Installation location of the Cognos application
Operating
system
Installation location
Windows
<CC_Home>\tools\bin
By default, <CC_Home> is C:\OpenPages\CommandCenter
AIX and
Linux
<CC_Home>/tools/bin
By default, <CC_Home> is /opt/OpenPages/CommandCenter
2. Open the selected .env file in a text editor of your choice.
3. To configure email notification, specify a value after the equal sign (=) for the
following parameters (shown in Table 67 on page 374) in the selected .env file:
Table 98. Backup email Parameters
Parameter Name
Description
BACKUP_EMAIL_NOTIFICATION
_SERVER=
The host name of the outgoing mail server.
BACKUP_EMAIL_NOTIFICATION
_TO_EMAIL_ID=
The name of one or more recipients that will
receive the email notification. The names
appear in the To: field of the email address.
Multiple email addresses must be delimited
with a comma (,).
Note: Do not enter a comma after the last
email address.
Example
[email protected],emailid2
@yourdomain.com
BACKUP_EMAIL_NOTIFICATION
_FROM_EMAIL_ID=
The name that will appear as the sender of
the notification email in the From: field of
the email.
The email address is also used as the
personal name.
Chapter 16. Using Utilities with Oracle Database
417
Table 98. Backup email Parameters (continued)
Parameter Name
Description
BACKUP_EMAIL_NOTIFICATION
_SUCCESS_MSG_
FILE=BACKUP_SUCCESS_MSG.txt
The BACKUP_SUCCESS_MSG.txt is the default
file containing the message text that will be
used if the OPBackup.cmd completes
successfully.
You can modify the message text in the
BACKUP_SUCCESS_MSG.txt file as wanted.
The first line of the file is used as the email's
subject.
BACKUP_EMAIL_NOTIFICATION
_FAIL_MSG_FILE=
BACKUP_FAIL_MSG.txt
The BACKUP_FAIL_MSG.txt is the default file
that contains the message text that is used if
the OPBackup.cmd fails with errors.
You can modify the message text in the
BACKUP_FAIL_MSG.txt file as wanted.
The first line of the file is used as the email's
subject.
4. Save the changes to the file and exit the editor.
Running Asynchronous Background Jobs and Administrative
Functions
The IBM OpenPages GRC Platform supports asynchronous execution of processes
in the background.
The most common examples of these type jobs are FastMap web-based data import
jobs, object resets, and reporting schema generation.
For example, after a user submits a data import file, that file is queued for loading
and the import process occurs in the background. Since it is important that
asynchronous background jobs run to completion, certain administrative operations
in the application are suspended until all background jobs complete.
By default, the following administrative functions will not start until background
jobs are completed:
v OPBackup command
v OPRestore command
v System Administrative Mode (SAM)
Note: To disable the default setting that checks for background jobs before you
start OPBackup or OPRestore, see “Enabling and Disabling Asynchronous
Background Processes Checking” on page 377.
If asynchronous processes are found, error messages are written to the OPBACKUP
restore log.
Example
The following is a sample error log message that occurred when an OPBackup
command was initiated while the reporting schema was still being generated.
418
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Note: The .log file name has the format op_backup_<yyyy_mm_dd_hh_mm_ss>.log
Where:
<yyyy_mm_dd_hh_mm_ss> represents the year_month_day_hour_minute_second. For
example:
Windows
C:\OpenPages\openpages-backup-restore\
op_backup_2010_07_26_09_35_42.log
AIX and Linux
/opt/OpenPages/openpages-backup-restore/
op_backup_2010_07_26_09_35_42.log
Sample error log messages follow.
v For Oracle Database environments, a sample error log message might look
similar to this text:
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing processes running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing object reset operations running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
v For IBM DB2 environments, a sample error log message might look similar to
this text:
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing processes running. Please let them
[exec] finish or termi".
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing object reset operations running.
[exec] Please let them finish or termi".
Enabling and Disabling Asynchronous Background Processes
Checking
By default, the IBM OpenPages GRC Platform does not allow a backup
(OPBackup) or restore (OPRestore) operation to start until all asynchronous
background jobs run to completion.
Although we strongly recommend that all jobs run to completion before you start a
backup or restore operation, this check can be enabled or disabled as follows.
Chapter 16. Using Utilities with Oracle Database
419
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Navigate to the op-backup-restore.env file in the bin directory as follows.
Table 99. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Open the op-backup-restore.env file in a text editor of your choice.
4. Set the CHECK_BACKGROUND_PROCESSES parameter in the file to one of the
following values:
Table 100. CHECK_BACKGROUND_PROCESSES parameter values and their meanings
If the value is set to...
Then...
true
The validation check for asynchronous
background jobs is enabled and
OPBackup/OPRestore will not start if
background processes are still running.
This value is the default.
false
The validation check for asynchronous
background jobs is disabled and
OPBackup/OPRestore will start even if
background processes are still running.
