IBM OpenPages GRC Administrator's Guide v7.4 PDF
IBM OpenPages GRC Administrator's Guide v7.4 PDF
IBM OpenPages GRC Administrator's Guide v7.4 PDF
Version 7.4.0
Administrator's Guide
IBM
Note
Before using this information and the product it supports, read the information in “Notices” on page 805.
Product Information
This document applies to IBM OpenPages GRC Version 7.4.0 and may also apply to subsequent releases.
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2018.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Note..................................................................................................................... iii
............................................................................................................................ iv
Introduction...................................................................................................... xxv
Installation locations............................................................................................................................... xxvi
IBM OpenPages GRC Platform .............................................................................................................. xxvii
How IBM OpenPages GRC Platform can help....................................................................................... xxviii
Shared content management and common repository...................................................................xxviii
Dynamic decision support with Cognos...........................................................................................xxviii
Simple configuration and localization..............................................................................................xxviii
Flexible automation..........................................................................................................................xxviii
Web services-based integration........................................................................................................ xxix
v
Setting group application permissions......................................................................................................31
Types of application permissions.............................................................................................................. 32
Application permissions not contained under the SOX heading.............................................................. 35
Configure password requirements............................................................................................................ 36
Configuring password policies............................................................................................................. 37
Configuring password encryption........................................................................................................ 37
Modifying password encryption........................................................................................................... 38
Using the UPEA tool............................................................................................................................. 40
Chapter 4. Security.............................................................................................. 43
Role-based security model........................................................................................................................43
Security context points........................................................................................................................ 45
Extending security context points....................................................................................................... 46
Security domains..................................................................................................................................48
Moving business entities...................................................................................................................... 49
Copying business entities.................................................................................................................... 49
Role-based access control permissions.............................................................................................. 49
Role templates..................................................................................................................................... 51
Security rules............................................................................................................................................. 56
Record level security............................................................................................................................ 57
Field level security................................................................................................................................69
Paths for parent and child objects....................................................................................................... 71
Terms for data types............................................................................................................................ 72
Grammar for security rules.................................................................................................................. 74
Enabling or disabling a security rule....................................................................................................78
Validating a formula for a security rule................................................................................................78
Deleting a security rule........................................................................................................................ 78
Best practices for security rules.......................................................................................................... 78
Custom security for projects..................................................................................................................... 79
About the folder hierarchy and inheritance.........................................................................................79
Creating an Access Control List........................................................................................................... 79
Editing an Access Control List.............................................................................................................. 80
Deleting an Access Control List............................................................................................................80
Field level encryption.................................................................................................................................81
Create a file for the encryption keystore and key pair.........................................................................81
Setting up the encryption keystore......................................................................................................82
Enabling the encryption keystore........................................................................................................ 83
Disabling the encryption keystore....................................................................................................... 83
Updating the encryption keystore........................................................................................................84
LDAP user authentication.......................................................................................................................... 84
Configuring the LDAP Authentication Module..................................................................................... 84
Setting up mixed-mode authentication............................................................................................... 87
Configuring a multi-forested LDAP authentication..............................................................................88
vi
Creating a process diagram....................................................................................................................... 99
Refreshing process diagrams.................................................................................................................. 101
Modifying a process diagram...................................................................................................................102
Copying a process diagram to use as a template................................................................................... 103
Changing the status of a process diagram.............................................................................................. 104
Deleting a process diagram..................................................................................................................... 104
Modifying field properties of a process diagram.................................................................................... 105
Exporting a process diagram from an OpenPages GRC Platform environment.....................................105
Importing a process diagram to an OpenPages GRC Platform environment.........................................106
vii
Adding fields to a field group...................................................................................................................142
Data types................................................................................................................................................ 143
Adding a currency field to a field group.................................................................................................. 147
Editing currency field information..................................................................................................... 147
Viewing and editing a currency display type..................................................................................... 148
Editing currency field values in individual accounts......................................................................... 148
Modifying currency exchange rates................................................................................................... 148
Modifying field group properties............................................................................................................. 150
Modifying object field definitions............................................................................................................ 150
Making fields required or optional.......................................................................................................... 151
Encrypting field values............................................................................................................................ 151
Decrypting field values............................................................................................................................ 152
Setting a default value for an object field............................................................................................... 152
Creating computed fields........................................................................................................................ 153
Modeling a new computed field in Cognos .......................................................................................153
Defining a computed field.................................................................................................................. 155
Using computed fields with multiple namespaces........................................................................... 156
Nesting computed fields.................................................................................................................... 157
Troubleshooting: Computed fields validation................................................................................... 157
Troubleshooting: Computed field equation length limitation...........................................................157
Troubleshooting: Computed fields with cross products................................................................... 157
Troubleshooting: Optimizing report request performance............................................................... 158
Troubleshooting: Computed field query direction performance...................................................... 159
Adding enumerated string values........................................................................................................... 160
Defining a default value for an enumerated string value.................................................................. 160
Changing the order of enumerated string values.............................................................................. 160
Hiding enumerated string values.......................................................................................................161
Unhiding enumerated string values...................................................................................................161
Deleting enumerated string values....................................................................................................162
Reporting fragment fields........................................................................................................................162
Tasks for configuring reporting fragment fields................................................................................ 163
Planning considerations for reporting fragment fields..................................................................... 163
Fields requiring parameter information............................................................................................ 164
Defining a reporting fragment field....................................................................................................164
Using object fields to launch JavaServer Pages and external URLs.......................................................168
Attributes in the URL configuration string......................................................................................... 169
URL configuration string examples....................................................................................................171
Configuring application text...............................................................................................................172
Adding a URL launcher field .............................................................................................................. 173
Adding a URL launcher field to views................................................................................................ 173
Deleting field groups................................................................................................................................173
Deleting an object field definition........................................................................................................... 174
Long string fields......................................................................................................................................174
viii
Configure the Save As Draft feature for new objects........................................................................ 183
Adding the field to the object type and profile to configure the Save As Draft function ................. 184
Stand-alone object settings.................................................................................................................... 184
Enabling the creation of stand-alone objects................................................................................... 184
Enabling the ability to associate objects........................................................................................... 185
File type information................................................................................................................................186
Adding a file type................................................................................................................................186
Associating a file type with an object type........................................................................................ 186
Removing a file type from an object type.......................................................................................... 187
Tasks required to set up custom forms...................................................................................................187
Adding an object type for a custom form.......................................................................................... 188
Deleting a custom object type........................................................................................................... 189
Associating a custom form from a parent object.............................................................................. 189
Associating a custom form to a parent object...................................................................................189
Tasks to define filters for an object type................................................................................................. 190
Filter considerations.......................................................................................................................... 190
Adding filters to object types............................................................................................................. 191
Copying filters.....................................................................................................................................196
Modifying filters..................................................................................................................................197
Deleting filters.................................................................................................................................... 197
Dependent field behavior........................................................................................................................ 198
Adding dependent fields....................................................................................................................198
Copying controller conditions............................................................................................................ 200
Modifying controllers for a dependent field...................................................................................... 200
Enabling and disabling field dependency behavior...........................................................................201
Deleting dependent fields..................................................................................................................202
Configuration settings for the Add New wizard...................................................................................... 202
Controlling the availability of object types in the Add New wizard.................................................. 204
Controlling the display of tabs with no fields in the Add New wizard.............................................. 205
Controlling the ability to use a template object when using the Add New wizard...........................205
Controlling the default object type in the parent picker in the Add New wizard..............................206
Controlling the default folder for new child objects .........................................................................207
Configuring dependent picklists..............................................................................................................207
Adding dependent picklists............................................................................................................... 208
Modifying picklist dependency behavior........................................................................................... 209
Enabling and disabling picklist dependency..................................................................................... 209
Deleting a dependent picklist............................................................................................................ 210
Excluding fields from a subsystem..........................................................................................................210
Selecting the fields to exclude...........................................................................................................210
Changing the subsystem for an excluded field................................................................................. 211
Removing excluded fields.................................................................................................................. 211
ix
Excluding fields from an object type....................................................................................................... 220
Setting the display order of object types................................................................................................ 220
Setting a field in a profile to required or optional................................................................................... 221
Chapter 12. Managing the Home page, views for objects, and display types.........223
Home page...............................................................................................................................................223
The layout of tabs on a Home page................................................................................................... 224
Configuring tabs on the home page........................................................................................................ 225
Adding tabs for reports or dashboards..............................................................................................226
Setting the display order of tabs........................................................................................................226
Hiding and unhiding tabs................................................................................................................... 226
Deleting tabs...................................................................................................................................... 227
Configuring the My Work tab................................................................................................................... 227
Configuring predefined lists...............................................................................................................228
Filtered lists on the My Work tab....................................................................................................... 228
Configuring reports............................................................................................................................ 230
Removing items from the My Work tab............................................................................................. 233
Configuring users' Dashboard tabs......................................................................................................... 233
Creating content for users' Dashboard tabs......................................................................................234
Editing the content of users' Dashboard tabs................................................................................... 235
Exporting the configuration for a dashboard tab.............................................................................. 236
Configure views for objects..................................................................................................................... 236
Navigational Views............................................................................................................................. 237
Object views....................................................................................................................................... 239
Association views...............................................................................................................................240
Creation views.................................................................................................................................... 241
Enabling a view...................................................................................................................................241
Disabling a view..................................................................................................................................242
Setting a default view.........................................................................................................................242
Setting the display order of fields in a view.......................................................................................243
Copy views for an object from one profile to one or more other profiles......................................... 244
Including and excluding fields in navigation and association views................................................ 245
Including object types on an overview page..................................................................................... 247
Excluding object types from an overview page................................................................................. 247
Associating filters to Filtered List view and Grid view pages............................................................ 248
Disassociating filters from Filtered List view and Grid view Pages...................................................248
Creating a Grid view .......................................................................................................................... 248
Creating Activity Views.......................................................................................................................250
Creating a Creation view.................................................................................................................... 256
Configuring fields in Detail and Activity views...................................................................................257
Inserting section headings................................................................................................................ 258
Modifying section headings............................................................................................................... 259
Deleting section headings..................................................................................................................260
Setting object fields as read-only or editable................................................................................... 260
Spanning table columns.....................................................................................................................260
Configuring the display type for reporting fragment fields.....................................................................261
Configuring display types for simple string fields...................................................................................262
Configuring rich text display types for simple strings....................................................................... 262
Configuring the Business Entity Selector display type for simple string fields................................ 263
Configuring text and URL display types for simple strings............................................................... 264
Configuring URL link names by using the rich text display type for simple strings..........................265
Configuring text area display types for simple strings...................................................................... 266
Configure user and group selectors display types for simple strings...............................................266
Configuring display types for long string fields.......................................................................................271
Configuring the on demand display types for long string fields........................................................272
Configuring text display types for medium long string fields........................................................... 273
Configuring rich text display types for medium long string fields.................................................... 273
x
Configuring a display type for enumerated strings.................................................................................274
xi
User provisioning settings..................................................................................................................312
Configure actor table page size......................................................................................................... 314
Actor selectors: Configure the bucket size of the phonebook.......................................................... 314
Actor selectors: Configure display columns in a selector dialog box............................................... 314
Actor selectors: Configure users and group selectors for search.....................................................315
Menus: Update administration menus.............................................................................................. 315
Menus: Modify the order of menus.................................................................................................... 316
Menus: Modify submenus.................................................................................................................. 316
Object auto-naming settings............................................................................................................. 317
Configure the format of object names............................................................................................... 318
SOXDocument object auto-naming settings for duplicate file names............................................. 320
Environment migration settings.........................................................................................................320
Report fragment settings................................................................................................................... 321
Set the mail server address............................................................................................................... 322
Optimize file uploads......................................................................................................................... 323
Number of objects in listing pane...................................................................................................... 323
Set copy operations........................................................................................................................... 324
Date field display format....................................................................................................................326
Configuring large files for upload.......................................................................................................327
Disabling the Files of OPX.................................................................................................................. 327
Signature and lock settings................................................................................................................328
Object Reset settings......................................................................................................................... 332
Home page settings........................................................................................................................... 333
Filtered List View settings.................................................................................................................. 337
Custom settings....................................................................................................................................... 340
Creating a custom setting.................................................................................................................. 340
Deleting a custom setting.................................................................................................................. 340
Copying settings and folders .............................................................................................................341
Common folder settings.......................................................................................................................... 341
Use legacy associate.......................................................................................................................... 341
Exclude characters from user names................................................................................................ 341
Set the system security model.......................................................................................................... 342
Disable access control on Role groups..............................................................................................342
Configure self-contained object types.............................................................................................. 343
Enable the CodeCogs Equation Editor in Rich Text fields................................................................. 344
Platform folder settings...........................................................................................................................344
Compare Environments tool settings................................................................................................ 344
Set localization options......................................................................................................................345
Configure primary associations......................................................................................................... 346
Configure the legacy move behavior................................................................................................. 346
Configure the host setting..................................................................................................................347
Cross-context sharing........................................................................................................................ 347
Platform Reporting Framework folder settings.................................................................................348
Reporting Schema folder settings..................................................................................................... 349
Security settings.................................................................................................................................350
Workflow implementations settings..................................................................................................353
User Preferences folder settings.............................................................................................................355
Set alert notification behavior............................................................................................................355
xii
Customizing global search.......................................................................................................................363
Enabling or disabling object types or fields for global search.......................................................... 363
Example: customizing global search on initial enablement............................................................. 364
Example: adding or removing object types and fields with an already-enabled global search...... 365
Changing the database connection information for the search server............................................ 365
Displaying a custom field in global search results............................................................................ 366
Global search registry settings................................................................................................................367
Unhiding the hidden global search registry settings.........................................................................367
Setting the Query Path to the global search administration server..................................................368
Setting the URL to the global search administration server............................................................. 368
Setting the progress refresh interval................................................................................................. 368
Setting the number of records to cache............................................................................................ 369
Setting the polling interval................................................................................................................. 369
Setting the number of records to cache before sending to the server for indexing.........................369
Setting the Query Path to the Apache Solr server that handles Folder ACL indexing......................370
Setting the language analyzer that is used by search....................................................................... 370
Setting the Query Path to the Apache Solr server that handles Folder ACL indexing......................370
Setting the URL to the Apache Solr server that handles Folder ACL indexing................................. 371
Setting the number of records inserted per batch............................................................................ 371
Setting the Query Path to the Apache Solr server that handles Folder ACL search requests......... 371
Setting the URL to the Apache Solr server that handles OpenPages search requests..............372
Setting the number of attempts to fill the search results................................................................. 372
Setting the number of search results records that are cached per user session.............................372
Setting the internal page size for search results............................................................................... 372
Setting the URL to the Apache Solr server that handles search requests........................................373
Setting a time limit to search before timing out................................................................................ 373
Setting an additional field in the search result set....................................................................... 374
Setting whether to allow compression.............................................................................................. 374
Setting the network connection request timeout............................................................................. 374
Setting whether to allow URL redirects............................................................................................. 374
Setting the number of allowed connections from the platform........................................................375
Setting the number of allowed connections......................................................................................375
Setting the number of times a request is reattempted.....................................................................375
Setting the socket timeout for indexing............................................................................................ 375
Setting the socket timeout for searching.......................................................................................... 376
Setting the Apache Solr password.....................................................................................................376
Setting the Apache Solr user ID.........................................................................................................376
Setting the default number of search results to return per page..................................................... 376
The global search properties file.............................................................................................................377
Setting the error handling parameters for the indexer..................................................................... 377
Setting the maximum opsearchtool.jar heap size.............................................................................377
Setting the maximum Apache Solr heap size....................................................................................378
Setting the maximum opsearchtool.jar heap size during indexing...................................................378
Setting the maximum text extraction heap size during indexing......................................................379
Setting the text extractor timeout limit............................................................................................. 379
Setting the root path location for file attachment search................................................................. 379
Global search FAQs..................................................................................................................................380
Chapter 17. Using IBM OpenPages GRC Platform utilities with IBM DB2
databases......................................................................................................383
IBM DB2 and the OpenPages GRC Platform backup and restore utilities............................................. 383
Email notification for backup jobs...........................................................................................................383
Configuring backup job notification........................................................................................................ 384
Asynchronous background jobs and administrative functions.............................................................. 385
Enabling and disabling asynchronous background processes checking............................................... 386
The OPBackup utility............................................................................................................................... 387
Backing up custom OpenPages GRC Platform files................................................................................387
xiii
Running a live OpenPages GRC Platform backup................................................................................... 388
OpenPages GRC Platform backed-up content.................................................................................. 388
The OPBackup log file........................................................................................................................ 389
Configuring OPBackup to use GZIP................................................................................................... 389
Enabling and disabling storage backup.................................................................................................. 389
The OpenPages GRC Platform restore utility on the DB2 database...................................................... 390
Running the OPRestore command.................................................................................................... 390
OPRestore log files............................................................................................................................. 391
Using the Cognos Backup utility..............................................................................................................391
The OpenPages GRC Platform file storage directory........................................................................ 391
Running the OPCCBackup command................................................................................................ 392
The OPCCBackup log file....................................................................................................................392
Cognos backed-up content................................................................................................................392
Configuring OPCCBackup to use GZIP...............................................................................................393
Using the Cognos Restore utility............................................................................................................. 393
Running the OPCCRestore command................................................................................................ 393
The OPCCRestore log file................................................................................................................... 394
DB2 databases for OpenPages GRC Platform backup and restore........................................................394
Restoring backed up production data in a new DB2 environment.........................................................396
Refreshing a test environment from backup files...................................................................................397
Prerequisites to refreshing a DB2 test environment.........................................................................398
Backup of production databases in OpenPages GRC Platform on the DB2 server ......................... 398
Backing up and copying OpenPages GRC Platform application production files for a DB2
database........................................................................................................................................398
Backup of OpenPages GRC Platform databases on the test server................................................. 398
Backing up OpenPages GRC Platform application files on your test server.....................................398
Running the OPCCBackup command................................................................................................ 398
Drop the DB2 Database for the application on the test system....................................................... 399
Copy and restore the application production DB2 database backup file to the test DB2
database server.............................................................................................................................399
Update the OpenPages GRC Platform storage location in the DB2 database..................................400
Back up the Cognos Database on the DB2 production and test servers..........................................401
Back up Cognos configuration files on the DB2 production and test servers.................................. 401
Update DB2 database connection references for Cognos ............................................................... 402
Modify SSO and LDAP configuration in the test environment...........................................................402
Copy and restore the Cognos production database backup file to the test database server.......... 403
Drop the DB2 Database for Cognos on the Test Server.................................................................... 403
Copy custom deliverables to the test environment.......................................................................... 403
Copy custom triggers ........................................................................................................................ 403
Copy other custom deliverables to the test environment.................................................................404
Starting the OpenPages GRC Platform in the test environment....................................................... 404
Update URL host pointers for Cognos reports...................................................................................404
Utilities for filtering on long string field content in a DB2 database...................................................... 404
Install and configure DB2 text search............................................................................................... 405
Enable DB2 text search......................................................................................................................407
Create a long string index in a DB2 database....................................................................................408
Create a schedule job to synchronize a long string index in a DB2 database.................................. 410
Drop a long string index..................................................................................................................... 411
Entity Move/Rename utility..................................................................................................................... 412
Entity Move/Rename utility prerequisites......................................................................................... 413
Configuring the Entity Move/Rename utility for a DB2 database..................................................... 413
Prepare the input file for the Entity Move/Rename utility................................................................ 414
Running the Entity Move/Rename utility interactively for a DB2 database..................................... 415
Running the Entity Move/Rename utility as a scheduled task..........................................................416
Impact of the Entity Move/Rename utility on the OpenPages GRC Platform application............... 416
Improve performance of OpenPages GRC Platform application functions on a DB2 server...........416
xiv
Chapter 18. Using IBM OpenPages GRC Platform utilities with Oracle databases. 419
Oracle databases and the backup and restore utilities.......................................................................... 419
Prerequisite: Oracle Admin Client..................................................................................................... 419
Oracle Data Pump.............................................................................................................................. 419
Email notification for backup jobs...........................................................................................................420
Configuring backup job notification........................................................................................................ 420
Asynchronous background jobs and administrative functions.............................................................. 421
Enabling and disabling asynchronous background processes checking............................................... 422
Encrypting database passwords in the backup-restore utility environment files................................. 423
The OPBackup utility............................................................................................................................... 424
Modifying the backup-restore environment file................................................................................424
Backing up custom OpenPages GRC Platform files.......................................................................... 425
Running the OPBackup command..................................................................................................... 425
Backing up the OpenPages database (Oracle)..................................................................................426
Running a live OpenPages GRC Platform backup............................................................................. 427
OpenPages GRC Platform backed-up content.................................................................................. 427
Enabling and disabling storage backup............................................................................................. 428
The OpenPages GRC Platform restore utility on the Oracle database...................................................429
Running the OPRestore command.................................................................................................... 429
OPRestore log files............................................................................................................................. 430
Using the Cognos backup utility.............................................................................................................. 430
Oracle Data Pump configuration on a first time use......................................................................... 430
The OpenPages GRC Platform file storage directory........................................................................ 430
Configuring or updating the Oracle Data Pump directory................................................................. 431
Running the OPCCBackup command................................................................................................ 432
The OPCCBackup log file....................................................................................................................432
Cognos backed-up content................................................................................................................432
Configuring OPCCBackup to use GZIP...............................................................................................433
Using the Cognos restore utility.............................................................................................................. 433
Running the OPCCRestore command................................................................................................ 433
The OPCCRestore log file................................................................................................................... 434
Using Oracle online database backup (RMAN) for point-in-time recovery............................................434
Oracle online database backups....................................................................................................... 434
Running Oracle online database backups (RMAN)........................................................................... 435
Monitoring the size of the Oracle backup area..................................................................................439
Adjusting the size of the Oracle backup area.................................................................................... 440
Disabling online backup of the Oracle database instance................................................................ 441
Performing Oracle online database crash recoveries....................................................................... 441
Refreshing a test environment from backup files...................................................................................441
Backing up and copying the OpenPages GRC Platform application production files for an
Oracle database............................................................................................................................ 442
Backing up the OpenPages GRC Platform application test files on your Oracle test data...............442
Deleting data on the test database system.......................................................................................442
Copy the production database dump (.dmp) file to the test database server................................. 442
Import the production data into the test environment.....................................................................443
Update the OpenPages GRC Platform storage location in the Oracle database.............................. 444
Update the global search settings..................................................................................................... 446
Update Cognos data in the test environment....................................................................................447
Modify SSO and LDAP Configuration in the test environment.......................................................... 450
Copy custom triggers ........................................................................................................................ 450
Copy other custom deliverables to the test environment.................................................................451
Starting the OpenPages GRC Platform in the test environment....................................................... 451
Update URL host pointers for Cognos reports...................................................................................451
Utilities for filtering on long string field content in an Oracle database.................................................451
Create a long string index for an Oracle database............................................................................ 452
Enabling Oracle Text.......................................................................................................................... 453
xv
Create a schedule job to synchronize a long string index................................................................. 454
Drop a long string index..................................................................................................................... 455
Modifying the list of stop words.........................................................................................................456
String concatenation utility..................................................................................................................... 457
Running string concatenation............................................................................................................ 457
The string concatenation SQL file...................................................................................................... 458
Entity Move/Rename utility..................................................................................................................... 463
Entity Move/Rename utility prerequisites......................................................................................... 463
Configuring the Entity Move/Rename utility for an Oracle database................................................463
Prepare the input file for the Entity Move/Rename utility................................................................ 464
Running the entity move/rename utility interactively.......................................................................466
Running the Entity Move/Rename utility as a scheduled task..........................................................466
Impact of the Entity Move/Rename utility on the OpenPages GRC Platform application............... 467
xvi
Creating the keystore in the IBM WebSphere Integrated Solutions Console.................................. 496
Generating a Certificate Signing Request file the IBM WebSphere Integrated Solutions Console. 497
Submitting a CSR for Certificate Authority approval in a WebSphere Application Server
environment.................................................................................................................................. 497
Importing signed CA certificates in the IBM WebSphere Integrated Solutions Console................ 497
Importing the Certificate Authority certificate for Java Runtime Environment............................... 498
Installing certificate authority certificates........................................................................................ 499
Updating properties files so web browsers use HTTPS protocol and SSL ports..............................500
Configuring SSL by using IBM Console web application................................................................... 500
Enabling secure session cookies on IBM WebSphere Application Server....................................... 501
Updating the SSL socket factory providers....................................................................................... 502
SSL configuration for Microsoft Internet Information Services........................................................ 502
SSL configuration for Apache Web Server......................................................................................... 504
Configuring SSL in the OpenPages GRC Platform properties files....................................................506
SSL configuration on AIX and Linux load balancer server ............................................................... 507
SSL configuration for an Apache load balancer server in Windows environments.......................... 509
SSL configuration for IBM HTTP server ............................................................................................ 511
Importing root and signer certificates to the local trust store .........................................................513
Modifying the LDAP configuration file for LDAP over SSL................................................................. 514
Renewing SSL Certificates for OpenPages GRC Platform................................................................. 516
Setting up SSL for the global search service..................................................................................... 519
Enabling SSL database connection between the search server and the database server.............. 521
Disabling the SSL database connection between the search server and the database server....... 522
Oracle Transparent Data Encryption (TDE).............................................................................................522
Prerequisites and process overview..................................................................................................523
Encrypting OpenPages and Cognos table spaces............................................................................. 523
Shortening the URL for OpenPages GRC Platform..................................................................................527
Parameters for cluster members............................................................................................................ 529
Configuring HTTP compression in OpenPages GRC Platform ............................................................... 530
Enabling or disabling HTTP compression on OpenPages GRC Platform Application Servers......... 530
Enabling or disabling compression on the Cognos Server using Windows IIS................................ 531
Enabling compression on the Cognos Server using Apache Web Server......................................... 532
Disabling compression on the Cognos Server using Apache Web Server........................................ 533
Factors that affect performance of activity and grid views.................................................................... 534
Improve performance of OpenPages GRC Platform application functions on a DB2 server................ 534
Server tuning settings..............................................................................................................................535
Configuring the database................................................................................................................... 535
Configuring the reporting server........................................................................................................536
Using log files...........................................................................................................................................537
Configuring application thread-dump logs for cluster members..................................................... 537
Configuring service thread-dump logs for cluster members............................................................ 537
Configuring extended access logging on IBM WebSphere............................................................... 538
Collect log files and diagnostic data.................................................................................................. 539
OpenPages GRC Platform Standard Application Server log files......................................................541
Log file names on IBM WebSphere Application Server.....................................................................541
Deployment Manager (DMGR) Server log files.................................................................................. 541
Node agent log files............................................................................................................................542
Application cluster member log files.................................................................................................542
Changing the size and number of backups of the aurora log file......................................................543
Troubleshooting browser issues............................................................................................................. 543
Optimizing application performance in the Internet Explorer browser........................................... 543
Setting the Cognos Application Firewall for browser security..........................................................545
Browser display issues and Internet Explorer.................................................................................. 546
Internet Explorer security issues and running reports..................................................................... 546
Custom helpers and Internet Explorer 11 ........................................................................................546
Browser locale settings and messaging issues.................................................................................546
Browser best practices...................................................................................................................... 547
xvii
Chapter 20. Starting and stopping servers.......................................................... 549
Starting application servers.................................................................................................................... 549
Microsoft Windows services.............................................................................................................. 549
Microsoft Windows commands..........................................................................................................549
AIX and Linux scripts......................................................................................................................... 550
Determining application readiness....................................................................................................551
Automatically starting application servers in Windows......................................................................... 551
Starting all application services in Windows using a script....................................................................551
Starting application services individually using Windows services....................................................... 552
Starting all application servers in AIX and Linux using a script............................................................. 552
Starting application servers in AIX and Linux individually using scripts................................................552
Start or stop the global search services..................................................................................................553
Starting the global search services by using a script........................................................................ 553
Stopping the global search services by using a script...................................................................... 554
Starting the global search services on Windows...............................................................................554
Starting the global search services on Linux or AIX..........................................................................555
Stopping the global search services.................................................................................................. 555
Stopping application servers...................................................................................................................556
Stopping application servers in a Windows environment...................................................................... 556
Automatically stopping application servers in Windows.................................................................. 556
Stopping all application services in Windows using a script.............................................................557
Stopping application services individually using Windows services................................................ 557
Stopping all application servers in AIX and Linux using a script............................................................557
Stopping application servers in AIX and Linux individually using scripts.............................................. 558
Starting and stopping the Oracle database server in a Windows environment.....................................559
Starting and stopping the Oracle database server in an AIX and Linux environment........................... 559
Starting and stopping the Cognos services.............................................................................................560
Using the IBM Cognos configuration tool to start and stop the IBM Cognos service...................... 560
Using the Windows operating system to start and stop the IBM Cognos service............................561
Using the AIX or Linux operating system to start and stop IBM Cognos service............................. 561
Starting and stopping the OpenPages GRC Platform Framework Model Generator service on
Windows........................................................................................................................................ 561
Starting and stopping the OpenPages GRC Platform Framework Model Generator service on
AIX or Linux................................................................................................................................... 561
xviii
Environment migration best practices.................................................................................................... 581
The environment migration process....................................................................................................... 582
Exporting configuration items from the source environment................................................................ 583
Importing configuration items to the target environment......................................................................584
Configuring environment migration to allow special characters...................................................... 584
Validating the migration file............................................................................................................... 585
Performing the import for environment migration............................................................................ 586
Log summary migration report ............................................................................................................... 587
Log details migration report.................................................................................................................... 587
xix
Understanding import status messages............................................................................................633
Creating FastMap import templates........................................................................................................634
The data exported to a workbook by FastMap.................................................................................. 634
The FastMap import process............................................................................................................. 635
Working with data load worksheets........................................................................................................ 635
Defining paths for objects.................................................................................................................. 635
Using special column headings......................................................................................................... 636
Defining property fields for objects in FastMap templates............................................................... 637
Guidelines for entering object data into FastMap templates............................................................637
Adding custom columns and worksheets to FastMap templates.....................................................639
Sample Object worksheet for updating and creating objects...........................................................639
Sample self-contained object worksheet..........................................................................................640
Sample Business Entity worksheet for creating a new business entity structure........................... 641
Using the FastMap Definition worksheet................................................................................................ 641
Unhiding a FastMap Definition worksheet.........................................................................................642
FastMap parameters................................................................................................................................642
FastMap export templates.......................................................................................................................642
Modifying parameters in the default FastMap export template....................................................... 642
Specifying a FastMap export template.............................................................................................. 643
FastMap parameters for importing and exporting data..........................................................................644
Configuring a lookup key for FastMap .................................................................................................... 651
Modifying export settings to optimize FastMap performance................................................................653
Limiting the rows for import to optimize FastMap performance............................................................ 653
Setting a transaction timeout to optimize FastMap performance..........................................................654
Adding a processing delay to optimize FastMap performance.............................................................. 654
Securing FastMap import templates stored on the server..................................................................... 655
Cleaning up FastMap import templates stored on the server................................................................ 655
AFCON-generated FastMap template best practices............................................................................. 656
Using FastMap with questionnaire template and assessment objects..................................................656
xx
Defining a name for a reporting framework namespace...................................................................672
Defining the object model for a namespace .....................................................................................672
Setting a namespace as the default ................................................................................................. 673
Enabling a namespace....................................................................................................................... 673
Defining entity recursive object levels for a namespace.................................................................. 674
Defining whether facts and dimensions are enabled for a namespace ...........................................674
Configuring facts and dimensions........................................................................................................... 674
Enabling and disabling facts.............................................................................................................. 675
Enabling and disabling enumeration and dependent picklist dimensions.......................................675
Using date dimension types...............................................................................................................677
Configuring business entity recursive object levels............................................................................... 679
Defining business entity recursive object levels............................................................................... 679
Deleting business entity sets of recursive object levels................................................................... 680
Modifying recursive object levels...................................................................................................... 680
Configuring object type dimensions........................................................................................................681
Adding object type dimensions......................................................................................................... 681
Modifying object type dimensions.....................................................................................................682
Enabling, disabling, and deleting object type dimensions................................................................682
Generating the reporting framework ......................................................................................................683
Reporting framework permissions.................................................................................................... 684
Accessing the reporting framework...................................................................................................684
Choosing update options in the reporting framework...................................................................... 685
Updating the reporting framework.................................................................................................... 686
Viewing reporting framework details................................................................................................ 686
xxi
How to launch OpenPages Loss Event Entry ......................................................................................... 712
How confirmation emails are configured................................................................................................ 715
Using the Loss Event Entry Configuration tool........................................................................................716
xxii
Using ACLs with top-level folders........................................................................................................... 775
The object folder structure......................................................................................................................775
Using inheritance with Access Control Lists........................................................................................... 776
Breaking inheritance.......................................................................................................................... 776
Creating an ACL on a folder..................................................................................................................... 777
Editing an existing ACL............................................................................................................................ 778
Deleting an existing ACL.......................................................................................................................... 778
Using groups to establish user roles....................................................................................................... 778
The core IBM OpenPages Governance Platform 5.1x (and earlier) groups..................................... 779
Example: Using groups to establish user roles................................................................................. 779
Using groups to limit user activities........................................................................................................ 779
Using nested groups to limit user scope.................................................................................................781
Limiting user access by breaking folder inheritance.........................................................................781
Limiting user access by nesting user groups.....................................................................................781
Limiting user access by setting folder Access Control Lists............................................................. 783
Using group ACLs to traverse business entities......................................................................................783
Appendix G. Best practices for configuring the IBM OpenPages GRC Platform .....797
Use short field names and field group names........................................................................................ 797
Be aware that Java applets are not supported by the Chrome browser................................................797
Limit the number of objects in views...................................................................................................... 797
Limit the number of associations in the Overview..................................................................................798
Limit the number of portlets on the home page..................................................................................... 798
Limit activity views with field dependencies and dependent picklists.................................................. 798
Limit the number of security rules and complexity of security rules..................................................... 799
Limit the number of SOXBusEntity objects in the system...................................................................... 799
Be aware of shared field groups..............................................................................................................799
Eliminating unused object type relationships.........................................................................................799
Displaying reporting fragments only on demand....................................................................................800
Displaying Cognos reports on home page tabs...................................................................................... 800
Setting a minimal starting group for display types................................................................................. 801
xxiii
Task-oriented hyperlinking......................................................................................................................801
Notices..............................................................................................................805
Glossary............................................................................................................ 809
Index................................................................................................................ 811
xxiv
Introduction
IBM® OpenPages® GRC is an integrated governance, risk, and compliance platform that enables
companies to manage risk and regulatory challenges across the enterprise.
Audience
The IBM OpenPages GRC Administrator's Guide is intended for use with OpenPages GRC on Platform and
OpenPages GRC on Cloud. The content contains instructions for maintaining, configuring, and
administering the OpenPages GRC application. It is intended for use by administrators who have a
background in Systems Management. Topics include user and group administration, database backup and
restoration, customizing the application's look and feel, and using the data loader capabilities.
Please read the following important information regarding IBM OpenPages GRC documentation
IBM maintains one set of documentation serving both cloud and on premise IBM OpenPages GRC
deployments. The IBM OpenPages documentation describes certain features and functions which may
not be available in OpenPages GRC on Cloud. For example, OpenPages GRC on Cloud does not include
integration with IBM Business Process Manager and certain administrative functions.
If you have any questions about the functionality available in the product version that you are using,
please contact IBM OpenPages Support via the IBM Support Community.
Finding information
To find product documentation on the web, including all translated documentation, access IBM
Knowledge Center (http://www.ibm.com/support/knowledgecenter).
Accessibility features
Accessibility features help users who have a physical disability, such as restricted mobility or limited
vision, to use information technology products. OpenPages GRC documentation has accessibility features.
PDF documents are supplemental and include no added accessibility features.
Forward-looking statements
This documentation describes the current functionality of the product. References to items that are not
currently available may be included. No implication of any future availability should be inferred. Any such
references are not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. The development, release, and timing of features or functionality remain at the sole
discretion of IBM.
Installation locations
The installation directory is the location of product artifacts after a package, product, or component is
installed. The following table lists the conventions that are used to refer to the installation location of
installed components and products:
Important: Directory locations that contain spaces are not supported. IBM OpenPages GRC Platform or
any software that is used by it must not be installed into a directory with spaces. For example, do not
install database server, database client, or application server software into the Program Files
directory.
Directory Description
<installation_server_home> The directory where the IBM OpenPages GRC Platform installation server
is installed.
For example:
• On Windows: c:\IBM\OPInstall\OP_<version>_Installer
• On AIX® and Linux: /home/opuser/IBM/OPInstall/
OP_<version>_Installer
<agent_home> The directory where the IBM OpenPages GRC Platform installation agent
is installed on a remote server.
For example:
• On Windows: c:\IBM\OPAgent
• On AIX and Linux: /home/opuser/IBM/OPAgent
Directory Description
Introduction xxvii
Each component provides a highly configurable capability that supports your specific methodology,
without having to write custom code, whether in loss events, KRI, or any other solution component. The
result is that companies can embed risk management into the business and improve outcomes over time.
Flexible automation
• Streamlined compliance procedures and automated sub-certifications without sacrificing risk.
Introduction xxix
xxx IBM OpenPages GRC Version 7.4.0 : Administrator's Guide
Chapter 1. What's new?
New and changed features affect the administration of IBM OpenPages GRC Platform.
For information about all new features for this release, see the IBM OpenPages GRC Platform New
Features Guide.
For an up-to-date list of environments that are supported by OpenPages GRC Platform, see the IBM
Software Product Compatibility Reports (http://www.ibm.com/support/docview.wss?uid=swg27039467).
Platform enhancements
New and changed features in version 7.4.0 related to IBM OpenPages platform are described in the
following tables.
Additionally, the Reporting menu now contains Reporting > Cognos Analytics. The following menu items
were removed:
• Cognos Analysis Studio
• Cognos Connection
• Cognos Query Studio
• Cognos Report Studio
• Cognos Workspace
• Cognos Workspace Advanced
What's new? 3
Table 5: User provisioning enhancements (continued)
For information about... See topic...
The new registry settings for configuring the “User provisioning settings” on page 312
behavior of user provisioning functionality.
The new default password expiry behavior that “Default User Password Expiration” on page 313
uses the Applications > Common >
Administration > User Provisioning > Default
User Password Expiration setting rather than the
OpenPages > Platform > Security > > Password >
Policy > Default Expiry Days setting.
When you configure user and group selector Table 89 on page 267
display types for simple strings, you can now leave
the Starting Group value blank. A blank value used
in combination with an Include Disabled value of
true can result in improved search performance.
Cognitive services
Administrators can configure the cognitive services to support decision making when users associate
objects.
• Added Type and Field Association fields to Administration > Cognitive Services > Natural Language
Classifiers. For more information, see Chapter 31, “Configuring cognitive services,” on page 723.
Configuring user-friendly URL link names by using the rich text display type for simple strings
You can use the rich text display type to display a user-friendly link name as a field's default value. For
example, you can configure a field's default value to display as My Company rather than http://
www.mycompany.com. This existing feature is described in the new topic, “Configuring URL link names
by using the rich text display type for simple strings” on page 265.
Compare environments
You can find differences between two environment configuration XML files by using Compare
Environments. Use Compare Environments to identify and resolve issues before you migrate
configurations from one environment to another. For more information, see Chapter 21, “Comparing IBM
OpenPages GRC Platform environments,” on page 563.
Cognitive services
• Added the data type, Classifier. A classifier field must have this data type.
For more information, see “Data types” on page 143.
• Added the menu item, Administration > Cognitive Services > Natural Language Classifiers. Use this
task to create a classifier configuration. For more information, see Chapter 31, “Configuring cognitive
services,” on page 723.
What's new? 5
For more information, see Chapter 32, “Configuring IBM OpenPages Regulatory Compliance
Management,” on page 731.
Specify which file types are enabled for file attachment search
From the SOXDocument object type administration page, you can specify which MIME (Multipurpose
Internet Mail Extensions) types are enabled or disabled for file attachment global search.
In a new installation of OpenPages 7.3, some MIME types are enabled for searching and others not. When
you upgrade to OpenPages Version 7.3.0 from an earlier version, the same set of MIME types are enabled.
However, the Search Files switch is off so that existing customers can continue to use global search with
the existing functionality.
For more information, see “Enabling attachment file types for global search” on page 362.
What's new? 7
• Analytics bar:
– The default filter
– The filters that are displayed on the analytics bar
– The order of the filters
– The expanded or collapsed state of the analytics bar
• Grid views
– Column widths
– Sequence of fields
– Compact mode or full mode, and the fields shown or hidden for each mode
Approval app
The approval app is an optional feature that leverages the power of IBM OpenPages GRC Platform and
provides an easy-to-use interface for quickly taking action on a review, approval, or attestation request
with confidence and full knowledge of the context surrounding the request. The approval app works with
objects that are set up for the configurable lifecycle.
For more information, see Chapter 28, “Configuring the approval app,” on page 701.
What's new? 9
The My Work tab contains numerous panes with predefined lists, filtered lists, and reports that have been
set up for you by an administrator. This enhancement allows you to personalize the My Work tab to be
more specific to your role and to rearrange the panes so you can easily and quickly access what you work
on everyday.
Administrators use the new My Work Home Page Can Be Personalized setting to globally control
whether users are allowed to use this feature. For more information, see “Home page settings” on page
333.
Global search
You can now configure and use global search, an optional component that enables users to search easily
for objects across the entire application.
Administrators can set up global search for first time, customize which object types and fields can be
searched, and tune global search by using registry settings and other properties.
For more information, see Chapter 16, “Configuring the global search feature,” on page 357.
Equation editor
You can now add mathematical equations that support IBM OpenPages Model Risk Governance and other
solutions.
Administrators use the new CodeCogs Equation Editor with the Enable CodeCogs(r) Equation Editors
setting to globally control whether users are allowed to use this feature.
For more information, see “Common folder settings” on page 341.
What's new? 11
Control over the object parent information when exporting data
You can configure the FastMap export template to optionally include the object parent information when
you export data in IBM OpenPages GRC Platform.
The resulting FastMap format worksheet can be used to load the objects and their associations to another
system that does not contain these object and association instances, but has the same configured object
types and associations, fields, and profiles. The data on the loaded target system will be the same as on
the source system from which the content was exported.
For more information about the new FastMap parameters, see “FastMap parameters for importing and
exporting data” on page 644.
The OpenPages folder is opened automatically in the Administration Settings folder hierarchy
To speed navigation in the user interface, the OpenPages folder is automatically opened in the
Administration > Settings folder hierarchy.
The folder is hidden in the user interface; however, it is still part of the settings path. To author an XML
settings path, you still include the OpenPages folder after the Settings folder in the path. For example:
Administration > Settings > OpenPages > Applications.
Task-oriented hyperlinks
You can now add hyperlinks that point directly to views and filters in IBM OpenPages GRC Platform where
users need to perform tasks. The hyperlinks can be added from internal or external locations, and can
also include filters.
For example, in a notification email to a risk owner, you can include a hyperlink to the Rate This Risk
Activity View if the risk is ready to be rated, but a hyperlink to the Assess the Controls for Risks Activity
View if the risk controls need to be assessed. Additionally, an email to a person responsible for collecting
KRI values could contain a hyperlink to the Enter KRI Values Grid View with the My KRIs with Values to
be Entered public filter applied.
This new capability allows you to create hyperlinks that are task focused and applicable to the object
lifecycle stage.
You can create hyperlinks that include the following target views:
• The Detail View for a specific object instance, in read-only mode.
• A specific activity view for an object instance.
• The Filtered List View for a specific object type with a public filter applied.
• A specific grid view for an object type with a public filter applied.
You can add hyperlinks from the following locations:
• OpenPages reports.
• Notification emails.
• OpenPages JSP helper applications.
• Within the IBM OpenPages GRC Platform application, using computed fields or URL link fields.
For more information, see “Task-oriented hyperlinking” on page 801.
Visualizations
As a Risk analyst or Compliance manager, you can graphically render your business process and
communicate it to other users of risk analysis.
You can create interactive visualizations to communicate information about the process flows and the
Business Entity hierarchical structure.
The following are the new visualization object types:
• Process Diagram
• Data Input
• Data Output
For more information, see Chapter 6, “Business process visualizations,” on page 95.
Security rules
Use security rules to define a more granular control over the access to individual objects in a folder. For
example, two GRC domains share a common organizational hierarchy. They share some common object
instances, such as processes, but they do not want to share other object instances, such as risks and
controls. If you do not create security rules on objects, folder-based security applies.
For more information, see Chapter 4, “Security,” on page 43.
Grid view
The grid view allows you to select how information about an object is displayed by selecting an option
from the View selector. Options include the ability to display objects that match the selected filter or the
folder view of an object. Select a grid view to display information about more than one object. From the
grid view, you can add a new item and update one or more items.
What's new? 13
You can use the Bulk Update feature to update multiple objects in the grid view during one editing
session. For example, you can update all objects assigned to User A and assign them to User B.
Filtered List views and Folder views have been consolidated with the new grid views.
For more information, see “Grid views” on page 238.
Info Card
The Info Card is displayed when you hover over an object. The card allows you to quickly understand and
review an object definition.
The Info Card is available from the grid view.
Changes to menus
The contents of the Administration, Reporting, and MyOpenPages menus have been reorganized.
The Workflow Console is available on the Administration menu. The Workflow Console was formerly
called the IBPM Console.
Changes to the configuration of the menu bar do not take effect immediately. The next time that you log
in, you will see the changes that you have made to the menus.
Object views
You can now change the order of Detail and Activity object views.
Filters
Quick Filter and Advanced Filter have been consolidated. When you press Enter, the Quick Filter is
applied.
Paginate Actor Tables and Use Actor Search Only settings are no longer required
There are no longer two possible interfaces used for selecting user lists and group lists in the
administration user interface. Where the type-ahead search and filterable listing of users or groups were
available, you have the option of selecting users or groups.
The Paginate Actor Tables and Use Actor Search Only settings under /OpenPages/Applications/
Common/Administration/Users and Groups are now ignored and are treated as though their values are
always true.
To control the number of rows listed per page, use the Page Size setting under /OpenPages/Applications/
Common/Administration/Users and Groups.
What's new? 15
16 IBM OpenPages GRC Version 7.4.0 : Administrator's Guide
Chapter 2. System Administration Mode (SAM)
Use System Administration Mode (SAM) to restrict user access to when you apply configuration changes
or other updates to the system.
When System Administration Mode (SAM) is enabled, the following conditions are enforced:
• Only administrative users with System Administration Mode application permission can log on to the
system. All other users are restricted from logging on.
• All Write operations are restricted, with these exceptions:
– Reporting period operations if the Reporting Schema is not enabled
– Metadata (schema) changes
– Enumerated string conversions from single to multivalued selection
– Setting changes that are made through the user interface
Before you enable SAM, you may want to notify application users to log off the system. If a user is already
logged on to the system when SAM is enabled, the user will only be able to view objects and will not be
able to create new instances of objects or save any modifications made to existing objects.
Depending on your configuration, SAM mode may not start until all asynchronous background jobs run to
completion (see “Asynchronous background jobs and administrative functions” on page 385).
You must be in System Administration Mode (SAM) if you:
• Want to perform any of the actions on the Reporting Schema list view page (such as create, re-create,
enable, or drop a reporting schema). For Reporting Schema details see, Chapter 5, “Managing the
reporting schema ,” on page 89.
• Have an existing Reporting Schema and want to add, remove, or refresh a reporting period.
• Have configuration changes to make to the system, such as changes to the object model hierarchy or
modifications to object types, field groups, and object fields.
• Are converting an enumerated string value from a single selection to a multi-value selection (see “Data
types” on page 143 for multi-value conversion details).
• Set up field level security.
In all other instances you can make configuration changes without enabling SAM. However, there may be
situations where you want to enable SAM to restrict general user access. For example, if you need to
modify one or more object text labels, you may not want users to create new instances of the object type
while you are making these changes.
The link switches between Enable and Disable depending on which mode it is in.
If the system is processing operations that require System Administration Mode, you will have to wait
until processing is complete before you can disable System Admin Mode.
Procedure
1. Log on to the IBM OpenPages GRC Platform user interface as a user with the System Administration
Mode permissions.