5. When finished, save the changes to the file and exit the editor.
Encrypting Database Passwords in the Backup-Restore Utility
Environment Files
Passwords used by the IBM OpenPages, workflow, and Cognos database user
accounts within the backup-restore environment files are encrypted, by default,
during installation. If you change the value of the password parameters within the
following environment files, the new value will be in plain text until it is
encrypted.
op-backup-restore.env database password parameters (file resides on the
application server):
v DB_SYSTEM_PWD=
v DB_SYS_PWD=
v DB_OP_PWD=
v DB_WF_PWD=
op-cc-backup-restore.env database password parameters (file resides on the
reporting server):
v DB_SYSTEM_PWD=
v DB_CC_PWD=
For security purposes, we strongly recommend that you encrypt the changed
passwords by performing the following procedure.
420
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Important: In a horizontal clustered environment, you must perform this
procedure on each OpenPages Application Server in the horizontal cluster.
Procedure
1. To encrypt changed database password parameters in the op-backuprestore.env environment file, do the following:
a. Open a command or shell window on the IBM OpenPages server.
b. Navigate to the bin directory as follows:
Table 101. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions”
on page 1.
c. Execute the following backup command:
v On a Windows operating system: OPBackup.cmd secure
v On an AIX and Linux operating systems: ./OPBackup.sh secure
2. To encrypt changed database password parameters in the op-cc-backuprestore.env environment file, do the following:
a. Open a command or shell window on the reporting server.
b. Navigate to the bin directory as follows:
Where <CC_Home> represents the installation location of the Cognos
application.
Table 102. Installation location of the Cognos application
Operating
system
Installation location
Windows
<CC_Home>\tools\bin
By default, <CC_Home> is C:\OpenPages\CommandCenter
AIX and
Linux
<CC_Home>/tools/bin
By default, <CC_Home> is /opt/OpenPages/CommandCenter
c. Execute the following backup command:
v On Windows: OPBackup.cmd secure
v On AIX and Linux: ./OPBackup.sh secure
Using the IBM OpenPages Backup Utility
OPBackup is the IBM OpenPages backup utility that backs up the necessary
OpenPages files and Oracle Database content on the server where it is run. The
OPBackup utility creates a backup file that can be used by the OpenPages restore
utility (OPRestore).
When you use the OPBackup utility, the following IBM OpenPages resources are
backed up:
v The IBM OpenPages application and workflow databases
v The IBM OpenPages storage folder and its content
v The IBM OpenPages application environment files
Chapter 16. Using Utilities with Oracle Database
421
Important: In a horizontal environment, if the IBM OpenPages Backup Utility is
run on a non-administrative server, application and workflow databases will not be
included in the backup. To include application and workflow databases in a
backup file, run the IBM OpenPages Backup Utility on an administrative server.
Depending on your configuration, if any asynchronous background jobs are
detected, an OPBackup job will exit and possibly display errors (see “Running
Asynchronous Background Jobs and Administrative Functions” on page 375).
Optionally, you can configure e-mail notification (with an attached log file) upon
the completion of an OPBackup. For details, see “Configuring Email Notification
for Backup Jobs” on page 373.
Modifying the Backup-Restore Environment File
The IBM OpenPages storage location is set during the installation process. Use the
following scenarios to determine if you need to modify the OPSTORAGE_LOCATION
parameter in the op-backup-restore.env file.
By default, the op-backup-restore.env file is located in the bin directory as
follows: <OP_Home>|aurora|bin
Table 103. Installation location of the IBM OpenPages GRC Platform application
Operating
system
Installation location of the IBM OpenPages GRC Platform application
Windows
By default, <OP_Home> is: C:\OpenPages
AIX and
Linux
By default, <OP_Home> is: /opt/OpenPages
Scenario 1: The Root Installation Path of the IBM OpenPages
Storage Location Changed After Installation
If you modify the root path of the IBM OpenPages storage location in the
storageservers table after installation, make sure you update the
OPSTORAGE_LOCATION parameter in the <OP_Home>|aurora|bin|op-backuprestore.env file to match the new root path ( IBM OpenPages storage location).
If these locations do not match, the OPBackup utility will capture incorrect or stale
storage folders.
Scenario 2: The OPBackup Utility is Running on a
Non-Administrative Server
If you are running the OPBackup utility on a non-administrative server, you must
update the OPSTORAGE_LOCATION parameter in the <OP_Home>|aurora|bin|opbackup-restore.env file on the non-administrative server to point to the remote
location of the openpages_storage folder on the administrative server.
Make sure to use forward slashes as the path separator in this UNC path.
Example
//<host_server>/openpages_storage
Where:
<host_server> is the name of the administrative server.
422
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
Backing Up Custom OpenPages Files
Custom OpenPages files, such as SiteSync or scheduled job files that are custom to
your environment, can be included in the backup using an OpenPages manifest
file. A manifest file is a text file that contains the full path name to any directory or
file that needs to be included in the backup.
Important:
v You must list all of your custom directories and files in a manifest. If you have
any questions about the location of your custom data, contact OpenPages
Customer Support.
v In a horizontal clustered environment, you must perform this procedure on each
OpenPages Application Server in the horizontal cluster.
Procedure
1. Log on to the current OpenPages application server.
2. Navigate to the <OP_Home>|aurora|bin directory and open the
op_backup.manifest file in a text editor.
Table 104. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Enter the full path name to all custom directory name or a specific file. Each
directory or file must be on a separate line in the file.
4. Save the manifest file using the current location and name.
Running the OPBackup Command
When you use the IBM OpenPages application backup utility, you run the
OPBackup command in a command or shell window.
The OPBackup command does the following:
v Stops all IBM OpenPages services before performing any backup operation
v Backs up IBM OpenPages application and environment files
v Exports the IBM OpenPages application database
v Restarts the services when the backup activities are complete
Note: Oracle Data Pump backup files are created on the database server.
See “Running a Live OpenPages Backup” on page 424 if you want to perform a
backup without stopping services.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Navigate to the bin directory as follows:
Table 105. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
Chapter 16. Using Utilities with Oracle Database
423
Table 105. Installation location of the IBM OpenPages GRC Platform application (continued)
Operating system
Installation location
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Execute the following backup command:
Windows
OPBackup <path-to-backup-location>
AIX
OPBackup.sh <path-to-backup-location>
Where:
Note: <path-to-backup-location> is the full path of the directory where the
backed up files are located on the IBM OpenPages GRC Platform application
server.
If a file path is not specified, the OPBackup command uses, by default, the
backup location specified in the BACKUP_LOCATION parameter of the
<OP_Home>|aurora|bin|op-backup-restore.env file.
The following table lists the default database export location for .dmp files
specified in the environment file.
Where <SID> is the Oracle System Identifier (for example, OP or OP11G).
Table 106. Default database export locations
If you purchased Oracle
Database from...
IBM
For this operating system...
Windows
(Oracle embedded installer)
AIX
A vendor other than IBM
Windows
AIX
Then the default backup
location on the database
server is...
c:\openpages_data\
repository\
server112_se_x64\admin\
<SID>\dpdump
/opt/openpages_data/
repository/
server112_se_x64/admin\
<SID>/dpdump
<oracle_base>\admin\<SID>\
dpdump
<oracle_base>/admin/<SID>/
dpdump
Running a Live OpenPages Backup
A live OpenPages backup means that the OpenPages application can continue
running while the backup is in progress. OpenPages services are not stopped
during the backup.
Note: Run live OpenPages backups during off-peak hours as the backup consumes
processing resources.
It is possible to encounter the errors such as the following during the database
export portion of the live OP backup:
424
IBM OpenPages GRC Platform Version 7.0.0: Administrator's Guide
[exec] ORA-31693: Table data object "OPENPAGES"."table_name"
failed to load/unload and is being skipped due to error:
[exec] ORA-02354: error in exporting/importing data
[exec] ORA-01555: snapshot too old: rollback segment number #
with name "rollback_segment_name" too small
This might happen if there is a relatively high level of data modification
transactional activity on the system during the backup. Run live OP backup when
transactional activity is low. If this is not possible or not desirable, or if the error
keeps happening, it maybe possible to avoid this error by setting UNDO_RETENTION
initialization parameter to a higher (possibly much higher) value, at least for the
duration of the backup. Setting UNDO_RETENTION to a higher value, may result in a
growth of UNDO table space, so it should be done by an experienced database
administrator or with the assistance of IBM Support.
To use the IBM OpenPages application backup utility live, you run the OPBackup
command with the nosrvrst option. This does the following:
v Backs up IBM OpenPages application and environment files
v Exports the IBM OpenPages application database
Note: Oracle Data Pump backup files are created on the database server.
Procedure
1. Open a command or shell window on the IBM OpenPages server.
2. Navigate to the bin directory as follows:
Table 107. Installation location of the IBM OpenPages GRC Platform application
Operating system
Installation location
Windows
<OP_Home>\aurora\bin
AIX and Linux
<OP_Home>/aurora/bin
For details on <OP_Home>, see the section on “Documentation conventions” on
page 1.
3. Execute the following backup command:
Windows
OPBackup <path-to-backup-location> nosrvrst
AIX
OPBackup.sh <path-to-backup-location> nosrvrst
Where:
Note: <path-to-backup-location> is the full path of the directory where the
backed up files are located on the IBM OpenPages GRC Platform application
server.
If a file path is not specified, the OPBackup command uses, by default, the
backup location specified in the BACKUP_LOCATION parameter of the
<OP_Home>|aurora|bin|op-backup-restore.env file.
The following table lists the default data