2. Do one of the following:
• Click the Enable or Disable link.
• From the menu bar, select Administration and click System Admin Mode and click Enable or
Disable.
• Security Domains - this group is a container for the security domain groups that are automatically
created by the system when a business entity or sub-entity is added. You can use security domains to
distribute your users and organizational groups so they can be administered by administrators with
appropriate permissions. For an overview of security domains, see “Security domains” on page 48.
When you expand a security domain group, only child security domains are displayed. Any
organizational groups and users associated with that security domain can be viewed only from the detail
page of that security domain group.
To view organizational groups and users associated with a security domain, navigate to the detail page
of that security domain group.
• Workflow, Reporting and Others - this group is a container for organizational groups that are used
system-wide. Administrators often create organizational groups to organize users and other groups. You
can define all your users and groups under the Workflow, Reporting and Others group, and later
associate them to different security domains. For upgrade customers, this top-level group also includes
the groups that existed in prior releases of OpenPages GRC Platform.
To navigate to a group detail page, you must be a super administrator or a delegated administrator of
that group with at least Browse administrative permission. For information on delegating administrator
permissions, see “Delegate administrator permissions” on page 21.
Note: The term group includes both organizational and security domain groups, unless otherwise
specified.
Example
You want to designate Mary Smith as an administrator who can reset passwords for any users. You would
assign the Reset Password permission to Mary Smith.
Note:
• When administrator permissions are assigned to a user, the name of that user is no longer displayed in
the user selector list. To modify permissions for an administrator, see “Modifying administrator
permissions” on page 25.
• Security domain groups are not displayed in the User/Group selector list.
Note: Administrators with Settings application permission can configure the behavior of some user-
provisioning functions. For more information, see “User provisioning settings” on page 312.
Edit user information Manage on any security domain or any user group
that includes the user account.
Lock user accounts Lock on any security domain or any user group that
includes the user account.
Note that an administrator cannot lock their own
account.
Unlock user accounts Unlock on any security domain or any user group
that includes the user account.
Edit user passwords Reset Password on any security domain or any
This includes the Password and Confirm user group that includes the user account.
Password fields.
Configure password options and edit configured Manage on any security domain or any user group
password options that includes the user account.
This includes the following options: User must Note that an administrator can force a password
change password at next log on, User cannot change for their account and reset their password.
change password, Password never expires,
Password expires in <n> days, and Force
Password Change.
Edit a user's locale and profile information Manage on any security domain or any user group
that includes the user account.
Modify a user's group memberships Manage on the top-level user group.
Add role assignments to a user Manage and Assign Role on the root security
domain.
Remove role assignments from a user Assign Role on the root security domain.
View a user's reports access OPAdministrators group membership. Information
is read-only.
Copy direct reports access from one user to a new Manage on the top-level user group, Manage and
or existing user Assign Role on the root security domain, and
OPAdministrators group membership. Information
is read-only.
Example
Figure 1 on page 24 shows a diagram with a sample security administration structure.
Procedure
1. Click Administration > Users, Groups and Domains.
2. On the Users, Groups and Domains page, click the name of the group for which you want to assign
administrative permissions to selected users.
3. On the detail page of the selected group, go to the Administrators & Permissions tab.
4. Click Assign.
5. Select (user icon ) or search for a user (magnifying glass icon ).
6. From the Permissions column, select the administrative permissions that you want to assign to this
user (see “Types of administrator permissions” on page 21 for a list of permissions). To select all
permissions, select the Permissions box in the column heading.
7. When finished, click one of the following icons:
• Assign to return to the selected group's detail page.
• Assign & Next to assign administrative permissions to another user.
Procedure
1. Click Administration > Users, Groups and Domains.
2. On the Users, Groups and Domains page, click the name of the group for which you want to modify
administrative permissions.
3. On the detail page of the selected group, go to the Administrators & Permissions tab.
4. From the list of administrative users, click the pencil icon next to the user whose permissions you
want to edit.
5. In the Specify Permissions box, select or clear administrative permissions for this user (see “Types of
administrator permissions” on page 21 for a list of permissions).
6. Click Save.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Click the appropriate group, and on the Users, Groups and Domains page, select the check box next
to the name of each user in the Adminisrators list for whom you want to revoke administrative
permissions.
3. Click Revoke. The name of the user is removed from the list of group administrators.
Procedure
1. Log on to the IBM WebSphere administrative console.
2. Expand Security and click SSL certificate and key management.
3. Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore keystore.
4. Under Additional Properties, click Signer certificates and Retrieve from port.
5. Enter the host and port information.
• Host: This is the name of your LDAP server.
• Port: This is the port where your LDAP server is running, for example, 636.
• Alias: Enter a descriptive name for the certificate, for example, ldap1.
6. Click Retrieve signer information.
7. Verify that the certificate information is for a certificate that you trust.
8. Click Apply and then click Save.
9. Restart the OpenPages GRC Platform services.
Procedure
1. Click Administration > User LDAP Configuration.
2. Click Add New.
3. Type a name for the LDAP configuration and click OK.
Note: You can configure multiple LDAP servers so that the Create User wizard shows the search
results from all LDAP servers at once. The maximum number of search results, is the sum total of the
maximum results of each LDAP server configured.
4. In the Provider URL field, type the LDAP service provider that you want to use.
The value should contain a URL string, such as ldap://<hostname>:389.
Note: If you are using LDAP over SSL/TLS, there are some additional preconfiguration steps that you
must perform. An example for the Provider URL when using LDAP over SSL/TLS is the following string:
ldaps://<hostname>:636.
5. In the First name attribute field, Middle name attribute field, and Last name attribute field, type the
attribute names that you want to map to the IBM OpenPages user's first name, middle name, and last
name respectively.
Note: The middle name is not displayed in IBM OpenPages by default. To display the middle name in
the search results of the Create User wizard so that you can differentiate users who have the same
first and last name, you can add the following code to the Singular Label box of the
com.display.name.format entry under the Formats folder on the Application Text page: %MN. For
Provisioning users
Your ability to create a new user, modify user accounts, and copy access from one user to another is
based on your administrative permissions and the way user provisioning is configured in your system. The
user-provisioning options that you see in the product are determined by your permissions and
configuration.
You can delegate administrative capabilities to specific administrators to give them the ability to perform
certain user-provisioning functions. For example, you could delegate permission to two administrators to
manage user passwords, and delegate permission to three other administrators to create users and
update group memberships.
For information about which administrator permissions are required for each of the user-provisioning
functions, see Table 8 on page 22.
Procedure
1. Click Administration > Users.
2. Click Create User.
Note: If LDAP is configured with your IBM OpenPages GRC Platform application, a Search field is
displayed. This allows you to search for an LDAP user whose information you want to copy to create
the new IBM OpenPages user. You can type a user name, first name, last name, or email address into
the Search field. Select the LDAP user from the list to access the Create User page. For information
about configuring access to an LDAP server, see “Configuring LDAP access for user provisioning” on
page 26.
3. Complete the information on the User Information and Password and Security pages of the Create
User wizard.
When you create user names and passwords, the following rules apply:
5. On the Locale and Profile page, you can specify the user's locale, choose one or more profiles to
associate with the user, and select a Current Profile.
6. On the Group Memberships page, perform the following actions to assign group memberships:
• To select group memberships, click Associate Groups and select the check boxes next to the
groups to which you want the user to be a member.
• To delete group memberships, click the X next to the membership that you want to remove.
7. On the Role Assignments page, you can view the user's role assignments.
You can assign roles after the user is created.
8. On the Reports Access page, you can view the user's reports access.
9. Click Finish.
Procedure
1. Click Administration > Users.
2. In the View, Edit, or Disable User field, search for the user account that you want to modify.
When you click in the View, Edit, or Disable User, a list of users that you recently worked with is
displayed. You can select one of these users or search for a different user.
3. In the User Information section of the View, Edit, or Disable User page, you can perform one or more
of the following actions:
• Edit user details, such as email, first name, and last name. You cannot change a user name.
• Disable and enable a user account. When an account is disabled, the user of that account is
prevented from logging in, and the user is displayed as inactive and grayed out in user selector lists.
If necessary, you can re-enable a disabled user account. User accounts cannot be deleted through
the user interface in IBM OpenPages. Depending on how your system is configured, in addition to
disabling the user, you can choose to remove their locale, profile, group membership, role
assignment, or reports access.
Tip: If you want to prevent a user from logging in, but you still want the user to appear in user
selectors, disable the user and then update the user selectors to set Include Disabled to True. For
more information, see “Configure user and group selectors display types for simple strings” on page
266.
• Lock and unlock a user account. Depending on your configuration, users might be locked
automatically if they exceed a set number of unsuccessful login attempts. When an account is
locked, the user of that account is prevented from logging in. The user is displayed as active but
locked in user selector lists, and they can be selected. If you do not want the user to appear as active
and selectable in user selector lists, disable the user account instead.
• Reset the user's password or force the user to change the password the next time they log on.
Passwords can contain up to 32 characters and cannot contain spaces.
Important: If you use IBM OpenPages Loss Event Entry, do not change the dedicated users'
passwords by using OpenPages. Always use the Loss Event Entry Configuration tool to change the
passwords. If you change the passwords in OpenPages, users cannot use Loss Event Entry because
the passwords are out of sync.
4. In the Locale and Profile section, you can change the user's locale, change the Allowed Profiles, and
select a different Current Profile.
5. In the Group Memberships section, you can add and remove group membership assignments by
clicking Associate Groups.
6. In the Role Assignments section, you can add role assignments by clicking Assign Roles.
Procedure
1. Click Administration > Users.
2. In the View, Edit, or Disable User field, search for the user account that you want to modify.
Note: You can also copy access from an existing user when you are creating a new user. For more
information, see “Creating user accounts” on page 27.
3. From the left pane, click Copy Access From.
4. Search for the user that you want to use as source.
5. Click Copy.
Note: This does not include copying personal filters.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Expand the list and click the name of the group to which the new group belongs. If no higher-level
group for the new group exists, select the Workflow, Reporting and Others group.
3. On the detail page of the selected group, go to the Groups tab and click Add New.
4. Complete the required information for the new group and click Create. The parent group's detail page
is displayed with the new group listed in the Groups section.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Expand the list and click the name of the group to which you want to associate another group, or to
which the soon-to-be-disassociated group belongs.
3. Go to the Groups tab and select the check box next to each group to be associated or disassociated.
4. Click Associate or Disassociate.
Administration permissions
When you create an administrative-level group, you must grant them Administration permissions. If a user
or user group possesses any of these permissions, they see the Administration menu on the menu bar.
Application Text Allows users and members of user groups to view and edit locale-specific
application label values through the Application Text menu item on the
Administration menu.
CompareEnvironments Allows users and members of user groups to use the Compare Environments
tool through the Administration > Compare Environments menu item.
IBM BPM Allows users and members of user groups who work with IBM Business
Process Manager to access the following menu items on the Administration
menu: IBM BPM Process Center, IBM BPM Process Inspector, and IBM BPM
Process Admin.
ImportConfiguration Allows Super Administrators to access the environment migration tool to
import configuration items that are exported from another system. See
Chapter 22, “Migrating OpenPages GRC Platform environments,” on page 575.
Object Profiles Allows users and members of user groups to view and manage the
configuration of the profile, which includes the object types, through the
Profiles menu item on the Administration menu.
Object Reset Allows users and members of user groups to reset objects for a new reporting
period. For information on governing reset behavior, see Chapter 14,
“Reporting periods, object resets, and rulesets,” on page 289.
Object Text Allows users and members of user groups to view and edit locale-specific
object label values through the Object Text menu item on the Administration
menu.
Object Types Allows users and members of user groups to view and manage the
configuration of object types with their related field groups and associated
objects through the Object Types menu item on the Administration menu.
RCA Integration Allows users and members of user groups who work with IBM Regulatory
Compliance Analytics to access the following menu items on the
Administration menu: RCA Integration > Configure Import from RCA and
RCA Integration > Import from RCA.
Reporting Framework Allows users and members of user groups to generate and manage the
reporting framework through the Reporting Framework menu item on the
Administration menu.
Reporting Framework Allows users and members of user groups to administer and configure the
Configuration reporting framework through the Reporting Framework menu item on the
Administration menu.
Reporting Periods Allows users and members of user groups to finalize and reapply Reporting
Periods through the Reporting Periods menu item on the Administration
menu.
Finalize allows users and members of user groups to finalize the active
Reporting Period.
Reapply allows users and members of user groups to reapply the active
Reporting Period.
Reporting Schema Allows users and members of user groups to manage the Reporting Schema
through the Reporting Schema menu item on the Administration menu.
Search Allows users and members of user groups to manage and maintain global
search operations through the Global Search menu item on the
Administration menu.
Security Rules Allows users and members of user groups to manage and maintain security
rules through the Security Rules menu item on the Administration menu.
Settings Allows users and members of user groups to view and manage settings
through the Settings menu item on the Administration menu.
Issues permission
This application permission allows users and members of user groups to view the list of Issues through
the Issues menu item on the Remediation menu.
Note: This application permission is in effect only for upgrade customers who have not yet migrated their
access control to the role-based security model. For new first-time installations, this permission is not
honored.
All permission
Grants users and members of user groups all permissions and access to every functional and
administrative area within OpenPages GRC Platform (web and server).
Administration permissions
The Administration permissions grant users and members of user groups the ability to archive and restore
document versions and to enable and disable System Administration Mode.
Files permissions
This application permission grants all administrative permissions under the Files grouping that are related
to managing files and folders.
Cancel Checkout Allows group members to cancel the file check-out process for associated files
that were checked out by others. When a file check-out is canceled, the file is
checked back into the system without applying any changes and no new version
of the file is created.
Restriction: This permission applies only to file attachments (of the
SOXDocument object type).
Reassign Primary Allows members of the user group to reassign primary parent associations and
Association view the Make this object Primary icon on the Parent tab of an object, where
object is the object type.
Remove All Tree Locks Allows members of the user group to unlock resources and/or resource
subtrees.
Publishing permissions
The Add Pages permission grants administrative permissions to make Cognos and jsp reports available
from the OpenPages GRC Platform application user interface.
Enabled Sets whether the password policies are active or not. The default value for this
setting is false.
Maximum Length Sets the maximum length of the password. The default value for this setting is 32.
Minimum Length Sets the minimum length of the password. The default value for this setting is 6.
Notify Before Days Sets the number of days before a user's password expires that the user is shown a
warning message at logon about their password expiring.
Procedure
1. Log on to a machine with SQL*Plus and access to the database server.
2. Execute the following SQL statement:
Results
If the SQL statement returns the name:
• 3DES, then run the UPEA tool to change the encryption algorithm to AES.
• AES, then you already have the AES encryption algorithm. If you want, you can use the UPEA tool to
change the AES encryption key.
Procedure
Verify that the BouncyCastleProvider security provider has been added to the java.security file
as follows:
a) Open a command or shell window on the application server.
b) Navigate to:
<Java_Home>|jre|lib|security
Where:
<Java_Home> is the installation location of the Java Runtime Environment.
• Windows: C:\IBM\WebSphere\AppServer\java\jre\lib\security
• Linux and AIX: IBM/WebSphere/AppServer/java/jre/lib/security
c) Make a backup copy of the java.security file before you modify it.
d) Open the java.security file in a text editor of your choice.
e) Locate the following property in the file:
security.provider.<#>=
Where: The number sign, <#> is one increment above the last number in the list (for example, 9).
f) If the BouncyCastleProvider security provider is not present, modify the value after the equal sign
so it matches this:
security.provider.<#>=org.bouncycastle145.jce.provider.BouncyCastleProvider
Preparing passwords in the aurora.properties file and the op-backup-restore.env file for
reencryption
You can reencrypt the passwords that are in the aurora.properies and op-backup-restore.env
files. By default, the files are in the <OP_Home> directory.
For Microsoft Windows operating systems, the default installation directory of OpenPages GRC Platform is
C:\OpenPages.
For AIX and Linux operating systems, the default installation directory of OpenPages GRC Platform
is /opt/OpenPages.
Procedure
1. Open a command or shell window on the application server.
2. Go to the <OP_Home>|aurora|conf directory.
3. Edit the aurora.properties file in the conf directory.
a) Make a backup copy of the file.
b) Open the file in a text editor of your choice.
c) Search the file for properties that include the string password=.
d) Change all password values after the equal sign to plain text.
e) Save and close the file.
Note: The passwords are encrypted when you restart the servers.
4. Edit the op-backup-restore.env file in the <OP_Home>|aurora|bin directory.
a) Make a backup copy of the file.
Procedure
1. From a machine with SQL*Plus and access to the database server, log on as the openpages database
user.
2. Run the following SQL statements to update the Users table so passwords can be changed:
sqlplus openpages/openpages@<host_name>
update users set flag_can_change_password=1 where actorid !=8
Where:
• <host_name> is the name of the database server.
• actorid=8 is OPSystem.
UPEA syntax
The syntax of the UPEA tool is detailed in the following section:
UpdatePasswordEncryptionAlgorithm
-Mode [CA|CK]
-AlgorithmName [AES]
-Host <hostname>
-ProviderName CAMCryptoBC
-ProviderClass org.bouncycastle145.jce.provider.BouncyCastleProvider
-Username <OpenPagesAdministrator>
-Password <OpenPagesAdministrator password>
[-Port <portnumber>]
[-KeySize <128>]
[-?]
-ProviderName Required. Use when you change algorithms to the AES encryption algorithm only.
Has only one valid value: CAMCryptoBC.
-ProviderClass Required. Use only in conjugation with -ProviderName to specify the class for the
new encryption algorithm. Has only one valid value:
org.bouncycastle145.jce.provider.BouncyCastleProvider
-Username Required. Use to specify the user name to use when you modify the user
passwords. Must be the same as the user specified in the OpenPages|Platform|
Security|Password|Encryption|
Encryption Administrator setting.
-Password Required. Use to specify the password to the Encryption Administrator account.
-Port Optional. Use to specify the bootstrap port number.
Default value: 10101
-KeySize Optional. Use to specify the length of the AES encryption key. The only valid value
is 128.
If an invalid value is given, or no value is provided, the default value of 128 is used.
Procedure
1. Edit the <OP_root>/OpenPages/aurora/conf/aurora.properties file and the <OP_root>/
OpenPages/aurora/bin/op-backup-restore.env file and change any encrypted passwords to
plain text.
• If you are using 3DES, look for lines that contain {3DES}.
For example, suppose the aurora.properties file contains the following line:
database.PASSWORD={3DES}Rj+steg+3eU7kb8O+\=\=. The database password is encrypted
with the 3DES algorithm. Replace the encrypted password with the password in plain text, for
example, database.PASSWORD=db_password.
• If you are using OP-CUSTOM, the lines do not have an algorithm indicator. Look for encrypted
passwords and change each of them to the password in plain text.
The passwords are encrypted with the AES algorithm when you restart the OpenPages GRC Platform
services in step 3.
2. Open a command or shell window on the OpenPages GRC Platform server.
Go to the <OP_HOME>/bin directory.
• For Microsoft Windows operating systems, the default installation directory of OpenPages GRC
Platform is C:\OpenPages.
• For AIX and Linux operating systems, the default installation directory of OpenPages GRC Platform
is /opt/OpenPages.
• <port> is the bootstrap port number. If you do not specify a value, 10101 is used.
• <host> is the host name of the application server. If you do not specify a value, localhost is used.
3. Restart all OpenPages GRC Platform services.
4. If you are using OpenPages to authenticate users, notify all users that their passwords have been reset
to 0p3nP4g3s and that they must change their passwords the next time they log into the system.
Note: If you are using Single Sign-On (SSO), LDAP, or another external system to authenticate users,
passwords are not reset.
Procedure
1. Log on to the IBM OpenPages GRC Platform server as a user with administrative privileges.
2. Open a command or shell window and change directory to the <OP_Home>/bin directory.
• For Microsoft Windows operating systems, the default installation directory of OpenPages GRC
Platform is C:\OpenPages.
• For AIX and Linux operating systems, the default installation directory of OpenPages GRC Platform
is /opt/OpenPages.
3. From the command or shell window, run the following command on a single line:
Windows
Role-based security and security rules differ from profiles and field dependencies because security is
applied everywhere rather than in the OpenPages GRC Platform application only.
Based on the type of security context points defined in your security model, such as Business Entity,
Process, Control Objective or Risk Assessment, you can use a role template to define a set of permissions
for a set of object types.
For each role template that you define, you can set the following:
• Access control (Read, Write, Delete, Associate) for each object type included in that role. For details, see
“Role-based access control permissions” on page 49.
• Application permissions for the role. For information about the various application permissions, see
“Defining application permissions” on page 31.
Important: These application permissions do not include administrative group and user security
management permissions, such as resetting passwords, assigning roles, adding users, and so forth. To
learn more about assigning group and user security management permissions to administrators, see
“Delegate administrator permissions” on page 21.
By assigning a role (an instance of a role template) to a user or group at specific security context point in
the object hierarchy, you can control access to objects. Roles represent the usual or expected function
that a user or group plays within an organization. Some examples of roles are: Finance Reviewer, Tester,
External Auditor, System Administrator, Control Owner, Risk Assessor.
When you assign a role to a group or user, the security settings of that Role Template are acquired by that
group or user and permissions are automatically granted, per the role template definition, to all objects
below the specified security point.
For example, if a role were assigned to a user for a business unit (security context point), access control
for specific object types under that security point would be set in the object hierarchy. Object types that
were excluded from the role would be hidden from view, object types that were included would be visible
and could be accessed by users and groups assigned to that role.
Example
You have a regional office called North America and a sub-regional office called United States. When you
create the business entity, the folder structure /BusinessEntity/North America/United States
would automatically be created.
You also created a Role Template called Entity Owners that has access defined for the following object
types:
• Business Entity
• Process
• Sub-process
• Control Objective
• Risk
• Control
When you assign the Entity Owners Role Template to the United States business entity, the following
structure is automatically generated under the root folder of each object type:
Note: that the folder structure /BusinessEntity/North America/United States does not have to
be generated since it already exists (was automatically created when the business entity was initially
created).
Figure 4 on page 46 shows how access permissions (R=Read, W=Write, D=Delete, A=Associate) can be
granted to specific objects in the hierarchy under the United States business entity security context point.
Security 45
Figure 4: Business entity security context points
For details on assigning security management permissions to security domain group administrators, see
“Delegate administrator permissions” on page 21.
Example
You extended the security context points to include Business Entity-Process. In this scenario,
administrators could assign, for example, a "Process Role Template" to one or more users or groups on
one or more Processes.
Permissions (Read, Write, Delete, Associate) in the "Process Role Template" could then be assigned to
that Process security context point. The permissions in that template are applied to every object created
beneath that point in the object hierarchy and to any object that is created in the future below that point.
Security 47
Figure 6: Triangle relationship between different object types
In the reporting framework, fields from parent objects within a triangle relationship (for example, Process
and Sub-Process) are stored in the same Query Subject along with the ID of the shared child object (such
as, Risk ID). When both Process and Sub-Process fields are part of the same Query Subject, a user would
require Read permission on both Process and Sub-Process object types to view these fields in a report.
When a triangle relationship exists among objects, avoid the use of the Sub-Process (or similar) object
type as a security point in your system unless you are willing to always grant Read access to the parent
object type (such as Process).
Note: For information about configuring triangle object relationships in the reporting framework, see
“Triangle object relationships” on page 663.
Sample scenario
A user has Read access for Sub-Process object types, so they can view details for Sub-Process objects in
the application user interface.
If the same user does not have Read or Write access to the parent Process and Business Entity, that user
will still have an implicit Navigate permission to the Process and Business Entity object types. The implicit
Navigate permission allows users to navigate through the object hierarchy from, for example, an Overview
page to object types that are lower in the hierarchy (such as Sub-Process) for which they have explicit
permission (in this case, Read access).
If a triangle relationship exists among these object types, the same user would not have permission to
view the Sub-Process detail in a report unless the user was also granted explicit Read access on the
Process object type (as SUBPROCESSES and PROCESSES reside in the same Query Subject).
Security domains
In IBM OpenPages GRC Platform, special user groups, called "security domain groups", are automatically
created when a Business Entity or Sub-entity object is created.
Security domain groups act as containers for users and organizational groups associated with that
business entity.
Each security domain group is identified by a people hierarchy icon under a top-level (root) Security
Domains folder on the Users, Groups and Domains page, and the name of the group corresponds to the
name of the business entity to which it belongs.
Users in a security domain group are generally assigned roles to work on the objects under that entity. You
can also delegate specific security management activities to administrators in a security domain group for
managing users and groups within that business entity.
Note: When you expand a security domain group, only child security domains are displayed. Any
organizational groups and users associated with that security domain can be viewed only from the detail
page of that security domain group.
Security 49
Access control permissions for role-based security
For each object type that you want to include in a Role Template, you can set access control (ACL)
permissions on the object's folder structure.
• Read - when you select an object type for inclusion in a role, the value of the Read permission is
automatically set to Granted on the object's folder structure. This means that any groups or users
assigned to this role can navigate to, and view the details of objects (parent and child) contained in the
folder and the folder itself, but cannot modify any object data unless other permissions are explicitly
set.
• Write - the groups or users assigned to this role can read and modify the details of objects within the
selected folder, but cannot delete objects. Write access to a folder is required for creating new objects
within the folder.
• Delete - the group or user assigned to this role can read, modify, and delete objects within the folder
structure.
• Associate - the group or user assigned to this role can create associations between objects.
For each ACL permission, you can set an explicit value. These values or settings are propagated
downward and inherited by any child object storage folders under that parent object's folder structure.
For each ACL permission, you can set one of the following values:
Note: For usage examples, see “Scenarios: Using access control settings” on page 50.
• Unspecified - by default, no access is explicitly granted to the user or group for the corresponding
object through this role. The "Unspecified" setting does not override any access that is granted on this
object through other roles or access inherited through a role on higher level security context points. This
value should be used instead of "Denied" since it is less restrictive.
• Granted - this explicit setting gives a user or group full access to the specified action (Write/Delete/
Associate). The user can modify, or delete the file or folder, depending on the permission.
• Denied - this explicit setting does not allow a user or group to perform the specified action (Write/
Delete/Associate). The "Denied" setting overrides any access that is granted on this object through
other roles or access inherited through a role on higher level security context points.
Role templates
Role Templates are global to the application and are available for role assignment by any administrator of
a security domain who has the Assign Roles administrator permission.
Because the Assign Roles permission is a global permission, it is not constrained by the hierarchy of the
role. Users who are granted this permission can manage any role in the system.
When you perform an action on a Role Template (such as creating, editing, assigning, enabling or
disabling), the Role Template is automatically locked by the system to prevent other users from
simultaneously accessing the template. After you save your changes (or cancel the operation), the Role
Template is unlocked.
Role Templates are the preferred method for granting users or groups application permissions.
Note:
• Both application permissions and ACLs are included in the role definition process. When a role is
assigned to a user or a group on any business entity or security context point, that user or group
automatically acquires the application permissions defined in that Role Template.
• When a user or group is assigned multiple roles, the user or group accumulates the application
permissions that are defined in the various roles. Application permissions are granted by the role (not
the security context point) and apply in all situations where the user has the correct ACL access. For
example, users with Read permission to Business Entities and the Audit Trail application permission
will be able to view the Change History (audit trail) for those Business Entities.
Procedure
1. Log on to the IBM OpenPages GRC Platform application user interface as a user with the Role
Templates application permission set.
2. Click Administration > Role Templates. From the Role Templates page, you can add, view, and
modify role templates.
Security 51
Adding a role template
Procedure
1. Ensure that System Administration Mode is disabled.
2. Click Administration > Role Templates.
3. On the Role Templates tab, click Add to open the Add Role Template wizard.
4. On the Specify Role Details page:
a) In the Name box, type a name for the role. For example, Tester01.
b) In the Description box, optionally type a brief description of this role.
c) Click the Role Type arrow, and select the type of security context point you want from the list.
Note: If only one security context point type (such as Business Entity) is defined for your system,
this is the only value in the list. Security context point types are derived from the security model in
effect for your installation.
d) Click Next.
5. On the Specify Access Controls page:
a) Select the check box next to each object type for which you want to configure folder permissions.
For example, if you wanted to configure permissions for Risk and Test objects, you would select
SOXRisk and SOXTest.
Note: To select all object types, select the check box in the Name column.
b) In the row for each selected object type, select a setting value for each permission (Write, Delete,
and Associate). By default, Read is always set to Granted, and all other permissions are set to
Unspecified.
For setting details, see “Role-based access control permissions” on page 49.
c) Click Next.
6. On the Specify Permissions page:
a) Select the application permissions that you want to assign to this Role Template. For a description
of the various application permissions, see “Types of application permissions” on page 32.
b) Click Finish. The new role is listed on the Role Templates page.
7. To assign the role to a user or group, see “Assigning a role to a user or group” on page 54.
When you modify a Role Template after you assign it to users and/or groups, any changes you make to
access control (ACLs) and application permissions are automatically propagated to those users and
groups.
You can use this propagation feature to grant additional access control or revoke access control on certain
object types to existing users and/or groups, by modifying the role template.
Typically, a Super Administrator or a top-level security domain administrator (with Assign Roles
administration permission and Role Templates application permission) are able to modify, disable or
Procedure
1. Click Administration > Role Templates.
2. From the list on the Role Templates tab, click the name of the role you want to modify.
3. On the detail page of the selected role, click Edit.
4. Make the required changes.
5. Click Save.
Procedure
1. Click Administration > Role Templates.
2. From the list on the Role Templates tab, click the name of the role you want to enable or disable. The
detail page of the selected role is displayed.
3. On the Role Information tab, click Disable or Enable.
Results
When you disable a role, the following occurs:
• Depending on the Disable Role Group application setting, any users and groups, who were previously
assigned that role, either retain or lose their access control and application permissions. By default, the
setting allows users and groups to retain access after a role is disabled.
• The disabled role template is removed from the role assignment selection list and cannot be used for
further role assignments.
• The status of the role on the Role Templates list page changes from Active to Inactive.
When you enable a role, the following occurs:
• Any users or groups who are assigned that role are able to perform activities on objects that are
associated with that role.
• The enabled role template is included in the role assignment selection list and can be used for further
role assignments.
• The status of the role on the Role Templates list page changes from Inactive to Active.
To automatically revoke all role assignments, you can delete a role template.
An administrator (or Super Administrator) with Role Templates application permission and the Assign
Roles administrator permission can assign and/or revoke roles on any entity in the system. Only a Super
Administrator or a top-level entity administrator is able to delete role templates, since this action
automatically revokes all role assignments that were made using the selected Role Template on any
business unit in the application.
When you delete a role, the following occurs:
Security 53
• Any users or groups who were assigned that role are no longer able to perform the activities on objects
that are associated with that role.
• The role is permanently removed from the list of roles on the Role Templates tab and cannot be
restored.
If you want to remove a role without deleting it, you can disassociate the role instead by revoking the role
from the user or group.
Procedure
1. Click Administration > Role Templates.
2. You can delete a role from either the Role Templates list page or from the detail page of the role.
• From the Role Templates page:
a. From the list on the Role Templates tab, select the check box next to each role you want to
delete.
b. Click Delete.
• From the detail page of the selected role:
a. Click the name of the role you want to delete from the list on the Role Templates tab to open its
detail page.
b. On the Role Information tab, click Delete.
Example
You have a business entity with the following hierarchical structure:
Company ABC > North America > Boston
The business entity has the following processes:
Company ABC > North America > Boston > P1
Company ABC > North America > Boston > P2
If the administrator of the Boston office assigns a "Process Owner" role to user "Mary" granting Read
access only to Processes associated with the Boston entity, then user "Mary" can navigate to processes
associated with the Boston entity only, even though "Mary" cannot view the details of the entities
Company ABC, North America and Boston.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Under the Security Domains group, click the name of the security domain group to which you want to
add a role assignment for a user.
3. On the detail page of the selected security domain group:
a) Go to the Role Assignments tab.
b) Click Assign to display the Assign Roles wizard.
4. On the Select User(s)/Group(s) page:
a) Click Add.
b) In the selection box, select the check box next to each group or user you want.
Tip: To expand the group/user hierarchy, click the plus (+) sign.
c) Click Next.
5. On the Select Role Type and Role(s) page:
a) Click the Role Type arrow and select a security point from the list, and then click Go. If only one
security point (such as Business Entity) is defined for your system, this is the only value in the list.
b) In the Roles box, select one or more roles from the list.
c) When finished, click Next.
6. On the Select Security Domain(s) page:
a) Optionally, in the Name box, type a security context point name or portion of a name and then click
Filter. If the list of security context points is large, the filter reduces the scope of the list by
returning only those items that match the text you typed.
b) In the Security Domains box, select one or more security context points from the list.
c) Click Finish.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Under the Security Domains root group, click the name of the business entity security domain group
from which you want to revoke a role.
3. On the detail page of the selected security domain group:
a) Go to the Role Assignments tab.
b) Select the check box next to the name of each group or user you want to revoke.
c) Click Revoke. The name of the selected group or user is removed from the list.
Security 55
Viewing roles assigned to users or groups
You can use several methods to view which roles are assigned to users and groups.
• Running reports
• Navigating to a user or group detail page and see the list of all roles that are granted to that user or
group.
• Navigating to the detail page of a business entity security domain group as described in the following
steps.
Note: Role Templates that were assigned directly to a parent or child business entity security domain
group can be only viewed from the detail page of that parent or child. Role assignments that are made
on a security domain are only displayed for that domain.
In the case of an extended security context model, for example, SOXBusEntity/SOXProcess or
SOXBusEntity/SOXProcess/SOXSubprocess security models, role assignments on processes and
subprocesses that are associated with the current security domain are also displayed.
• Selecting Users from the Administration menu and searching for a user in the View, Edit, or Disable
User field. On the View, Edit, or Disable User page, click Role Assignments from the left panel. For
more information, see “Modifying user accounts” on page 28.
Procedure
1. Click Administration > Users, Groups and Domains.
2. Under the Security Domains root group, click the name of the business entity security domain group
whose role assignments you want to view.
3. On the detail page of the selected security domain group, go to the Role Assignments tab.
4. To view role assignments that are made directly to another business entity security domain group,
repeat Steps 2 and 3.
Security rules
You can create two levels of security by using security rules:
• “Record level security” on page 57 allows administrators to control access to individual objects in a
folder.
• “Field level security” on page 69 allows administrators to control access to individual fields within an
object.
Security rules do not replace role-based security. Instead, they provide an extra level of security that can
work with role-based security.
Consider this example of record level security. A folder contains 10 tasks. The role-based security grants
the Read and Write access controls to all users in a certain role. You define a record level security rule to
limit the access for one user who is in that role so that this one user has Read access for Task 1 and Task 8
only.
You can extend the example to field level security. Task 1 contains 10 fields. You can define a field level
security rule to limit the access for one user in a certain role. This user has Read access for Field 3 and
Field 7 only.
You define security rules for individual object types. After you have defined them, they are applied to all
system components, including Reporting, FastMap, Triggers, Reporting Periods, and all available views.
A security rule comprises two parts:
• A formula that determines the conditions for granting the access controls.
– The formula can be based on these field values: Actor fields, Enumerated fields, Text fields, Date
fields, Numeric fields, and Currency fields.
– The formula can be based on a user who is a member of particular user group or profile.
If no record level security is defined for an object, only role-based security is applied to the object.
When you define a record level security rule, the way that access is restricted depends upon whether the
outcome of the formula is true or false when it is applied to an object:
• True: Access to the object is granted, and you can restrict or extend the existing role-based security for
that object.
• False: Access to the object is not granted, and role-based security is applied.
When users open the Detail View for an object, they can see associated child objects only under the
following circumstances:
• The associated child objects are included in a role template.
• The associated child objects are not included in a role template, but a record level security rule that
extends role-based security is applied to the parent object.
Security 57
RESTRICT and EXTEND rules
When you define a record level security formula, you define RESTRICT rules and EXTEND rules.
A RESTRICT rule is applied after role-based security (RBS). A RESTRICT rule further restricts access to an
object. The following formula illustrates how a RESTRICT rule is evaluated:
Notice the AND operator. Role-based security must grant access, and the result of the RESTRICT rule
must be true. The result is that users get access to the object if role-based security grants them access
and the RESTRICT rule result is also true.
For example, suppose role-based security grants all users in the Finance group READ and UPDATE access
on Control objects. But, you want users to be able to do an UPDATE only if they are also the owner of the
control object. In this case, you can add a RESTRICT rule on UPDATE that checks the END_USER against
the owner field of the object.
Figure 8: A RESTRICT rule grants UPDATE access if users are in the Finance group and are owners of the
control
For a more detailed example, see the record level security scenarios, such as “Scenario: Objects that are
shared across GRC domains” on page 64.
Notice the OR operator. Either role-based security must give access or the EXTEND rule result must be
true. The result is that users get access to the object if role-based security gives them access or if the
EXTEND rule result is true. Which means users gain access to the object in all of the following scenarios:
• Role-based security is granted and the EXTEND rule result is true, OR
• Role-based security is granted and the EXTEND rule result is false, OR
• Role-based security is not granted and the EXTEND rule result is true.
For example, suppose role-based security grants all users in the Finance group READ and UPDATE access
on Control objects. However, you also want users to be able to READ and UPDATE if they are the owner of
the control object, regardless of whether they belong to the Finance group. In this case, you can add an
EXTEND rule on READ and UPDATE that checks the END_USER against the owner field of the object.
Figure 9: An EXTEND rule grants access to users who are owners of a control, regardless of their group
membership
For a more detailed example, see the record level security scenarios, such as “Scenario: Access for
business administrators” on page 69.
Whether you are using a RESTRICT rule or an EXTEND rule, the rule is evaluated within the context of
role-based security.
Security 59
Multiple security rules
You can use multiple RESTRICT and EXTEND rules. Before you combine rules, ensure that you understand
how security rules work in combination with each other. Incorrect assumptions about the behavior of
security rules can lead to insecure models.
Since each rule grants READ access, the two rules are combined whenever the READ access for a user
needs to be determined. Each rule is evaluated on its own within the context of role-based security and
access is granted if either of the rules evaluates to true. The means that the formula for this example is
evaluated in the following manner:
The result is that a user gets READ access in the following scenarios:
• Role-based security is granted and the RESTRICT rule 1 result is true, OR
• Role-based security is granted and the RESTRICT rule 2 result is true.
Attention: Do not use the same access privilege in both rules. This can lead to results that might
not be-in-line with the behavior that you expect.
Here is an example of combined RESTRICT and EXTEND rules to help illustrate the point:
The result is that a user gets READ access in all of the following scenarios:
The result would be that a user gets access in the following scenarios:
• Role-based security is granted and the RESTRICT rule result is true, OR
• The EXTEND rule result is true.
But this is not the case. Each rule is evaluated within the context of role-based security, and then an OR
condition is applied:
Let's expand on this example to more clearly see the potential misunderstanding. Suppose that you have
a user with the following set of circumstances:
• Role-based security access is granted to the user
• The RESTRICT rule for this user evaluates to FALSE
• The EXTEND rule for this user evaluates to FALSE
Using the formula from the assumed behavior the result of this scenario would be False:
Procedure
1. Click Administration > Security Rules.
2. Click the name of the object type for which you want to define a security rule.
3. Click Add next to Record Level Security Rules.
4. Add a name and description for the security rule.
Security 61
5. Add the formula for the security rule.
You can type the formula or use the Path, Field, and Terms to define parts of the formula. You can also
use a combination of both. For more information, see “Grammar for security rules” on page 74.
a) To reference another object, either a parent or child, complete the following actions.
For more information, see “Paths for parent and child objects” on page 71.
1) Click Path.
2) In the Parent or Child field, specify whether the path follows parent objects or child objects.
3) Select the object type that is the starting point for the path.
4) Select the object type that is the ending point for the path.
5) Click Search to view the possible paths.
6) Select one or more paths. If you select more than one path, use the Combine Paths field to
specify how to use the multiple paths. Select Any Path if you want to use any of the paths or
select All Paths if you want all paths to be used for the rule to be applied.
7) Click Insert.
b) To define a field condition, complete the following actions.
For more information, see “Terms for data types” on page 72.
1) Click Field.
2) Select an object type.
3) Select the field that you want to use.
4) Select an operator. The list of operators changes depending on the field data type.
5) Enter the value of the field condition.
6) Click Insert to add the field condition into the rule formula.
If you type the field condition, ensure that you use system names. If you do not specify an object
type, the rule uses the object type for the object to which the rule applies. If you specify an object
type, the object type must be either the subject of the rule or be specified in a path expression that
contains the field reference.
Optionally, you can use square brackets to ensure that when elements of field references contain
spaces or other special characters, these field references are parsed.
c) To add operators or keywords, use the Terms menu.
6. In the Security property, specify how the security rule is combined with role-based security.
• Select Restrict to apply both the role-based security and the security rule.
This option configures more restricted security. For example, if role-based security is set to Read
and the security rule is set to Update, the Restrict setting provides read only access.
• Select Extend to bypass role-based security when the outcome of the formula is true.
For example, if the role-based security is set to Read and the security rule is set to Update, the
Extend setting allows a user to update information.
7. Specify the access controls.
For more information, see “Minimum access controls for object operations” on page 63.
Note: Security rules for Create access are defined separately from rules for Read, Update, Delete, and
Associate access.
Create
Users can create objects.
When a rule allows users to create objects, the formula cannot include fields within the object. It
can include fields from the parent hierarchy, and other conditions that do not include fields. If you
select Create, you cannot select any other access control for the rule.
Create operation
The following table shows the minimum access controls that a user requires to create an object. Access
controls are required for both the parent object and the child object.
Some access controls must defined using role-based security rather than record level security (as
indicated in the table). In these instances, the access control for the parent object can be defined using
either type of security, but for the child object, it must be defined using role-based security.
Read operation
The following table shows the minimum access controls that a user requires to read an object.
These access controls can be defined in the role-based security or the record level security.
Update operation
The following table shows the minimum access controls that a user requires to update an object.
These access controls can be defined in the role-based security or the record level security.
Security 63
Table 19: Access controls required to update an object
Read Write Delete Associate
Object Yes Yes
Associate operation
The following table shows the minimum access controls that a user requires to associate an object.
Access controls are required for both the parent object and the child object.
Some access controls must defined using role-based security rather than record level security (as
indicated in the table). In these instances, the access control for the parent object can be defined using
either type of security, but for the child object, it must be defined using role-based security.
Delete operation
The following table shows the minimum access controls that a user requires to delete an object. Access
controls are required for both the parent object and the child object.
These access controls can be defined in the role-based security or the record level security.
The following table shows the minimum access controls that a user requires to delete an object type that
is self-contained or recursive, such as a Business Entity or Sub-Process. Access controls are required for
both the parent object and the child object.
Some access controls must defined using role-based security rather than record level security (as
indicated in the table). In these instances, the access control for the parent object can be defined using
either type of security, but for the child object, it must be defined using role-based security.
To satisfy the security requirements for these two user groups, role-based security is not changed. You
add a security rule that further restricts the security that you already defined for the folder.
You define a security rule on the Control object type with the following information:
The formula is:
[SOXControl].[OPSS-Ctl].[Domain] IN ('Financial Management') AND END_USER IN
GROUP('SOXUsers'))
OR
[SOXControl].[OPSS-Ctl].[Domain] IN ('Operational Risk') AND END_USER IN
GROUP('ORMUsers'))
When the Security property is set to Restrict, both role-based security and the security rule are applied,
and the Access controls are set to Read and Update.
Procedure
1. Click Administration > Security Rules.
2. Click the name of the Control object type.
3. Click Add adjacent to Record Level Security Rules.
4. Add a name and description for the security rule.
5. Add the formula:
• Click Field and select the SOXControl object in the Object Type field.
• In the Field box, select Domain and select the Financial Management domain for the compliance
team.
• Click Insert.
• Click Field and select AND, then END_USER, and IN GROUP from the Terms.
• Type ('SOXUsers').
• Repeat for the Operational Risk domain.
6. In the Security property, select Restrict to have role-based security and the security rule both apply.
Restrict prevents Compliance users from being able to view or work with the Operational Control.
Security 65
7. Select the Read and Update access control check boxes.
8. Click Save.
Role-based security is already defined to grant Read and Write access controls to all users in these roles.
All users in these profiles have access to all objects in the folder. Access controls must be set on the
status of the Process object so that users work with only the object when they are responsible for it.
You define the following security rule for the Process object type that restricts when users can update the
Process object. When users who belong to a role login, they can update the Process object at the correct
point in the lifecycle of the Process object.
The formula is:
[SOXProcess].[OPSS-Process].[Status] IN ('Under Development') AND END_USER
IN([SOXProcess].[OPSS-Process].[Owner])
OR
[SOXProcess].[OPSS-Process].[Status] IN ('Ready for Review') AND END_USER
IN([SOXProcess].[OPSS-Process].[Reviewer])
OR
[SOXProcess].[OPSS-Process].[Status] IN ('Ready for Approval') AND END_USER
IN([SOXProcess].[OPSS-Process].[Approver])
The Security property is set to:
Restrict
Both role-based security and the security rule are applied. For example, when the status of the object
is set to New, only a user in the Administrator profile can work with the object.
The Access control is set to:
Update
Procedure
1. Click Administration > Security Rules.
2. Click the Process object type.
3. Complete the following actions to define the security rule that grants the Update access control:
• Click Add adjacent to Record Level Security Rules.
• Add a name and description for the security rule.
• Use Path, Field, and Terms to define the formula.
• Select the Update check box.
• In the Security property, select Restrict to have role-based security and the security rule both apply.
4. Click Save.
Procedure
1. Click Administration > Security Rules.
2. Click the name of the SOX Issue object type.
3. Click Add adjacent to Record Level Security Rules.
4. Add a name and description for the security rule.
5. Use Path, Field, and Terms to define the formula.
6. Select the Read check box.
7. In the Security property, select Extend to have the security rule extend the security that is set on the
folder.
8. Click Save.
9. Click the name of the SOXTask object type.
Security 67
10. Click Add.
11. Add a name and description for the security rule.
12. Use Path, Field, and Terms to define the formula.
13. Select the Read and Update check boxes.
14. In the Security property, select Extend to have the security rule extend the security that is set on the
folder.
15. Click Save.
Jim Lead (In-charge) Jim can edit the Audit A instance of the Audit
object and its descendants, Audit Sections,
and Audit Workpapers.
Jim's access controls are Create, Read,
Update, and Associate.
Ellen Field Ellen can read and update specific areas of the
Audit Sections and Audit Workpapers in the
Audit A instance.
Ellen's access controls are Read and Update
for these areas.
However, in Audit B, Susan is the lead auditor while Jim is a field auditor.
Susan Lead (In-charge) Susan can edit the Audit B instance of the Audit
object and its descendants, Audit Sections, and
Audit Workpapers.
Jim's access controls are Create, Read, Update,
and Associate.
Jim Field Jim can read and update specific areas of the
Audit Sections and Audit Workpapers in the
Audit B instance.
Jim's access controls are Read and Update for
these areas.
Ellen Not involved in this audit Ellen has no access controls set for her.
Exception management
One example is exception or waiver management.
In general, exceptions from a requirement, control, or process are granted on a project basis. The project
is a child of a business entity and is implemented as a risk entity. The project can have secondary
associations to a process, a subprocess, or a requirement. Exceptions are child objects of the project and
define the requirement, control, or process from which the exception is seeking relief. The project is
granted the exception. If no specific project is involved in the exception, the business entity is granted the
exception
All users can create exceptions but they can view only the exceptions that they created. The exception
process custodians in IT have the job of reviewing and approving exceptions. You must extend role-based
security to grant the exception process custodians in IT the ability to read and update all exceptions.
Privacy incidents
Another example involves the employees who are responsible for privacy incidents.
Specific individuals across the enterprise have responsibility for entering and maintaining information
about Privacy incidents. In addition to other access that they have, they are designated as Privacy users
and they might be in a Privacy Group or a Privacy Profile. The Privacy users can see all privacy incidents
regardless of where the Privacy users are in the business hierarchy. They have access to additional fields
on privacy incidents.
Similar functionality can be provided on other object types, such as audit findings, incidents, and waivers.
Scenario: All users can view objects and some users can update objects
Objects can be stored in a common area and shared across GRC domains. In this scenario, only a few
users are allowed to update the objects. All other users have read access only.
This scenario is a variant of “Scenario: Objects that are shared across GRC domains” on page 64.
Role-based security is defined for all users to be able to read the objects in the folder. You want a small
group to be able to create and another group to be able to update and associate.
Security 69
Figure 10: Field level security applies to object fields
When you define a field level security rule, you must consider all the scenarios that are required to access
the field. If any scenarios are not defined, a user's access to the field is denied. This is known as
redaction.
For example, one rule might specify that if a user is not an Owner, they have Read access only to a field. If
a user is an Owner, they have Read and Update access. When the outcome of the formula is true, then
Read access or Read and Update access is granted to a user. When the outcome of the formula is false,
the field is redacted.
The way that access is restricted depends upon whether the outcome of a formula is true or false when it
is applied to a field.
• True: The field is available to users as Read Only or Read and Update.
• False: The field is redacted. Users can see the field label, but not its value. Instead, the value is
redacted, and the user sees some text, such as "Confidential" in place of the field value.
Restrictions:
• System fields are not supported.
The system fields are "Name", "Description", "Location", "Creation Date", "Created By", "Last
Modification Date", "Last Modified By", and "Comment".
• Computed fields are not supported.
• If more than one rule applies to a field, each is rule is combined by using an OR condition.
• If more than one rule is defined for the same field, and one grants Read access to the field and another
grants Read and Update access, then a user is granted Read and Update access if the outcome of the
formula for each rule is true.
Redacted fields
When you define a field level security rule, if the outcome of the formula is false, the field is redacted.
Users can see the field label, but not its value. Instead, the value is redacted, and the user sees some
text, such as "Confidential" in place of the field value.
You can change label of the text that is used to obscure the field value. For more information, see
“Localizing application text” on page 281.
Procedure
1. Click Administration > Security Rules.
2. Click the name of the object type for which you want to define a security rule.
Security 71
teacher. Other teachers have the role of any parent. If you want to use the path from a teacher to the
students in the teacher's classroom, you use Primary Parent or Primary Child as the path qualifier.
Parent objects
You can use the following parent objects in the path.
Primary Immediate Parent
Paths follow only to the lowest level primary parent. Use Primary Immediate Parent for recursive
object types only.
Primary Parent
Paths follow only to the primary parent. There can be only one primary parent.
If a primary parent is specified, the path follows only primary parent relationships.
Any Immediate Parent
Paths follow only to the lowest level parent. Use Any Immediate Parent for recursive object types
only.
Any Parent
Paths follow to any level of parent, such as grandparent or parent, within recursive object types. For
example, a control has a parent that is a subprocess and the subprocess has a parent. When you use
Any Parent in the path for the control, the parent can be the subprocess or the subprocess's parent.
Child objects
You can use the following child objects in the path.
Primary Immediate Child
Paths follow only to the immediate, highest level child or to the immediate primary child. Use Primary
Immediate Child for recursive object types only.
Primary Child
Paths follow only to the primary child, which is a child of a primary parent. A primary parent can have
several primary children. A child can have only one primary parent.
If a primary child is specified, the path follows only primary child relationships.
Any Immediate Child
Paths follow only to the immediate, highest level children, if the child is a recursive object type.
Grandchildren are excluded.
Any Child
Paths follow to any level of child, grandchildren or children, within recursive object types.
Security 73
Terms that are used with date data types
TODAY
Returns today's date.
TOMORROW
Returns tomorrow's date.
NOW
Returns the current date and time.
You can specify a date in the future or in the past. For example:
• NOW(5) specifies a date five days from now.
• NOW(2,'m') specifies a date two months from now.
• NOW(-5) specifies a date five days ago.
• NOW(-2,'y') specifies a date two years ago.
You can use year, month, week, day, hour, minute, or second.
YESTERDAY
Returns yesterday's date.
DATE
Specifies the date and time as a string in the ISO format: YYYY-MM-DD and hh:mm:ss.sTZD.
You can also specify the date and its format as a string: DATE('09/05/2013','MM/dd/yyyy')
condition
Condition is the basic building block for a security rule formula.
path-condition
predicate
scalar-value
field-reference
end-user-profile
Security 75
function
like-predicate
starts-with-predicate
contains-predicate
ends-with-predicate
in-predicate
in-group-predicate
path
v----------------------.
|-- object-type ----- / -- object-type --+--|
path-direction
intended-parent
Rules
• Combining multiple paths with AND or OR is semantically equivalent to specifying multiple path
expressions with the same condition combined by AND or OR.
• For combined paths, the end point of all paths in the path expression must have the same object type.
The condition can contain references only to the shared starting points and ending points as well as any
references to outer paths that lead up to the subject.
• A path expression for a given path of object types is considered true if the condition is true for any
instantiation of the path.
• Except for combined paths described earlier, the condition can depend on any object type along the
path of the path-expression.
• The condition may also depend on object types along the path of containing path-expressions or the
subject object type of the rule.
• When using intended-parent, the condition can depend on the object-type referenced as
intended parent as well as the subject object-type of the rule. A path expression that uses the
intended parent clause is considered false if the indented parent is not of the specified object-type
or the operation is not Associate or Create.
• Depending on the path-direction specified, the path lists a connected series of object types relative to
the current context either following parent or child relationships.
• The outermost path must start with the rule's subject type. Nested paths must start with the endpoint of
the immediately containing path.
• If IMMEDIATE is specified and the end point of the path is a recursive object type, the path stops at the
bottom most parent of that type or the top most child.
• If PRIMARY is specified, the path will follow only primary parent relationships.
Security 77
Enabling or disabling a security rule
You can work on a security rule without making it available to your users. When the security rule is ready,
you can enable it. Conversely, you can withdraw a security rule by disabling it so that you can make all
required changes to it.
Procedure
1. Click Administration > Security Rules.
2. Select the object type that contains the security rule that you want to enable or disable.
3. Enable or disable the security rule.
Procedure
1. Click Administration > Security Rules.
2. Select the object type that contains the security rule that you want to validate.
3. Click on the security rule, and then click Edit.
4. Click Validate for the formula that you want to validate.
5. When you see a message that the formula has successfully validated, click Save.
Procedure
1. Click Administration > Security Rules.
2. Select the object type that contains the security rule that you want to delete.
3. For the security rule that you want to delete, click Delete.
Where:
Rule_ObjectType is the object type in which the Read rule is created.
PATH is the path of the Read rule, starting from the Rule_ObjectType.
The following example shows the security rule for LossEvent to control the Read operation for LossEvents
under BusinessEntity.
Procedure
1. Log on to IBM OpenPages GRC Platform as a Super Administrator user with the Access Control Lists
application permission set.
2. Click Administration > Custom Security.
Security 79
3. Click Default > Plan and do the following:
• For Project Milestones - click the Milestone link.
• For Project Action Items - click the Task link.
4. On the Access Control tab, click Actions > Add.
5. On the access control entry page:
a) Search for the user or group you want to add.
b) For each permission (Read, Write, Delete, Associate), select a setting value (Granted, Inherited,
Denied).
c) Click Add.
Note: Read permission is required for Write and Associate access, and Write access is required in
order for Delete access to be granted. You can select any combination of permissions, but when you
save the ACL, it will be modified to be a valid combination of permissions.
Procedure
1. Log on to IBM OpenPages GRC Platform as a Super Administrator user with the Access Control Lists
application permission set.
2. Click Administration > Custom Security.
3. Expand the folder hierarchy and click the folder that has the Access Control List you want to modify.
4. On the Access Control List tab:
a) Select the check box next to the user or group for which you want to modify access control.
b) Click Edit.
c) Make the necessary changes.
d) Click Save.
Procedure
1. Log on to IBM OpenPages GRC Platform as a Super Administrator user with the Access Control Lists
application permission set.
2. Click Administration > Custom Security.
3. Expand the folder hierarchy and click the folder that has the Access Control List you want to modify.
4. On the Access Control List tab:
a) Select the check box next to the user or group for which you want to delete access control.
b) Click Actions > Remove.
In the following example, the command generates a keystore that uses the supported Java format (jceks).
The encryption key uses a 3DES encryption algorithm with a key size of 168.
In the following example, the command generates a keystore that uses the supported Java format (jceks).
The encryption key uses an AES encryption algorithm with a key size of 128.
Security 81
In the following example, the command generates a keystore that uses the supported Java format (jceks).
The encryption key uses an AES encryption algorithm with a key size of 192.
In the following example, the command generates a keystore that uses the supported Java format (jceks).
The encryption key uses an AES encryption algorithm with a key size of 256.
Special encryption files for 192 bit and 256 bit encryption
By default, applications that are based on Java technology include an IBM JRE that does not support
Advanced Encryption Standard 192-bit (AES-192) or Advanced Encryption Standard 256-bit (AES-256)
encryption.
The United States export administration regulations for strong cryptography prohibit including such
software support. Administrators can enhance an IBM JRE to work with AES-256 and AES-192 encryption
by obtaining the IBM Java Cryptography Encryption (JCE) unrestricted policy files from IBM Unrestricted
SDK JCE policy files.
Note:
You must have a universal IBM ID to download the files. If you do not have an IBM ID, click the
registration link on the page and perform the following steps:
1. Log in.
2. Select Java 5.0 SR16, Java 6 SR13, Java 6 SR5 (J9 VM2.6), Java 7 SR4, Java 8 GA, and all later
releases.
3. Click Continue.
4. In the new page, check I Agree and select I confirm.
5. In the new page, click the Download now link.
6. Extract the download and copy the JAR files to the <JAVA_HOME>/jre/lib/security directory,
overwriting those already there.
Attention: For the changes to take effect, you must restart the OpenPages application servers.
For more information, see Chapter 20, “Starting and stopping servers,” on page 549.
The encryption keystore is a file that stores the key that you use to encrypt data in the IBM OpenPages
GRC Platform repository.
The keystore file must be on the admin server.
In a horizontal environment, the keystore file must also be available to each application server There are
two options:
• Each application server must have access to the file location on the admin server.
• The file must be available in the same location on each application server.
What to do next
You must now enable the key to encrypt the repository.
Procedure
1. Click Administration > Encryption Keystore.
2. Click Enable.
Depending on the size of the repository, encryption can take a long time. Encryption runs as
background event. You can view the progress by clicking Refresh.
Procedure
1. Click Administration > Encryption Keystore.
2. Click Disable.
Security 83
Depending on the size of the repository, decryption can take a long time. Decryption runs as
background event. You can view the progress by clicking Refresh.
Procedure
1. Click Administration > Encryption Keystore.
2. Click Edit.
3. Enter the current encryption keystore password to access it.
4. Update the details in the keystore.
For more information, see “Setting up the encryption keystore” on page 82.
5. Click Update.
Depending on the size of the repository, updating the encryption can take a long time. Encryption runs
as background event. You can view the progress by clicking Refresh.
To successfully use an LDAP Directory Server with IBM OpenPages GRC Platform, you must configure the
LDAP Authentication Module to recognize the presence of the LDAP server.
To configure OpenPages GRC Platform to work with an external LDAP authentication source, complete the
following tasks:
• “Adding existing users to the LDAP server” on page 85
• “Changing the OPSystem password” on page 85
• “Modifying the LDAP configuration file” on page 85
Procedure
1. Start all services.
2. Open a command or shell window on the application server.
3. Navigate to the <OP_Home>|bin directory.
For Microsoft Windows operating systems, the default installation directory of OpenPages GRC
Platform is C:\OpenPages.
For AIX and Linux operating systems, the default installation directory of OpenPages GRC Platform
is /opt/OpenPages.
4. Execute one of the following commands to open the chng-sys-pswd tool:
For Windows, run chng-sys-pswd.bat
For AIX and Linux, run chng-sys-pswd.sh
You will be prompted for the old OPSystem password and then the new password.
5. Follow the on-screen prompts.
6. When directed, stop all services.
7. Restart all services to enable the new password.
Security 85
The only module that the IBM OpenPages GRC Platform system pays attention to is the module that is
named Openpages. Therefore, you need to make a backup of the Openpages module, rename the
OpenpagesIP or OpenpagesAD to Openpages, and then change the settings to reflect the settings of
your LDAP server.
Procedure
1. Stop all OpenPages GRC Platform services.
2. Open and edit the <OP_Home>/aurora/conf/aurora_auth.config file in a text editor.
Where:
<OP_Home> is the installation location of the OpenPages GRC Platform application.
3. Find the Openpages module and change its name to OpenpagesDefault.
4. Modify either the OpenpagesIP or OpenpagesAD module name to Openpages.
• If you are using a Microsoft Active Directory server, change the name of the OpenpagesAD module to
Openpages.
• If you are using a Sun One Directory Server, change the name of the OpenpagesIP module to
Openpages.
• If you are using a different LDAP server, you can use either of these modules. Choose a module to
use as a template and change its name to Openpages.
5. Specify the correct values for the following properties in the module that you named Openpages:
provider.url
Change the value to the hostname and port number for the LDAP authentication server. For LDAP,
the protocol is ldap and the port is the LDAP port number (by default, 389).
base.dn
The top level of the LDAP directory tree structure (Domain Name) on the LDAP server. If the users
to be authenticated are located in multiple locations within your Active Directory structure, list all
of the locations explicitly by using the distinguished names of the locations, each separated by a
semi-colon.
For example:
base.dn="DC=LDAPTesting,DC=local;CN=Users,DC=LDAPTesting,DC=local;
OU=Auditors,OU=External Auditors,OU=Staff,DC=LDAPTesting,DC=local"
user.attr.id
The attribute name of the user identifier (for example, uid, cn, etc.)
Additional custom parameters
You can add additional custom parameters that are supported by the Java Naming and Directory
Interface (JNDI). Precede a JNDI property with the ctx.env. prefix.
For example, if you want to use the JNDI property com.sun.jndi.ldap.connect.timeout,
use ctx.env.com.sun.jndi.ldap.connect.timeout="<value>" in the
aurora_auth.config file.
For information about JNDI properties, see the Java SE documentation (http://docs.oracle.com/
javase/7/docs/technotes/guides/jndi/jndi-ldap.html#JNDIPROPS).
For example:
Openpages
{
com.openpages.aurora.service.security.namespace.LDAPLoginModule
required debug=false
provider.url="ldap://myserver.company.com:389"
security.authentication="simple"
security.search.user.dn="cn=Directory Manager"
security.search.user.credentials="openpages"
base.dn="ou=people,o=IBM,c=US"
user.attr.id="uid"
6. When you are finished editing the file, save your changes and exit.
7. Restart all services.
Results
You have configured the OpenPages GRC Platform system to use an external LDAP user authentication
server.
Use mixed-mode authentication when not all users can use a single namespace for authentication.
This solution should be used by customers who do not want to create the OPSystem, SOXAdministrator,
OpenPagesAdministrator, or OPAdministrator user accounts on their LDAP server but do want all their
users to be authenticated by LDAP. The following procedure creates a new namespace and modifies user
names (such as OPSystem) to authenticate against the OpenPages GRC Platform authentication module
rather than LDAP.
Procedure
1. To create the namespace modules in the aurora_auth.config file, log on to the application server.
2. Find and open the aurora_auth.config file.
3. Create or update the namespace modules in the file as follows:
OpenpagesDefault
{
com.openpages.aurora.service.security.namespace.AuroraLoginModule
required debug=false;
};
Openpages
{
com.openpages.aurora.service.security.namespace.LDAPLoginModule required
debug=false
provider.url="ldap://192.168.0.169:30429"
security.authentication="simple"
base.dn="DC=LDAPTesting,DC=local;OU=People,DC=LDAPTesting,DC=local"
user.attr.id="uid"
;
};
4. To create the namespace in the database, log into the database instance with the database id, such as
OPENPAGES.
5. Run the following SQL to create the OpenpagesDefault namespace:
For example, the following SQL will have the OPSystem use the OpenpagesDefault namespace for
authentication:
Security 87
Configuring a multi-forested LDAP authentication
IBM OpenPages GRC Platform supports the use of multiple LDAP authentication servers in a multi-
forested configuration. If the application cannot find the user in the first authentication server, it will
check the next server in the list and repeat until it finds the user or checks all listed authentication
servers.
When listing multiple LDAP servers, the aurora_auth.config file must be modified to contain multiple
sets of server information.
This file is located in the <OP_Home>\aurora\conf directory, where <OP_Home> is the installation
location of the OpenPages GRC Platform application. By default, this is c:\OpenPages.
This is accomplished by grouping the server information by index key, as in the following example:
com.openpages.aurora.service.security.namespace.LDAPLoginModule required
debug=true
provider.url.1="ldap://10.128.22.106:389"
security.authentication.1="simple"
security.search.user.dn.1="CN=Administrator,CN=Users,DC=parent,DC=parentchil
d,DC=localdomain"
security.search.user.credentials.1="Op3nPag3s"
base.dn.1="DC=parent,DC=parentchild,DC=localdomain"
user.attr.id.1="CN"
provider.url.2="ldap://10.128.22.107:389"
security.authentication.2="simple"
security.search.user.dn.2="CN=Administrator,CN=Users,DC=child,DC=parent,DC=p
arentchild,DC=localdomain"
security.search.user.credentials.2="Op3nPag3s"
base.dn.2="DC=child,DC=parent,DC=parentchild,DC=localdomain"
user.attr.id.2="CN"
By adding a ".1" key to the end of each parameter, OpenPages GRC Platform can parse the settings
correctly and differentiate between separate LDAP server information sets. You would append a ".2" to
the keys for the second LDAP server, and so on.
For single LDAP server implementations, you do not need to append an identifier to the end of the
parameter names.
You can create, recreate, disable, drop, and view the status of a reporting schema from the Reporting
Schema detail page.
Important: The system must be in System Administration Mode (see “Enabling and disabling System
Administration Mode” on page 17) to modify the reporting schema.
Procedure
1. Log on to the IBM OpenPages GRC Platform application user interface as a user with the Reporting
Schema application permission set.
2. From the menu bar, select Administration and click Reporting Schema.
Procedure
1. Access the Reporting Schema. Log on to the IBM OpenPages GRC Platform application user interface
as a user with the Reporting Schema application permission set.
a) From the menu bar, select Administration and click Reporting Schema.
2. Enable System Administration Mode (for details, see “Enabling and disabling System Administration
Mode” on page 17).
3. Perform one of the following actions:
• If a reporting schema already exists, click Re-Create to drop the existing schema and create a new
schema.
• If no reporting schema exists, click Create.
4. When the creation task (or re-creation task) is complete, update the Reporting Framework so that the
Cognos reports can access the new schema. For more information, see “Updating the reporting
framework” on page 686.
You can control whether data from previous reporting periods is included in the reporting schema.
By default, the reporting schema is only populated with the data from the current reporting period. Use
the following procedure to populate the reporting schema with past periods:
Procedure
1. From the menu bar, select Administration and click Settings.
2. Expand the Platform | Reporting Schema folder hierarchy.
3. Click the Populate Past Periods setting to open its details page.
false The reporting schema is populated with the data from the current reporting
period.
This value is set by default.
5. Click Save.
6. Recreate the reporting schema (see, “Changes that require the reporting schema to be regenerated”
on page 89).
Creating a new reporting schema automatically enables the reporting schema, while dropping the
reporting schema automatically disables it.
When the reporting schema is enabled, the database tracks changes to the application data and allows
the reporting engine to access the updated data. When the schema is disabled, the database no longer
tracks changes to the application data, but is still aware of changes to the schema (such as new fields).
Note: You must be in System Administration Mode (SAM) to enable the icons that allow you to perform
these tasks.
Procedure
1. Enable System Administration Mode (for details, see “Enabling and disabling System Administration
Mode” on page 17).
2. From the menu bar, select Administration and click Reporting Schema.
3. Enable or disable the reporting schema:
• Click Enable to enable the reporting schema. If the schema does not exist, click the Create icon to
create the reporting schema. Creating the reporting schema will automatically enable the new
schema.
• Click Disable to disable the reporting schema. If you want to reclaim the database space taken by
the reporting schema tables, you must click the Drop icon. This will automatically disable the
reporting schema.
Types of visualizations
Built-in visualizations are provided as a starting point for designing new process diagrams or viewing the
organizational chart for a Business Entity.
By default, the following visualization templates are installed on all IBM OpenPages GRC Platform
systems:
• Business Process Flow visualization
• Business Entity Organizational Charts
Level Description
1 Company name
3 Regions
Because the chart is a rendering of the Business Entity objects and the parent-child associations, users
cannot modify or author a Hierarchy diagram.
Procedure
1. Complete one of the following actions:
• To use a hierarchical view of the Business Entity, click Organization > Business Entity Overview
and select a Business Entity.
• To use the Filtered List View of Business Entities, click Organization > Business Entities and select
a Business Entity.
2. In the details pane, in the Business Entity Chart field, click the Hierarchy Diagram link.
A new browser window shows the organization chart as a visualization of the Business Entity. To view
the legend, click the down arrow.
3. To view a different level of the organizational chart, from the Level list, click the level that you want.
In general, level 1 is the company name, level 2 is the divisions and subsidiaries, and level 3 is the
regions and branches. If an element includes a child level that you can expand further, the element
includes an ellipsis in a small circle.
4. To make a branch within the root level, right-click the element in the chart, and select Make Root.
6. To refresh the chart and retrieve the most recent data from the database, click Refresh .
Procedure
1. Click Organization > Processes and enter a filter.
2. In the Filtered List View, select a Process.
3. On the Process Detail page, under Associations, click Process Diagrams.
4. On the Process Diagram List page, under Name, click the diagram that you want to view.
5. In the form page, click the Process Diagram link.
The Process Diagram editor is opened in Read-only mode or Edit mode, depending on your access
permissions to the process.
6. To view more information about the diagram, choose one of the following actions:
• To view detailed information about an element, click the element to display its details.
• To open the corresponding Detail page or Activity View for any subprocess, risk, control, input, or
output node, right-click the element, and click Open Detail Page.
The Detail page is opened in a new browser window, and you can view the data for the selected
object, including fields and any associations it has to other objects.
• If the connections and nodes in the diagram represent a complex flow and you want to optimize the
visualization, click Auto Layout.
When Auto Layout is turned off, the objects and nodes are pinned to the canvas as you interact
with the diagram. Existing nodes do not move as you add connecting links to the diagram. As a
result, you might have complex routing that is difficult to understand. Click Relayout Diagram.
to automatically move objects and connecting links to show a less complex diagram.
Window .
7. To remove an element from the diagram, right-click the element and click Remove.
8. To update the diagram with any objects that were added since the diagram was last saved, click
Refresh .
Restriction: If you modified the diagram, and you do not complete the refresh step, and if there is a
discrepancy between the current diagram and the diagram when it was last saved, you cannot save the
changes until you resolve the conflict between the two versions.
9. Click Save.
If the editor is in Read-only mode, you do not have permission to save the changes to your diagram.
You can create a process diagram as a child association of the selected Process. Because the process
diagram is a child object of the Process, the diagram is displayed under Associations in the Process
Details page.
You can apply labels to flows or directional links. However, flow data, such as reporting or logic, must be
available to use in the diagram.
Procedure
1. Click Organization > Processes.
2. Select the process for which you want to graphically show the flow.
3. On the Detail page, under Associations, click Process Diagram.
The Process Diagram list page is displayed.
4. From the Actions menu, click Add a new Process Diagram.
5. In the Name and Description fields, enter information about the process diagram.
6. In the Status field, click Draft, and then click Save.
The new process diagram is now available for selection for modifying. In the Process Diagram detail
pane, the Process Diagram link field contains the URL to the process diagram.
7. In the Process Diagram detail pane, in the Process Diagram link field, click the link.
When the Process Diagram canvas is opened, the IBM OpenPages GRC Platform objects that are
available for your diagram, and to which you were granted access permission, are listed. Objects that
were removed from the repository or data model are marked with an X. You cannot save diagrams
that include objects that are marked for deletion.
Window .
11. To save the process diagram that is associated with the process, click Save.
Related concept
“Business process visualizations” on page 95
As a Risk analyst or Compliance manager, you can graphically render your business process and
communicate it to other users of risk analysis. By visualizing the business process, which can include the
subprocesses, activities, risks, and controls, you can speed the risk management process and data
analysis.
Procedure
1. Open a process diagram.
a) Click Organization > Processes.
b) Under the Folder View, expand the folders and select the parent process that contains the
associated process diagram that you want to refresh.
c) Under Associations, click Process Diagrams.
The Process Detail page shows the process diagrams that are associated to the process object.
d) Click the diagram that contains the process flow you that you want to update.
e) In the field pane, in the Process Diagram Link property, click the Process Diagram link.
The Process Diagram canvas is opened in a separate window.
Results
The refresh process manages the GRC objects in one or more of the following ways:
• If the GRC object is not in the current diagram, the object and the child objects are added.
• If the GRC object is in the current diagram but was deleted from the system, it is marked as deleted with
a red symbol.
• If the GRC object in the current diagram was modified (for example, a change in name, description, or
status), the GRC object data is updated.
A GRC object might not be available for use in the diagram because the object was deleted from the
OpenPages GRC Platform system or you do not have Read access to the object.
Procedure
1. Click Organization > Processes.
2. Under Folder View, expand the folder that contains the parent process that is associated with the
process diagram that you want to revise.
3. Under Associations, click Process Diagrams.
The Process Detail page shows the process diagrams that are associated to the process object.
4. Click the diagram that contains the process flow you that you want to change.
The field pane is displayed after the list of diagrams.
5. In the field pane, in the Process Diagram Link property, click the Process Diagram link.
When the Process Diagram canvas is opened, the OpenPages GRC Platform objects that are available
for your diagram, and to which you were granted access permission, are listed. Objects that were
removed from the repository or data model are marked with an X. You cannot save diagrams that
include objects that are marked for deletion.
Diagram To automatically move objects and connecting links to show a less complex
diagram.
If Relayout Diagram is the default setting and you change the diagram, the diagram is recast to
provide optimal visualization.
• To show the diagram so that it is zoomed to fit entirely into your browser window, click Fit to
Window
8. To modify the process flow, complete the following actions:
• To connect objects, select the first object that you want, press Ctrl, and click the next object in the
flow. When all the objects that you want are selected, right-click the selection, select Add Link, and
select whether the flow of objects is to the left, right, top, or bottom of the first object.
When the objects are selected, they are removed from the available list of objects in the pane.
• To add a label for the connecting line between two objects, right-click the link, and select
Properties. In the Label field, type the description for the connector.
• To add a decision node, right-click the object, click Add Decision, and then click the direction in
which you want to place it.
Remember: To change the label for the Decision node, right-click the node and click Properties. In
the Label field, enter the condition that must be met at this stage of the flow.
• To remove a connector or an object, right-click the element, and select Delete.
Note: You cannot remove controls or risks that are associated with a subprocess element.
9. To save the process diagram that is associated with the process, click Save.
Procedure
1. Click Organization > Processes.
2. Select the process that contains the associated process diagram that you want to copy.
3. On the Process Detail page, under Associations, click Process Diagrams.
The Process Diagrams list page is displayed.
4. From the Actions menu, click Copy an existing Process Diagram.
The Copy Process Diagrams - Select Process Diagrams page is displayed.
5. On the Folder View tab, select the diagram whose process flow you want to copy, and click Next.
6. Under Copy Options, select whether you want to copy associated files or associated issues.
7. Under Resolving naming conflicts, choose how you want to copy and later identify the new process
diagram.
Results
A copy of the process diagram is included in the list of diagrams on the Process Detail page.
Procedure
1. Click Organization > Processes.
2. Under Folder View, expand the folders to locate the process for which you want to change the status.
3. On the Process Detail page, under Associations, click Process Diagrams.
4. From the Process Diagrams detail page, under Name, click the process diagram whose status you
want to change.
5. In the field pane, from the Actions menu, click Edit this Process Diagram.
6. In the Status field, select one of the following states for your diagram:
• If work on the diagram is in progress, click Draft.
• If the diagram is ready for approval, click Published.
• If the diagram is out-of-date and no longer reflects your current process flow, click Obsolete.
If the diagram has a status of Obsolete, it is not removed from the IBM OpenPages GRC Platform
system. However, users cannot refer to it for decision making because it does not contain updated
process flows for the Business Entity.
7. Click Save.
Procedure
1. Click Organization > Processes.
2. Under the Folder View, expand the folders to locate the process diagram that you want to delete.
3. On the Process Detail page, under Associations, select Process Diagrams.
4. Under Name, select the check boxes next to the process diagrams that you want to delete.
5. From the Actions menu, click Delete selected Process Diagrams.
Procedure
1. Click Organization > Processes.
2. Under Folder View, expand the folders to go to the process for which you want to modify the details.
3. On the Process Detail page, under Associations, click Process Diagrams.
4. Under Name, click the process diagram whose details you want to change.
5. In the Fields pane, from the Actions menu, click Edit this Process Diagram.
6. Make the necessary modifications and click Save.
Procedure
1. Verify that the OpenPages GRC Platform application is running.
2. On the source OpenPages GRC Platform system, in a text editor, open the
ObjectManager.properties file and set the following properties where full_path is the full path of
the process object that you want to use as the scope for the export:
configuration.manager.dump.associated.resources.root.node.1=full_path
Change the values of the parameters whose names begin with the pattern
configuration.manager.dump.from true to false
configuration.manager.dump.associated.resources=true
Tip: The ObjectManager.properties file is in the root_installation_folder/bin directory
where root_installation_folder is the folder of your OpenPages GRC Platform installation.
3. At the command line, go to the bin installation directory.
For example, cd C:\OpenPages\bin
4. At the command line, type one of the following commands on a single line:
What to do next
On the target OpenPages GRC Platform server, extract the files from the output file.
“Running ObjectManager commands” on page 590
“Modifying the ObjectManager properties file” on page 601
Procedure
1. On the target server, copy the two dump files that contain the process diagram and related data to an
extract_folder.
2. In a text editor, open the ObjectManager.properties file and set the following property:
configuration.manager.load.resource.ignore.undefined.property.value=true
Tip: The ObjectManager.properties file is in the root_installation_folder/bin directory
where root_installation_folder is the folder of your OpenPages GRC Platform installation.
3. At the command line, go to the bin installation directory.
For example, cd C:\OpenPages\bin
4. At the command line, type one of the following ObjectManager commands on a single line:
• On a computer that is running a Microsoft Windows operating system:
ObjectManager l c Super_Administrator_Account Super_Administrator_Password
extract_folder_name dump_file_name
• On a computer that is running an AIX or Linux operating system:
ObjectManager.sh l c Super_Administrator_Account
Super_Administrator_Password extract_folder_name dump_file_name
Results
The following rules are observed when you import the process diagram objects:
• If the objects with matching data exist on the target environment, the objects are not overwritten.
• If the objects with different field values exist on the target environment, new versions of the objects are
created with data from the import file.
Supplied reports
The OpenPages GRC Platform application comes with a selection of predefined and supplied reports that
allow you to quickly view important information about your project.
Note: The list of reports in this documentation is for a fresh installation of the OpenPages GRC Platform
application. If you have additional reports tailored to your particular business needs or have upgraded
from an earlier version of the application, the classification of the supplied reports may differ from the
classification documented here.
Disassociated Objects Listing of objects that do not have associated parent objects in the current
reporting period. You can filter for specific object types and can sort by:
• Name of object.
• Full Path of the folder where the object is stored.
You can access reports from the IBM OpenPages GRC Platform application user interface.
They are typically found in the /openpages folder.
Procedure
1. From a browser window, log on to OpenPages GRC Platform.
2. Select Reporting on the menu bar and choose a report from the list. A separate browser window opens
with the selected report.
If you selected the All Reports option, the Reports page is displayed. From the list on the Reports page,
click the name of the report you want to launch.
Note: Depending on your configuration, application, and permissions, you may see different reports
and folders.
3. If this is a "scoped" report, at the prompt, choose the object where you want the report to run from.
For example, if you select a business entity, then the report will use the selected business entity as the
starting point and limit the scope of the report to all objects contained below that entity.
If the report is not scoped, it will run as soon as you click the name of the report.
Adding reports
To run a report from the IBM OpenPages GRC Platform user interface, the report must have a
corresponding report page published to the OpenPages GRC Platform server.
A report page does the following:
• Adds a link on the Reporting menu and All Reports page to launch the Cognos report from the
OpenPages GRC Platform user interface
• Specifies the parameters for launching the report
• Specifies the keys used for localizing the report name and description in the OpenPages GRC Platform
user interface
All Studio report pages are based on the Cognos Report Redirect page template, and all Cognos
Workspace report pages are based on the Cognos Dashboard Redirect page template. Additionally,
all Cognos Analytics dashboard and story pages are based on the Cognos Analytics Dashboard Redirect
page template. These templates are located at the root of the Reporting publishing channel on the
OpenPages GRC Platform server.
You can add a report from the IBM OpenPages GRC Platform user interface.
When you add a report, the following process occurs:
• A corresponding report page is automatically generated on the OpenPages GRC Platform server that is
based on the CommandCenter Report Redirect page template.
• The report is published, by default, to the U.S. English locale.
• If the report name and description are not specified for a locale, the values in the U.S. English locale are
used by default.
• Report name and description application text keys are automatically created in the "Miscellaneous"
folder on the Application Text page and populated with the specified values.
These key values are used for localizing the report name and description on the "My Reports" section of
the home page and on the Reporting menu and page. To modify these key values, see “Localizing
application text” on page 281.
Example
A new unpublished report was created called "My Control Summary" in the OPENPAGES_SHARED folder
on the Cognos server. Publish the report to make it available for users in the US English and Japanese
locales.
From the Reports page in the OpenPages GRC Platform application, you click Add and select the report
from the listing. For the US English locale (this locale is automatically selected by default), type in "My
Control Summary" for the report name, and "All controls assigned to me" as the description for the report.
You then select the Japanese locale and type in a localized name and description.
The application text keys for the "My Control Summary" report that are automatically generated under the
"Miscellaneous" folder on the Application Text page may look similar to these:
report.name.openpages.shared.my.control.summary and
report.description.openpages.shared.my.control.summary.
You can use these keys to modify the report name or description that is displayed on the application user
interface for a locale.
Procedure
1. From a browser window, log on to the OpenPages GRC Platform user interface as a user with the Add
Pages application permission set.
2. From the menu bar, select Reporting and click All Reports.
3. Click Add to go to the Publish Report page.
Procedure
1. Access the Publish Report page (see “Accessing the publish report page” on page 115).
2. Select a report from the Report list.
3. Select the check box for each locale in which you want the report to display. For example, German. The
U.S. English locale is selected by default.
4. In the Name field for each selected locale, type the display name of the report.
This name will be displayed to users in the report selection list and on the Reports page, and, if
configured on the Home page, in a tab or in a pane on the My Work tab.
5. In the Description field for each locale, type a description of the report. This description will be
displayed to users on the Reports page.
Note: Any locale for which you do not specify a localized name and description will, by default, contain
the U.S. English name and description.
6. When finished, click Save.
After the report is published, a link to launch the report is displayed on the Reports page along with a
description of the report, and the report name is added to the list of selections on the Reporting menu.
Procedure
1. Ensure 32-bit Java 8 is installed and launch Internet Explorer.
2. When you navigate to pages in OpenPages GRC Platform server that require the Java applet, a
message is displayed requesting that the applet be run. Complete the following steps to run the
applet:
a) Click Run.
b) If Java is not installed on the client, when you navigate to pages in OpenPages GRC Platform that
require the Java applet, you are prompted to install Java Runtime Environment 7 Update 60. Click
Install.
Note: Internet Explorer Enhanced Security Configuration must be disabled to allow the installation
of Java.
Understanding reports
Reports are generated by combining report pages and page templates that provide necessary information
about the filtering and sorting of the report contents, as well as the displayed name and description of the
report.
Reports (both Cognos and JSP) are represented in a publishing channel by a page template which lists the
parameters that the source file needs in order to create a report. A report page is an instance of a page
template, and contains a set of values for the parameters specified in the page template.
In this manner, a single page template can be supplied with multiple sets of values for its parameters.
This allows the IBM OpenPages GRC Platform application to create multiple reports based on the same
layout and internal logic. Each report page represents a report as viewed in OpenPages GRC Platform.
Report pages and page templates reside on the OpenPages GRC Platform server.
Note:
• Cognos reports can be published through the application user interface. This method automatically
generates a corresponding report page and application text keys for localizing the selected report. For
details, see “Adding reports” on page 113.
• Reports that are placed under the Reporting/SOX folder structure on the application server are
published to the U.S. English locale. To publish to a different locale, choose the /SOX folder under the
locale you want (for example, ja_JP/SOX for the Japanese locale).
• All Cognos report pages are based on the Cognos Report Redirect page template, which is located
at the root of the Reporting publishing channel on the IBM OpenPages server.
Procedure
1. From a browser window, log on to the IBM OpenPages GRC Platform server (typically /opx) as a user
with the correct Reporting permissions).
2. Click the Browse channels link under the Publishing heading in the Action menu. This displays a list
of the available publishing channels.
Note: If you cannot see the Publishing heading, you do not have the correct permissions. See your
OpenPages GRC Platform Administrator.
3. Click the Reporting folder. A list of files and folders is displayed.
Each folder represents a report grouping in the IBM OpenPages user interface. Each page file
represents an OpenPages GRC Platform report.
To manually create an instance of a report, you must log on to the IBM OpenPages GRC Platform server,
and create a report page based on a copy of an existing page template.
The new report page will display clickable links in the OpenPages GRC Platform user interface for running
the new report.
Note:
• Cognos reports can be published through the application user interface. This method automatically
generates a corresponding report page and application text keys for localizing the selected report. For
details, see “Adding reports” on page 113.
• Reports that are placed under the Reporting/SOX folder structure on the application server are
published to the U.S. English locale. To publish to a different locale, choose the /SOX folder under the
locale you want (for example, ja_JP/SOX for the Japanese locale).
• All Cognos report pages are based on the Cognos Report Redirect page template, which is located
at the root of the Reporting publishing channel on the IBM OpenPages server.
Procedure
1. From a browser window, log on to the IBM OpenPages GRC Platform server (typically /opx) as a user
with the correct Reporting permissions.
2. If you already know which page template you want to use, skip to the next task.
Otherwise, do the following to determine which existing report page you want to copy from or use as
the basis of the new report page:
a) Click the Browse channels link under the Publishing heading in the Action menu.
b) Click the Reporting channel link and navigate through the folder structure to the OpenPages GRC
Platform report you want to copy or use and modify as the basis of a new report.
c) Click the name of the report page to open its detail page.
d) In the General Information table on the detail report page, note the value of the Template field.
You will need to either reference this template or make a copy of the referenced template.
Procedure
1. Click the Browse channels link in the Action menu.
2. Click the Reporting channel link and navigate to the folder where you want the report page to be
created.
For example, a report page for a new Cognos report in the U.S. English locale would be placed in the
Reporting/SOX/OpenPages V6 folder.
Optionally, create a category folder for grouping the reports under the appropriate /SOX folder. For
example, to create a new report grouping titled "My Custom Reports" on the Reporting menu and
Reports page in the OpenPages GRC Platform application for the U.S. English locale, you could create
a folder with the path Reporting/SOX/My Custom Reports. Any report pages placed in the folder
will appear under that grouping in the reporting sections of the OpenPages GRC Platform application.
3. Click the Add Page icon.
4. In the Describe page step of the Add a Page wizard, do the following:
a) Type an informative name and description for the report.
Note: You will not be able to change the name of a report after it is created.
b) Choose the page template you will use to create the report.
For reports from IBM Cognos Analysis Studio, IBM Cognos Query Studio, or Cognos Analytics -
Reporting, or IBM Cognos Workspace, use the CommandCenter Report Redirect page
template.
c) Click Next.
5. If this is a JSP report, skip to Step 7. Otherwise, for a Cognos Studio report based on the
CommandCenter Report Redirect page template, in the Specify page contents step in the Add
a Page wizard, do the following.
a) Select a value for each of the following fields:
Show prompt page Determines whether or not a prompt page is always displayed for a
report.
If the value is set to:
• Yes - a prompt page is always displayed even if the report has no
required prompts.
• No - a prompt page only displays if it is required by the report design.
This value is set by default.
Report Folder The report folders must be syntactically correct and separated by
forward slashes. The Team content folder is assumed, and does not
need to be included in the Report Folder field. For example, the report
folder could be Vision 2013/Workspaces.
Report Name The report name must be the name that you want to appear in Cognos
Analytics.
b) Skip to Step 8.
6. For a report based on the CommandCenter Dashboard Redirect page template, in the Specify
page contents step in the Add a Page wizard, do the following:
Note: You can use the values in the Report Name Key and Report Description Key fields on the
report page to manually create custom application text keys to localize the name and description of a
report after it is created. For details, see “The Custom folder” on page 286.
9. Click Apply to save the modifications.
10. Click Finish to create the new report page and exit the wizard.
Results
When you log on to the OpenPages GRC Platform application user interface, the new report should be
visible in the selections on the Reporting menu and on the Reports page.
Procedure
1. From a browser window, log on to the OpenPages GRC Platform server (typically /opx) as a user with
the correct Reporting permissions.
2. Click the Browse Channels link under the Publishing heading in the navigation Action menu.
3. Navigate to the report you want to modify and click the report name to display the detail page.
4. Find the section containing the information you want to change, and click the Edit... icon before the
section. An editable version of the information is displayed.
5. Change the desired settings. For JSP reports, if you are changing the parameter sorting information,
you will need to click Apply before clicking Save.
Deleting a report
You can delete an instance of a JSP report or report page for a Cognos report.
Procedure
1. From a browser window, log on to the IBM OpenPages GRC Platform server (typically /opx) as a user
with the correct Reporting permissions.
2. Click the Browse Channels link under the Publishing heading in the navigation Action menu.
3. Navigate to the report page to delete and select the report name.
Attention: Do not delete a page template. If a page template is deleted, all report pages based
on that template are deleted as well.
4. Click Delete at the top of the table.
5. Click OK to delete the report page (or JSP report instance).
To manually create an instance of a Cognos dashboard or story, you must log on to the IBM OpenPages
GRC Platform server, and create a dashboard or story page based on a copy of an existing page template.
The new dashboard or story page will display clickable links in the OpenPages GRC Platform user
interface for running the new dashboard or story.
Note:
• Dashboards and stories that are placed under the Reporting/SOX folder structure on the application
server are published to the U.S. English locale. To publish to a different locale, choose the /SOX folder
under the locale you want (for example, ja_JP/SOX for the Japanese locale).
• All Cognos dashboard and story pages are based on the Cognos Analytics Dashboard Redirect
page template, which is located at the root of the Reporting publishing channel on the IBM OpenPages
server.
Procedure
1. From a browser window, log on to the IBM OpenPages GRC Platform server (typically /opx) as a user
with the correct Reporting permissions.
2. If you already know which page template you want to use, skip to the next task.
Otherwise, do the following to determine which existing dashboard or story page you want to copy
from or use as the basis of the new dashboard or story page:
a) Click the Browse channels link under the Publishing heading in the Action menu.
Procedure
1. Click the Browse channels link in the Action menu.
2. Click the Reporting channel link and navigate to the folder where you want the dashboard or story
page to be created.
For example, a dashboard page for a new Cognos dashboard in the U.S. English locale would be placed
in the Reporting/SOX/OpenPages V6 folder.
Optionally, create a category folder for grouping the dashboards or stories under the appropriate /SOX
folder. For example, to create a new dashboard grouping titled "My Custom Cognos Dashboards" on
the Reporting menu in the OpenPages GRC Platform application for the U.S. English locale, you could
create a folder with the path Reporting/SOX/My Custom Cognos Dashboards. Any dashboard
pages placed in the folder will appear under that grouping in the reporting sections of the OpenPages
GRC Platform application.
3. Click the Add Page icon.
4. In the Describe page step of the Add a Page wizard, do the following:
a) Type an informative name and description for the dashboard or story.
Note: You will not be able to change the name of a dashboard or story after it is created.
b) Choose the page template you will use to create the dashboard or story.
Cognos dashboards and stories use the Cognos Analytics Dashboard Redirect page
template.
c) Click Next.
5. In the Specify page contents step in the Add a Page wizard, select a value for each of the following
fields:
Note: You can use the values in the Dashboard (or) Story Name Key and Dashboard (or) Story
Description Key fields on the dashboard or story page to manually create custom application text keys
to localize the name and description of a dashboard or story after it is created. For details, see “The
Custom folder” on page 286.
7. Click Apply to save the modifications.
8. Click Finish to create the new dashboard or story page and exit the wizard.
Results
When you log on to the OpenPages GRC Platform application user interface, the new dashboard or story
should be visible in the selections on the Reporting menu.
Procedure
1. From a browser window, log on to the OpenPages GRC Platform server (typically /opx) as a user with
the correct Reporting permissions.
Procedure
1. From a browser window, log on to the IBM OpenPages GRC Platform server (typically /opx) as a user
with the correct Reporting permissions.
2. Click the Browse Channels link under the Publishing heading in the navigation Action menu.
3. Navigate to the dashboard or story page to delete and select the dashboard or story name.
Attention: Do not delete a page template. If a page template is deleted, all dashboard or story
pages based on that template are deleted as well.
4. Click Delete at the top of the table.
5. Click OK to delete the dashboard or story page.
Procedure
1. From a browser window, log on to the OpenPages GRC Platform server (typically /opx) as a user with
the correct Reporting permissions.
2. Click the Browse channels link in the navigation Action menu and navigate to the page template for
the report you want to modify.
3. Click the name of the page template you want to modify. The detail page is displayed.
4. Click the Edit... icon before the list of report parameters. The Edit Parameters applet is displayed.
5. Click the name of the parameter that you want to make interactive. The parameter information is
displayed.
6. Select the check box marked "Interactive Value" and click the Apply icon.
7. Repeat steps 5 and 6 for each parameter you want to make interactive.
8. When you are finished, click Save.
The IBM OpenPages GRC Platform application allows administrative-level users with the option to create
interactive reports to prompt a user at run-time for parameter values.
Note: Although any parameter type can be defined as an interactive parameter that requires a user to
provide information at run time, IBM OpenPages only supports the following four modes of entering
values into the value fields when the report is run:
• Date fields
• Text entry fields
• Enumerated drop-downs
• File browsers
Unsupported types may still be marked as interactive. However, the value for these fields must be entered
manually, using a text string at run-time. A valid value must be entered into the value field for the report to
return the correct set of information.
Procedure
1. From a browser window, log on to OpenPages GRC Platform (such as /openpages).
2. Select Reporting on the menu bar, and select the name of the report you want to run. If the report
contains interactive parameters, a prompt page is displayed.
3. Type information into the required fields.
4. Click Next to generate the report based on the supplied information. The report is displayed in a new
window.
Procedure
1. From a browser window, log on to the OpenPages GRC Platform server (typically /opx) as a user with
administrative privileges.
2. Click the Browse channels link under the Publishing heading in the navigation Action menu. This
displays a list of the available publishing channels.
Note: If you cannot see the Publishing heading, you do not have the correct permissions.
3. Click Reporting. A list of files and folders is displayed.
4. Expand the folder, if necessary, and select the /SOX folder you want.
Note:
• Each folder represents a report grouping in the OpenPages GRC Platform user interface.
• Reports that are under the Reporting/SOX folder structure are published to the U.S. English locale.
To select a different locale, choose the /SOX folder under the locale you want (for example,
ja_JP/SOX for the Japanese locale).
5. Under the selected /SOX folder, do the following:
a) Select the box next to the name of the folder containing the reports to which you want to limit
access through the OpenPages GRC Platform application user interface.
b) Click Properties to open the Folder Details page.
6. In the Access Controls pane, select Add from the Actions menu.
a) Select a group or user to whom you want to grant permission.
b) Select the permissions you want to allow or deny the group or user (Read, Write, Delete, Manage).
c) Click Add. The selected group or user appears in the list.
d) To select another group or user, repeat Steps a-c.
e) To remove a group or user, select the group or user then select Remove from the Actions menu.
7. Break inheritance on the folder so other groups or users cannot access these reports from the
OpenPages GRC Platform user interface:
a) On the Folder Details tab, click Edit to open the edit window.
b) In the edit window, clear the Inherit access controls from parent folder? box.
The status of the Inherit access controls row on the Folder Details tab displays changes from Yes to
No.
Procedure
1. From a browser window, log on to the IBM OpenPages GRC Platform application as a user with
administrative privileges.
2. Create a group in to which you want to give CommandCenter administrative rights, or use an existing
group, such as OpenPagesAdministrators.
Note: For information on creating groups, see the "Creating a New Organizational Group" section in the
IBM OpenPages GRC Administrator's Guide.
Procedure
1. From a browser, log on to the Cognos Analytics portal as a user with administrative privileges, for
example, OpenPagesAdministrator.
By default, the URL is:
http://<hostname>/ibmcognos/bi (if you are using port 80 for Cognos)
Where <hostname> is the name of the Cognos server.
2. Click Manage > Administration Console to launch the IBM Cognos Administration page.
3. On the Security tab, click the Cognos link in the Directory list.
4. On the Directory > Cognos page:
a) Locate the System Administrators group in the list.
b) Click the More link in the same row as the System Administrators group.
5. Under Available Actions on the Perform an Action page, click the Set members link.
6. On the Members tab of the Set Properties page, click the Add link.
7. On the Select entries (Navigate) page, do the following:
a) Click the OpenPagesSecurityRealm link to find the IBM OpenPages GRC Platform group or role to
access CommandCenter administrative functions.
b) Select a group. For example, OPAdministrators.
c) Click the green arrow to add the role.
8. On the Members tab of the Set Properties page,restrict access to the administrative functions.
a) Select the Everyone group.
b) Click the Remove link.
Procedure
1. From a browser, log on to the Cognos Analytics portal as a user with administrative privileges, for
example, OpenPagesAdministrator.
By default, the URL is:
http://<hostname>/ibmcognos/bi (if you are using port 80 for Cognos)
Where <hostname> is the name of the Cognos server.
2. Click Manage > Administration Console to launch the IBM Cognos Administration page.
3. Select the Security tab, and click the Cognos link in the Directory list.
4. On the Directory > Cognos page, click the More link in the same row as the "Authors" role.
5. On the Perform an action page, under Available Actions, click the Set members link.
6. On the Members tab of the Set properties page, click the Add link.
7. On the Select entries (Navigate) page, do the following:
a) Click the OpenPagesSecurityRealm link.
b) Select the group you want (for example, OPAdministrators).
c) Click the green arrow to add the group and then click OK.
8. On the Members tab of the Set Properties page:
a) Select the Everyone group
b) Click Remove.
9. Repeat Steps 2 - 6 for the "Query User" role.
10. When finished, return to the IBM Cognos Administration page and select the Security tab.
Results
After completing this procedure, the user cannot modify reports but can still run out-of-the-box reports.
Access permissions
Not all folders and files are accessible to all users. Each folder and file can have its own set of access
permissions that determine which users are allowed to view or edit it. Sensitive or private information
remains visible only to selected users, most often to prevent accidental editing or deletion.
Each user can view only the folders and files to which they have access permissions. Each user’s view of
the file system can appear differently, although all users are typically working from the same set of data.
For example, one user can have access to all folders and files and be able to see all files in the system.
Another user can have access to only a limited set of folders and files, which makes the folders and files
to which they do not have access uneditable.
Known issues
The following behaviors are known issues in Administration > Manage System Files:
• If you set up filters for SysXMLdocument files for the Analytics bar, the filter correctly displays the
results but incorrectly calculates as zero the number of results available.
• In Folder View only system files under the current reporting period are displayed. If you click a system
file folder and select a finalized reporting period, no files in the folder are displayed and an error is
shown.
• In Detail View for a system file, you can choose only Current in Reporting Period. You cannot choose a
finalized reporting period.
• If you apply a filter in Administration > Manage System Files, the filter is not automatically applied in
My OpenPages > Files, and vice versa.
• You must disable System Administration Mode to add new system files.
Creating folders
In IBM OpenPages GRC Platform, you can create a new folder within any folder for which you have access
permissions.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Select the check box next to the folder that you want to add the new folder to.
4. Click Add Folder.
Uploading files
You can add files to folders in IBM OpenPages GRC Platform.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Select the check box next to the folder that you want to upload the file to.
4. Click Add New.
5. Click Choose File and select the file that you want to upload.
6. Type a description for the file.
7. Click Create.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Select the check box next to the file or folder that you want to move.
4. Click Move To.
5. Navigate to the folder that you want to move the file to.
6. Click OK.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Select the check box next to the file or folder that you want to copy.
4. Click Copy To.
5. Navigate to the folder that you want to move the file to.
6. Click OK.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Select the check box next to the file or folder that you want to rename.
4. Click Rename.
5. Type a new name and click OK.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Select the check box next to the file or folder that you want to rename.
4. Click Delete.
Downloading files
You can view a file stored in IBM OpenPages GRC Platform by downloading it to your computer.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Navigate to the file that you want to download.
4. Click the file.
5. In the Name field, click View file.
The file is downloaded to your computer.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Navigate to the file that you want to check out.
4. Click the file.
5. From the Actions drop-down menu, select Check out this <type of system file>.
The file is now locked.
6. In the Name field, click View file.
The file is downloaded to your computer and available for edit.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Navigate to the file that you want to upload the newest version of.
4. Click the file.
5. From the Actions drop-down menu, select Edit/Upload this <type of system file>.
6. Click Choose File and select the new version of the file.
7. Click Save.
Checking in files
After you have edited and uploaded a file you can check it back in to IBM OpenPages GRC Platform.
Procedure
1. Go to Administration > Manage System Files.
2. Select the system file type.
3. Navigate to the file that you want to check back in.
4. Click the file.
5. From the Actions drop-down menu, select Check in this <type of system file>.
The file is now unlocked.
A field group is identified by the Field Group icon . An object field is identified by the Object Field icon
.
Definition of fields
An object field represents information that is specific to an object type.
Fields can be object fields, computed fields, and report fragment fields.
By default, each object type has a predefined field group that contains fields that are specific for that
object type. For example, the "Effectiveness Rating" and "Operating Effectiveness" fields belong to the
Control object field group called OPSS-Control.
Fields are added to a new or existing field group. It is then associated with a profile for display in views.
If you create a new object type for a custom form or survey, you must add field groups to that object type.
Field groups are new or existing field groups. For more information, see “Adding an object type for a
custom form” on page 188.
Before you create a new field, determine the characteristics of the field and the object types that will use
the new field.
The following list identifies information that is needed before you create a new field:
• Object - Will the new field be added to a custom form or object? For objects, identify the object types
where the new field will be added.
• Name - How will the new field be identified? The name is important because it is also the label that
appears next to the field. Special characters cannot be used. For additional information, see “File
naming guidelines” on page 140.
• Label - What text is displayed when this field appears on an object View page? The initial label is the
same as the name of the field. For example, if this field is added to the Detail view page of an object, it is
also displayed on the Add and Edit pages. If required, modify the label text. For more information, see
Chapter 13, “Localizing text,” on page 277).
• Data type - What is the type of data, such as Boolean or Date that is captured by the field? For more
information, see “Data types” on page 143.
• Entry type - Is the user required to enter data in the field or is data entry optional? For more
information, see “Making fields required or optional” on page 151.
• Default value - Is a default value defined or is it blank?
• Encrypted - If the field is defined as a simple string or long string data type, decide if the field values
should be further secured by using encryption. For more information, see “Encrypting field values” on
page 151.
• How many fields are included in the field group - how many new fields will the new field group contain?
If you are creating more than one new field for an object, consider categorizing collections of object
field definitions in the same field group for ease of maintenance.
• Object view - Which view pages will display the new field? Views include Detail, Folder, or List. A custom
form or survey can only have a detail view page. For more information, see “Configure views for objects”
on page 236.
• Display order - Where does the new field appear on a view page? What fields should be listed before or
after the new field? If no display order is set, the new field will automatically be displayed at the end of
the list of fields. For details, see “Setting the display order of object types” on page 220.
Example
Suppose you want to add an Owner field to several object types. You can either modify the field group for
each object type by adding an Owner field, or you can create a generic Owner field and field group for all
object types and reuse it later if you want to add it to an object.
To simplify the work, follow the generic approach and create a generic field that can be added to any
object type.
The new field needs a field group and a generic name. Name the field group Custom Fields and the name
of the field Owner. The field name is important because it is the initial label that appears next to the field
wherever the field displays in the application. If necessary, you can modify the label text at a future time.
For details on modifying label text, see the chapter, Chapter 13, “Localizing text,” on page 277.
The Owner field will be used to capture a name, so the data type for this field will be Simple String. Since
the Owner field is considered important, make it a required field so the user must enter a name into the
field before they can save and exit the page. No default value will be set for the field so the field will
appear empty.
To complete the planning, there are no other fields to be added to the Custom Fields field group (Owner
is the only field). The new Owner field will only be displayed on the detail page of the Business Entity and
Issue object types (this also includes the add and edit pages).
When the Cognos framework model is generated, the Test Result field is converted to the query item
"TR_TEST_RESULT".
When the Cognos report is run, the "TR_TEST_RESULT" field column header displays as "Test Result Test
Result" by default.
If a long field definition name is required, create the name with unique characters at the beginning of the
name, such as "2008 Total Actual Financial Loss" instead of "Total Actual Financial Loss 2008".
Before adding fields to an object type, run the Schema Analysis report to determine the number of object
fields that can be added to an object type.
The report shows how many object fields:
• Are currently configured for an object type
• Can "safely" be added to extend that object type
In general, 350 is the threshold limit for the number of fields that can be added to an object type when
the average of all field names is 22 characters in length. By keeping the average field name short, it might
be possible to include more than the 350 threshold limit for the number of fields.
Important:
Calculations on the Schema Analysis report use and display 175 as the threshold limit rather than 350.
You can add more fields than the report shows.
Additionally, each currency field within an object type equates to six fields. This is because each currency
field has six distinct columns within the database RT_ table. These six columns equate to the core
currency field and its five subfields: Local Amount, Local Currency Code, Exchange Rate, Base Amount,
and Base Currency Code.
The Schema Analysis report is accessed through the Cognos Analytics portal. The Report lists all object
types, in alphabetical order, that are in the schema. The following example shows the name of each
column in the Report and sample data for the Control object type.
For example, you want to add three currency fields to the Control object type. Because each currency field
equates to six fields, you would be adding 18 fields to the Control object type (3 X 6).
Procedure
1. Click Reporting > Cognos Analytics.
2. Click Team content.
3. On the Team content page, navigate through the links as follows:
OpenPages_Platform_V6 > Administrative Reports
4. On the Administrative Reports page, click the Schema Analysis Report link to run the report.
Procedure
1. Enable System Administration Mode.
2. Click Administration > Field Groups.
3. On the Field Groups table, click Add.
4. On the Field Groups page, type a name for the field group.
5. Click Create.
What to do next
Add field definitions to the new field group. For details, go to “Adding fields to a field group” on page 142.
Procedure
1. Enable System Administration Mode.
2. Click Administration > Field Groups.
3. In the Field Definitions table of the field group, click Add.
Computed Select this box if you want this field to be a computed field. More boxes are
displayed.
Note: This additional
option appears for most For details, see, “Creating computed fields” on page 153.
data types.
Required Select this property if you want the field to require data entry.
Note: This additional For details, see, “Making fields required or optional” on page 151.
option appears for all
data types.
5. Click Create. The new field definition is listed on the Field Definitions table of the selected field group.
6. To add another field definition to this field group, repeat Steps 2, 3, and 4.
7. When finished adding field definitions, add the field group to one or more object types. For details, go
to “Including field groups for an object type” on page 177.
Data types
The IBM OpenPages GRC Platform application provides various data types from which you can choose.
After you select a data type for a field and save it, only the parameters or settings for the data type can be
modified; you cannot change the data type itself.
To display more parameters for a selected data type, click the double arrow icon next to the data type
selector.
Procedure
1. Click Administration > Field Groups.
2. In the Field Groups table, click the name of the field group to which you want to add a currency field.
The page containing information for that field group appears.
3. In the Field Definitions table, click Add. The page containing the information to add the field definition
appears.
4. On the add page:
a) In the Name box, type a name for the new currency field.
b) Select Currency from the Data Type drop-down list.
Important: Do not change or translate currency codes.
c) Check Required if the field is to be a required field.
Note: The Currency data type does not support computed fields. See “Defining a computed field”
on page 155 for information on computed fields.
d) Check Include Conversion if the field is to include currency conversion.
e) Click the >> icon and type the minimum and maximum allowable currency values to be allowed in
the field in the Minimum Value and Maximum Value boxes.
f) Click Create. The system creates the new currency field.
Note:
• If a user enters a value that is either below or above the specified value range, an error message
displays.
• You cannot use non-numeric characters when entering currency values. For example, either 125000
or 125,000 is legal, but not $125000.
• This format is set per User Locale.
• Object fields with this data type cannot be included in the profile of predefined objects or custom
forms that use the supplied JSP file for rendering.
Procedure
1. Click Administration > Profiles.
2. Click the name of the profile that contains both the object type and currency field you want to view or
edit.
3. Click the object type.
For example, to view or edit the currency display type for the Inherent Severity object field, select the
SOXRisk object type.
4. Click the desired object field. The Display Type column of the selected field should be ‘Currency’.
On the detail page of the selected object field, the currency display information appears.
5. To edit the currency display type, complete the following actions:
a) Click Edit.
b) Set the read only value to True or False.
c) To set the field as required, select Required.
d) Click Save.
Procedure
1. Log on to the IBM OpenPages GRC Platform application.
2. From the menu bar, select Financial and click Accounts.
3. From the list, click the name of the account you want to open its details page.
4. Under Account Details, click the Fields link.
5. Select the Actions menu and choose Edit this Account.
6. In the Annualized Value field, change the Currency, Exchange Rate, or USD values as desired.
7. When finished, click Save.
You can add, edit, and enable or disable currency exchange rates.
Use one of the following methods to update currency exchange rates.
• Upload a CSV file with currency exchange rates from:
– The application user interface. For more information, see “Formatting and uploading a CSV file” on
page 149.
– An ObjectManager loader file. For more information, see “Importing exchange rates” on page 610.
Procedure
1. Click Administration > Currencies.
2. On the Currencies page, click Edit.
3. On the Edit Exchange Rate page, edit the currency exchange rates as wanted.
4. Click Save. The edited currency exchange rates appear on the Currencies page.
The file containing the exchange rate currency data must be in a comma separated value (.csv) file that is
formatted in a specific way.
The file must have the following format:
Where:
<start date> Optional. The date the exchange rate was (or will be) applied.
You can use either of the following formats:
• mm/dd/yyyy
• mm/dd/yyyy HH:mm:sss
If no historic date is supplied, the current date is used.
The following data sample from a CSV file shows the ISO currency codes for Euros, Canadian dollars, and
Japanese yen with the corresponding exchange rate for each currency, and the historical date that the
rate was applied for two of the three currencies.
EUR,0.1589,12/26/2007
CAD,0.8636
JPY,0.0083,5/8/2008
Procedure
1. Click Administration > Currencies.
2. On the Currencies page, click Upload.
Procedure
1. Click Administration > Currencies.
2. On the Currencies page, click Enable.
3. On the Enable Currencies page, check all the currencies you want to enable.
4. Optional: Change the exchange rate for any listed currencies.
5. Click Save. The enabled currencies appear on the Currencies table.
You can disable enabled currencies. When you disable a currency it is no longer available to the system.
However, it is not deleted. You can enable it at any time.
Note: You cannot enable or disable the base currency, which is set during installation.
Procedure
1. Click Administration > Currencies.
2. On the Currencies page, click the check box next to the currencies you want to disable. (You can re-
enable these currencies at any time.)
3. Click Disable.
Procedure
1. Click Administration > Field Groups.
2. Click the name of the field group that you want to modify to open its details page.
3. On the Field Group Information table, click Edit.
4. Modify the description as necessary.
5. Click Save.
After you create an object field, you can modify field definition properties.
For any type of object field - modify the description, whether the field is required or optional, and set a
default value for the field (excluding the Date data type). For numeric fields, such as decimal or integer,
change the minimum, maximum, and default values.
For fields with enumerated strings, you can add, delete (if not in use), hide or unhide, and update the
order of the values in the list. For more information, see “Adding enumerated string values” on page 160
Note: You cannot modify the name of any object field or its data type.
You can globally set whether or not all users will be required to enter data in an object field.
When you create a new object field, by default, the Required box is cleared (optional or non-required data
entry).
Note: If you want to require a specific group of users (not all users) to enter data for a field, for maximum
flexibility set the field as required in the profile and not in the field definition (see “Setting a field in a
profile to required or optional” on page 221).
When you set an object field to be required, a red asterisk * displays after the field label in the Add and
Edit pages of the object type. For example, if you were to change the setting of the optional "Additional
Description:" field of the Account object to be a required data entry field, it displays to users as
"Additional Description*:" Users are required to enter information in the field when they created a new
Account object.
You can omit a required field for a particular view if the field is filled in by a trigger or if the field will have
been filled in prior to this view being used to edit the object.
Procedure
1. Click Administration > Field Groups.
2. Click the name of the field group containing the object field that you want to modify.
3. On the Field Definitions table, click the name of the object field you want to modify.
4. On the Field Definition Information table, click Edit.
5. If you want this field to be:
• A required data entry field - select the Required box.
• A non-required (optional) data entry field - clear the Required box.
6. Click Save.
Note: Changing a field to Required also causes all profile references to the field to be required as well.
You can encrypt a simple string or long string field value in the IBM OpenPages GRC Platform repository to
prevent system administrators from viewing confidential data directly from the database. Encrypted field
values are shown as a string of random characters.
Note: Before encrypting long strings in OpenPages running on Oracle 12.1, refer to the following
Technote: http://www.ibm.com/support/docview.wss?uid=swg22010106. The Technote describes a
potential issue and how to resolve it by obtaining the appropriate patch from Oracle support and applying
it to your environment.
Procedure
1. Click Administration > Field Groups.
2. Click the name of the field group that contains the object field that you want to modify.
3. On the Field Definitions table, click the name of the object field you want to modify.
4. On the Field Definition Information table, click Edit.
5. If you want to decrypt this field, clear the Encrypted box.
6. Click Save.
The field is now marked for decryption. The timing of the decryption depends on the status of the field
level encryption keystore:
• If the keystore is enabled, no field values are decrypted until you disable the keystore.
• If keystore is disabled, all field values are decrypted when you save the field definition.
For more information, see “Field level encryption” on page 81.
When you create a new object field, by default, the Default Value property is empty (not populated).
When you set a default value for an object field, that value displays to users in that field. For example, if
you were to set a default value for the "Additional Description:" field of the Account object that contained
the text "Enter any additional information here.", it displays to users when they created a new Account
object.
Restriction: The new default value will only be populated for new instances of an object type. In other
words, if a user attempts to edit an existing object where the value was blank, it will remain blank. The
new default value will be used when a user or administrator creates a new instance of that object type.
For example, if an administrator modifies an enumerated string (dropdown field) on a test object. The new
default value will be populated if new test objects are created. If an end user attempts to edit an existing
test object, the new default value won't be set or modified for it.
You can create, edit, or view an object field whose value is computed from the values of other fields.
These computed fields can exist on either the same object or on another, related object.
Computed fields have the following characteristics:
• Are always read-only.
• Can be used in reports.
• Can be added to the Context, Detail, Activity, List, Home Page Filtered List, Filtered List, Grid and Folder
views in the IBM OpenPages GRC Platform user interface.
• Must have unique field names. Adding more than one computed field with the same field name in the
same view will result in an error.
If you want to import (load) and export (dump) computed field definitions, you must use the
ObjectManager tool. For details, see “Importing computed field definitions” on page 614.
Computed fields require an installed and active Cognos server as they use the Cognos Computation
Handler. If a computed field is executed in the application and the Cognos server is not available, the
following message is displayed to users: Cognos is unavailable. Please contact your System Administrator.
Procedure
1. In Cognos Analytics - Reporting, model the computed field in a calculation object. For details, see
“Modeling a new computed field in Cognos ” on page 153.
2. In the OpenPages GRC Platform application user interface:
a) Define the computed field. For details, see “Defining a computed field” on page 155.
b) Regenerate the reporting framework. For details, see “Updating the reporting framework” on page
686.
You can model an equation in Cognos to define a computed field in the application.
Note: If you do not know how to use Cognos Analytics - Reporting, seek the help of an experienced
Cognos report author or call your IBM representative.
Procedure
1. Log on to the Cognos Analytics portal as an IBM OpenPages GRC Platform user with the locale set to
Report Design Language.
2. Create a list report that you can use to model the computed field equation.
3. Drag the following ID query items onto the report page to establish a context for the calculation:
• An object ID
• A reporting period ID
Example
4. Click Toolbox on the Insertable Objects pane and complete the following actions:
a) Drag a Calculation object onto the report page.
b) At the prompt, type a name.
For example, type Calc-Risk.
5. In the Expression Definition pane of the model, complete the following actions:
a) Enter an expression using model query items from the same namespace, function, or parameters.
The Cognos SQL used to define this computed value can be an existing query item in the published
Cognos framework or an equation involving multiple query items. Some of the predefined database
functions may also be useful for computed fields (such as getting an exchange rate or localizing
strings). For details, see "Using Predefined Database Functions" in the IBM OpenPages Report
Author's Guide.
For example, the following equation returns a value with the percentage by which the inherent
severity of a risk was reduced after associated controls were applied to that risk. Sample output
might be: 2.46.
total ([DEFAULT].[SOXCONTROL].[CN_INHERENT_SEVERITY_REDU]
for [DEFAULT].[SOXCONTROL].[RISK_ID]) / 100
<querySet xml:lang="en-ca">
<BIQuery name="Query1">
<cube>
<factList>
<item refItem="RI_RISK_ID" aggregate="none"/>
<item refItem="REPORTING_PERIOD_ID" aggregate="none"/>
<item refItem="Calc-Risk" aggregate="none"/>
<tabularModel>
<dataItem name="RI_RISK_ID">
<expression>[DEFAULT].[SOXRISK].[RI_RISK_ID]</expression>
</dataItem>
<dataItem name="REPORTING_PERIOD_ID">
<expression>[DEFAULT].[SOXRISK].[REPORTING_PERIOD_ID]</expression>
</dataItem>
<dataItem name="Calc-Risk">
<expression>total ([DEFAULT].[SOXCONTROL].[CN_INHERENT_SEVERITY_REDU]
for [DEFAULT].[SOXCONTROL].[RISK_ID]) / 100</expression>
</dataItem>
</tabularModel>
</querySet>
Note: Because the values in the Report Specification XML window cannot be selected, you can copy
the report specification to the Clipboard (Tools | Copy Report to Clipboard) and then paste the
information into a text document. Then, you can copy the attribute values into the application user
What to do next
In OpenPages GRC Platform, define the computed field. For more information, see “Defining a computed
field” on page 155.
Procedure
1. Click Administration > Field Groups.
2. Click the name of the field group in which you want to include the new object field.
3. On the Field Definitions table, click Add.
4. In the Name box, type a name for the new computed field.
5. In the Description box, optionally type some descriptive text.
6. Click the Data Type arrow and use Table 51 on page 155 to select a data type for the new computed
field.
Decimal Any numbers Takes any number string and parses it, localizes
it, and displays it.
Integer Whole numbers Takes a whole number string and parses it,
localizes it, and displays it.
Simple String Any Can be used for any computed field. Takes the
result of the computation engine and displays it.
This will not be localized - it displays the exact
output of the computation.
If the field is any other data type, use the Simple String data type.
7. Click the double arrow icon next to the selected data type to display additional parameters.
8. Select the Computed option to make the new field a computed field.
When you select Computed, the Required option disappears and the Cognos Computation Handler
attribute fields appear.
If you modeled the computed field in Cognos Analytics - Reporting, the values displayed in the Report
Specification XML window are not selectable (see “Modeling a new computed field in Cognos ” on
page 153). You can copy the report specification to the Clipboard (Tools | Copy Report to Clipboard)
10. Enter a value in the Primary Namespace box. The Primary Namespace is the Cognos framework
namespace in which the computation is to be performed.
Note: All referenced query items in the values for Equation, Object ID Column, and Reporting Period
ID Column must be in the same namespace.
For example, DEFAULT.
11. Enter a value in the Alternate Namespaces box if necessary.
The Alternate Namespace is the Cognos framework namespaces to which the computation will be
added during reporting framework generation.
Note: See “Using computed fields with multiple namespaces” on page 156 for an explanation of why
a computed field might need alternate namespaces.
12. Enter a value in the Object Id Column box. The Object ID Column is a reference to a Cognos
framework query item that contains the Resource ID of the computed field's object type. This value
must be the same for all computed fields in a given namespace for an object type.
Example: [DEFAULT].[SOXRISK].[RI_RISK_ID]
13. Enter a value in the Reporting Period Id Column box. The Reporting Period ID Column is the Cognos
framework query item that contains the Reporting Period Id of the computed field's object type. This
value must be the same for all computed fields in a given namespace for an object type.
Important: The Resource ID and Reporting Period ID must match within the field group and object
type. If these values do not match, the validation will fail.
For example, [DEFAULT].[SOXRISK].[REPORTING_PERIOD_ID]
14. Enter the package label of the reporting package that the field is run against in Package Name. The
value is case sensitive. The package label for a framework model is defined in the Administration >
Settings > Platform > Reporting Framework V6 > Models > [model name] > Package Label setting.
If Package Name is empty, the package for the OPENPAGES_FRAMEWORK_V6 framework model is
used.
15. Click Create. IBM OpenPages GRC Platform will then validate the equation against the primary and
alternate namespaces.
16. Regenerate the reporting framework to make the computed field available to report authors. For
details, see “Updating the reporting framework” on page 686.
Use:
average (Loss Impacts for Loss Events) * count (distinct Loss Impacts for
Loss Events)
Procedure
1. From a browser, log on to the Cognos Analytics portal as a user with administrative privileges, for
example, OpenPagesAdministrator.
By default, the URL is:
http://<hostname>/ibmcognos/bi (if you are using port 80 for Cognos)
Where <hostname> is the name of the Cognos server.
You can add new values to an existing list of enumerated string values at any time. The modifications you
make to values in a list are globally applied to all instances wherever that field group is in use.
For example, you created an object field called "Rating" that was an Enumerated String data type. When
the field was initially created, it was given the following values: High, Medium, and Low. Because of
changing business needs, you want to add a new value of "Unknown" to the list. You could add this new
value at any time and have it immediately displayed to users as a selection in the list of values.
When you add a new string value to an existing list of values:
• The value is immediately displayed to users for selection in the list of values
• The new value is added to the end of the value list
Procedure
1. Click Administration > Field Groups.
2. On the Field Groups table, click the name of the field group in the list that contains the field you want
to modify.
3. On the Field Definitions table of the selected field group details page, click the name of the field that
contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a) Click Add.
b) In the Name box, type a value for the new string.
c) Click Create.
5. To change the order number of the string values, see “Changing the order of enumerated string values”
on page 160.
You can define a default value for an enumerated string value. When you define a default value, it is
automatically applied to new objects that you create, but it is not applied to existing objects.
If you define a multi-select enumerated field value as the default value, and the field is hidden, users can
see the hidden field value in the Add New wizard because the default attribute overrides the hidden
attribute.
Procedure
1. Click Administration > Field Groups.
2. On the Field Groups table, click the name of the field group in the list that contains the field you want
to modify.
3. On the Field Definitions table of the selected field group details page, click the name of the field that
contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page, click Edit.
5. Update the Default Value.
6. Click Save
Procedure
1. Click Administration > Field Groups.
2. On the Field Groups table, click the name of the field group in the list that contains the field you want
to modify.
3. On the Field Definitions table of the selected field group details page, click the name of the field that
contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a) Find the rows containing the string value whose list order you want to change.
b) In the Order boxes, type a new order number for the values.
c) Click Update Order.
You can hide obsolete or unwanted string values from a list of enumerated string values.
When you hide a string value from a list:
• For new instances of an object, the value or values are immediately hidden from selection by users on
the list of values.
• For existing instances of an object, if the value or values were previously selected by users (that is,
before the value was hidden), the value or values are still displayed in the list and are available during
editing for selection by users.
• The "Hidden" column on the Enumerated String Values table changes from "false" to "true".
If you define a multi-select enumerated field value as the default value, and the field is hidden, users can
see the hidden field value in the Add New wizard because the default attribute overrides the hidden
attribute.
Procedure
1. Click Administration > Field Groups.
2. On the Field Groups table, click the name of the field group in the list that contains the field you want
to modify.
3. On the Field Definitions table of the selected field group details page, click the name of the field that
contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a) Select the box next to the value or values you want to hide from the list. The "Hidden" column for
the value will be set to "false".
b) Click Hide/Unhide. The "Hidden" column for the value changes to "true".
Note: The Hide/Unhide icon toggles between Hide and Unhide depending on the current setting.
Procedure
1. Click Administration > Field Groups.
2. On the Field Groups table, click the name of the field group in the list that contains the field you want
to modify.
3. On the Field Definitions table of the selected field group details page, click the name of the field that
contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a) Select the box next to the hidden value or values you want to display from the list. The "Hidden"
column for the value will be set to "true".
b) Click Hide/Unhide. The "Hidden" column for the value changes to "false".
Note: The Hide/Unhide icon toggles between Hide and Unhide depending on the current setting.
You can only delete an enumerated string value from a field definition if the field group containing the field
is not in use.
A deleted string value is permanently removed from the list and cannot be retrieved. If the field group is in
use, Delete remains disabled and you can only hide any obsolete or unwanted string values from view. For
details see, “Hiding enumerated string values” on page 161.
Procedure
1. Click Administration > Field Groups.
2. On the Field Groups table, click the name of the field group in the list that contains the field you want
to modify.
3. On the Field Definitions table of the selected field group details page, click the name of the field that
contains the enumerated string that you want to modify.
4. On the Enumerated String Values table of the field definition details page:
a) Select the box next to the name of the value you want to remove - Delete becomes enabled.
Note: If Delete remains disabled, the field group to which this field definition belongs is in use and
you cannot delete the value.
b) Click Delete.
Limitations
Use the following configuration tasks to set up new reporting fragment fields.
Fragment Required. The unique name of the particular report component Cognos Analytics -
Name (such as a ’Pie Chart’, ‘List’, ‘Combination Chart’, and so forth). Reporting, Report Page
“Defining the reporting fragment name” on page 166
Object ID Required only if the report prompts users to select a resource Cognos Analytics -
Prompt (such as ‘Entity’, ‘Process’, and so forth) before running the Reporting, Prompt Page
report.
Otherwise, leave this field blank.
“Defining the object ID prompt” on page 167
Reporting Required only if the report prompts users to select a reporting Cognos Analytics -
Period ID period before running the report. Reporting, Prompt Page
Prompt
Otherwise, leave this field blank.
“Defining the reporting period ID prompt” on page 167
Procedure
1. Access the Field Groups page. See “Adding field groups” on page 142.
2. To include the reporting fragment field in an existing field group, click the name of the field group.
3. To include the reporting fragment field in a new field group, see “Adding field groups” on page 142.
4. On the detail page of the field group, navigate to the Field Definitions pane and click Add.
5. On the field definitions detail page, type the name of the object field.
6. Click Reporting Fragment from the Data Type field.
7. Click the double arrow next to the data type selector to display additional parameters.
Note: Keep the browser window open because you will return to it.
3. In the Actions column for the report, click the Set Properties icon .
4. On the Set Properties page of the report, select General.
5. Click the View the search path, ID and URL link.
6. In the View the search path, ID and URL window, copy the text in the Search path field.
The following example is a sample search path text for the Risk Assessment Status report.
/content/folder[@name='OPENPAGES_PLATFORM']/folder[@name='Risk
Assessment Reports']/report[@name='Risk Assessment Status']
7. In OpenPages GRC Platform, go to the Reporting Fragment field definitions detail page and paste the
search path text into the Report Path field.
8. In the Cognos Analytics portal, close the View the search path, ID and URL window. Exit the "Set
properties" page (do not exit Cognos).
Procedure
1. In Cognos Analytics - Reporting, open the report containing the component you want:
a) On the Team Content tab, navigate through the folder hierarchy to where the report you want is
saved.
For example, Team Content > OpenPages Solutions V6 >
Risk Assessment Reports > Risk Assessment Status
b) Under the Actions column for the report you want, click Edit report.
2. In edit mode, select the component you want to use for the Reporting Fragment field (such as a List, a
Chart, a Crosstab, and so forth.)
3. Verify that the entire component is selected:
a) Click Show Properties in the application bar.
b) In the Properties pane, look at the title bar. It should display the name of the selected component,
such as Pie Chart, List, Combination Chart, and so forth.
To define the Object ID Prompt, the steps in this task require going back and forth between the Cognos
Analytics portal and the IBM OpenPages GRC Platform application user interface.
Note: This task is required only if a report prompts users to select a resource (such as Entity, Process, and
so forth) before running the report. Otherwise, skip this task and leave the field blank.
Procedure
1. In Cognos Analytics - Reporting, open the report:
a) On the Team Content tab, navigate through the folder hierarchy to where the report you want is
saved.
For example, Team Content > OpenPages Solutions V6 >
Risk Assessment Reports > Risk Assessment Status
b) Under the Actions column for the report you want, click Edit report.
Procedure
1. In Cognos Analytics - Reporting, open the report:
a) On the Team Content tab, navigate through the folder hierarchy to where the report you want is
saved.
For example, Team Content > OpenPages Solutions V6 >
Risk Assessment Reports > Risk Assessment Status
b) Under the Actions column for the report you want, click Edit report.
When defining the reporting fragment size, if you leave the pixel values for height and width blank (this is
the default), the pop-up window is sized automatically.
This task is optional. Use if you want to manually control the height and width of the pop-up window for a
reporting fragment field.
Procedure
1. In IBM OpenPages GRC Platform, on the Reporting Fragment field definitions detail page:
a) In the Height box, type a numeric value for the pixel height of the reporting fragment.
b) In the Width box, type a numeric value for the pixel width of the reporting fragment.
2. Click Save.
labelKey attribute
Identifies the application text key for the localized URL text. If it is omitted, the label defaults to Go.
path attribute
Specifies the relative path to the target JSP, report, or application object view. If the target is a JSP, then it
must be in a folder that is under the sosa application deployment folder. The path attribute is required.
The application root is automatically prepended to the specified path by the application. The application
root is determined from the application.url.path property in the sosa.properties configuration file.
The path value must contain the leading slash. For example, "path" : "/custom/mycustom.jsp",
modes attribute
Controls whether the URL launcher field is available in edit or view mode.
In order for a URL launcher field to appear in an Activity View Child Hierarchy pane, the "Edit" mode must
be included.
parameters attribute
Contains the list of request parameters that are assembled to create the query string of the URL. The
parameters are specified as a list of key-value pairs. In most instances, the key names can be anything
that you define.
conditions attribute
Defines conditions that must be met in order for the URL to be active.
The conditions can include the following:
• Whether the Reporting Period selected is the current period.
• Whether the target object is locked.
• Whether the value of a specific field matches a value.
• Whether the value of a specific field matches the name of the current user.
• Whether the current user is a member of the group name set in a specific field.
Any subset of the available conditions can be included in the URL configuration string. These conditions
are evaluated in the order in which they appear in the string. Each condition can optionally include a
labelKey that contains an application text string that is displayed when a condition is not met, for
example, "Available only for the Process Owner." If the labelKey is omitted, the key for the field is applied.
Multiple conditions of the same type can be used, except for the objectState and reportingPeriod
conditions. You can use only one objectState and one reportingPeriod.
Most errors in the configuration of a condition cause a positive failure in the condition and evaluate to
true. The errors are logged. Thorough testing of both positive and negative cases is encouraged to ensure
the expected behavior.
reportingPeriod condition
The reportingPeriod condition is met when:
• The value of "isCurrent" is true and the user is in the current Reporting Period.
• The value of "isCurrent" is false and the user is in any previous Reporting Period.
objectState condition
The objectState condition is met when:
• The value of "isUnlocked" is true and the current object is not locked.
• The value of "isUnlocked" is false and the current object is locked.
fieldValue condition
The fieldValue condition evaluates the value of the field against the value that is specified by the value
attribute by using the specified operator. The target field is identified by using the
popUp attribute
Controls the behavior of the new window. The "windowAttributes" string determines the characteristics,
such as size and scroll bars, of the new window that is created when the user clicks the hyperlink. The
popUp attribute is optional.
$ {
"labelKey" : "custom.url.labelForMyCustomUrl",
"path" : "/custom/mycustom.jsp",
"modes" : ["edit", "view"],
"parameters" :
{
"objId" : "$objectId",
"repId" : "$reportingPeriodId",
"isRisk" : "true" ,
"includeVersions" : "false"
},
"conditions" :
{
"reportingPeriod" :
{
"isCurrent" : true/false, // no quotes for boolean values
"labelKey" : "custom.url.label.invalid.ReportingPeriod"
},
"objectState" :
{
"isUnlocked" : true/false, // note the UN-locked designation
"labelKey" : "custom.url.label.object.locked"
},
"fieldValue" :
{
"field" : <"FieldGroup.FieldName">,
"value" : "$currentUser",
"operator" : "equal", // supported operators include "equal" and
"notEqual"
"labelKey" : "custom.url.label.invalid.user"
}
"fieldValue" :
{
"field" : <"FieldGroup.FieldName">,
"value" : true,
"labelKey" : "custom.url.label.invalid.value"
}
"fieldValue" :
{
"field" : <"FieldGroup.FieldName">,
"value" : "Undifferentiated",
"operator" : "notEqual",
"labelKey" : "custom.url.label.invalid.value"
}
},
"popUp" :
${
"labelKey": "report.name.security.domain.role.assignments",
"path": "/report.tree.post.do",
"modes": ["view"],
"parameters": {
"reportPath": "/_cw_channels/Reporting/SOX/OpenPages V6/Audit Reports/Security/Security
Domain Role Assignments.pagespec",
"label": "Current Reporting Period",
"submitAction": "preview",
"actionContext": "preview",
"entity_id": "$objectId"
},
"conditions": {
"fieldValue": {
"field": "OPSS-BusEnt.Executive Owner",
"value": "$currentUser",
"operator": "equal",
"labelKey": "custom.url.invalid.user"
}
}
}
$ {
"labelKey" : "url.custom.jsp",
"path" : "/custom/custom.jsp",
"modes" : [ "view", "edit" ],
"parameters" :
{
"Risk Category" : "Damage to Physical Assets",
"Risk Sub-category" : "Willful Damage"
}
}
Procedure
1. Under Administration, click Application Text.
2. In the Custom line, click Add New.
3. Enter the key value in Name.
4. Enter useful information, for example, the URL field that uses the key, in Description.
5. Enter the label text in Default Label.
6. Click Create.
7. Expand the new key, and add the translated text.
8. Repeat theses steps for each key in the URL configuration string.
Procedure
1. Under Administration, click Field Groups.
2. Click Add.
3. Enter a Name and Description for the field, and click Create.
4. In the list of field groups, click the field group that you added.
5. In the Field Definitions table, click Add.
6. Enter the information for the field:
a) Enter a system name for the field.
b) In the Data Type box, select Simple String, and click the arrow to add it.
c) Set the Default Value to the URL configuration string.
d) Clear the Required and Computed boxes.
e) Click Create.
Procedure
1. Under Administration, click Object Types.
2. Select the object type that you want to add the URL launcher field to.
3. In the Included Field Groups section, click Include, select the field you created in “Adding a URL
launcher field ” on page 173, and click Add.
4. Under Administration, click Profiles.
5. Select a profile you want to update.
6. Click the object type that contains the new field.
7. Click Include, select the new field, and click Include.
8. Click the newly added field, and in the Object Field Information pane, click Edit.
9. Change the Display Type to URL, and click Save.
10. Go back to the profile detail page and click the name of a view that you want to add the field to.
11. In the Included Field Groups section, click Include, select the new field, and click Include.
12. Select Read-Only for the field, and click Save.
If a field group has never been associated with an object type (that is, it has never been used), you can
then delete it.
When you delete a field group, the field group is removed from the list of available field groups on the
Field Groups page and cannot be restored to the list.
Procedure
1. Enable System Administration Mode.
When you delete a field, the definition of the field is removed from the field group to which it belongs.
You can only delete field definitions from a field group that are not in use. After a field definition is
deleted, it cannot be restored.
Procedure
1. Access the Field Groups page (see “Adding field groups” on page 142).
2. Click the name of the field group you want to modify to open its details page.
3. Click the box next to the name of each field definition you want to delete.
4. Click Delete.
A long string field is assigned to the long string data type. Long string fields allow users to enter more than
4000 bytes in a single field.
You can encrypt long string fields up to a maximum of 2 MB in the IBM OpenPages GRC Platform
repository.
There are two sub types of the long string field: medium and large. The size of medium long string fields is
fixed to 32 KB. The size of the large long string fields is set by default to 256000 bytes, but that can be
increased by changing the Platform > Repository > Resource > Large Text > Maximum Size setting.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in the
path.
Note:
• For more information about long string data types, see “Data types” on page 143.
• For more information about setting display types for long string fields, see “Configuring display types for
long string fields” on page 271.
• For more information about filtering on long string fields, see “Utilities for filtering on long string field
content in an Oracle database” on page 451 and “Utilities for filtering on long string field content in a
DB2 database” on page 404.
• For more information about concatenating simple string fields into a long string field, see “String
concatenation utility” on page 457
• For more information about encrypting fields, see “Field level encryption” on page 81.
An object type is identified in the application by the Object Type icon . Each object type includes field
groups and associations to other objects.
For custom forms, such as surveys, you must add an object type for each custom form that you create. For
more information, see “Tasks required to set up custom forms” on page 187.
Related information
• Configuring groups and fields for an object type, see Chapter 9, “Fields and field groups,” on page 137.
• Customizing text labels for object types, see Chapter 13, “Localizing text,” on page 277.
• Configuring facts and dimensions in the reporting framework, see “Facts and dimensions” on page 661.
Note: If the same management operation is being modified by another administrator, an error message is
displayed requesting that you try again later.
SOXIssue Issue
SOXDocument File
SOXExternalDocument Link
Table 55: Platform object types (continued)
Icon Object Name Singular Label
SOXSignature Signature
SOXMilestone Milestone
Note: The SOXProject object type is for system use only; it is the master parent object type for all top level
Business Entities and Milestones.
Procedure
1. Log on to the IBM OpenPages GRC Platform as a user with the Object Types application permission
set.
Procedure
1. With the Object Types application permission set, click Administration from the menu and click
Object Types.
2. Click the name of the object type to modify.
3. Click Edit.
4. Make the necessary changes.
5. To save an older version of this object type, select the Save older versions of this object type? check
box. If this box is not checked, the old version is overwritten.
6. Click Save.
Note: To change label text for an object type, see Chapter 13, “Localizing text,” on page 277.
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, click Administration from the menu and click
Object Types.
3. From the list, click the name of the object type.
4. On the Included Field Groups panel, click Include.
5. Select the field groups to include.
6. Click Add.
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, select Administration from the menu bar. Click
Object Types.
3. From the list, click the name of the object type to modify.
4. Navigate to either the Child Associations tab or Parent Associations tab on the Object Type
Information detail page.
5. From the list of associated object types, click the name of the object type to disable.
6. On the Association Detail Info page, click Disable. The icon changes to Enable.
7. To add the object relationship changes to reports, complete the following tasks:
a) Update the Reporting Schema. For details, see “Creating or recreating the reporting schema” on
page 91.
b) Regenerate the reporting framework. For details, see “Updating the reporting framework” on page
686.
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, select Administration from the menu and click
Object Types.
3. From the list, click the name of the object type to modify.
4. Navigate to either the Child Associations tab or Parent Associations tab on the detail page of the
selected object type.
5. From the list of associated object types, click the name of the object type to enable.
6. On the Association Detail Info page, click Enable.
7. To add the object relationship changes to reports, complete the following tasks:
a) Update the Reporting Schema. For details, see “Creating or recreating the reporting schema” on
page 91.
b) Regenerate the reporting framework. For details, see “Updating the reporting framework” on page
686.
Procedure
1. From the menu bar, click Administration > Settings.
2. To specify the number of child objects to associate before background processing begins:
Applications > Common > Max Child Associations Interactive . The default is 250.
3. To specify the transaction timeout for the background process, click Platform > Processes >
Associate Resources > Transaction Timeout. The default is 21600 seconds.
To show the Transaction Timeout setting, change the value of Applications > Common >
Configuration > Show Hidden Settings from false to true. The default value is false.
4. To specify the email settings for the email server configuration, click:
• Applications > Common > Email > Mail Server
• Applications > Common > Email > SMTP Password
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, select Administration from the menu and click
Object Types.
3. Click the name of the parent object type with the child relationship to modify.
4. On the Child Associations panel, select the child object to modify.
5. Click Edit.
6. Select a value in the Relationship Type field.
7. Click Save.
Procedure
1. Create a field group and name it. See “Adding field groups” on page 142.
2. Add a field definition to the new field group and name it.
a) Select the Enumerated String data type.
b) Add a value for Draft and a value for Published . See “Adding fields to a field group” on page
142.
Related tasks
“Configure the Save As Draft feature for new objects” on page 183
“Adding the field to the object type and profile to configure the Save As Draft function ” on page 184
Procedure
1. Click Administration > Settings.
Adding the field to the object type and profile to configure the Save As Draft function
The third task in the Save As Draft configuration is to add the new field to the object type and profile.
Procedure
1. Enable System Admin Mode. See “Enabling and disabling System Administration Mode” on page 17.
2. For each object type to enable the Save As Draft icon, include the new field group.
For example, include the field group called DraftGroup. See “Including field groups for an object
type” on page 177.
3. Disable System Admin Mode.
4. Include the new field.
For example, include the field that is called Draft Status, in a profile. See “Including fields in an
object type” on page 219.
Note: Unless you want the field to be visible to users, the field does not have to be included on a View
page for Save As Draft to be displayed.
Related tasks
“Creating a field group and field for a Save As Draft configuration” on page 183
“Configure the Save As Draft feature for new objects” on page 183
Procedure
1. With the Object Types application permission set, select Administration from the menu and click
Object Types.
2. Click the name of the object type to modify.
3. On the Parent Associations panel, click the name of a parent object type.
4. On the Association Detail Info panel, click Edit.
5. In the Min Parents box, type 0 (for standalone) or 1 (to prevent a stand-alone object type).
6. Click Save.
7. For multiple parent objects, repeat Steps 3 - 6 for each parent object.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the name of the parent object type whose child relationships you want to modify.
3. On the Child Associations tab, click the name of the child object type you want to modify.
4. On the Association Detail Info tab, click Edit.
5. In the Max Parents box, enter 2147483647 (for shared) or 1 (for not shared).
6. Click Save.
7. If you more than one child objects for which you want to restrict the parent object relationship, repeat
Steps 3 - 6 for each child object.
Procedure
1. With the Object Types application permission set, select Administration from the menu and click
Object Types.
2. Click SOXDocument.
3. On the File Types Information panel, click Add New.
4. In the MIME Type field, type a MIME content type and subtype. For example, image/cgm.
5. In the File Extension field, type a file extension that corresponds to the MIME Type. For example, cgm.
6. Click Create.
What to do next
To associate the new file type with the SOXDocument object type, see “Associating a file type with an
object type” on page 186.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the SOXDocument object type.
3. On the File Types Information tab, click Include.
4. From the list on the Select File Type Information page:
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the SOXDocument object type.
3. On the File Types Information tab:
a) Select the check box next to the name and MIME type you want to remove.
b) Click Exclude.
Results
The associated file type is removed from the list on the File Types Information tab of the SOXDocument
object type.
Note: Files might still be discovered after the extension of these files is excluded from search. If a file
extension is associated with more than one MIME type, then files with this extension are still discovered
until all associated MIME types are excluded or are disabled from search. Follow the procedure
“Removing a file type from other object types” on page 187 with each associated MIME type to remove
the types from searches. For more information, see “Enabling attachment file types for global search” on
page 362.
Procedure
1. Move the MIME type from the exclusion list to the inclusion list.
2. Disable the MIME type.
3. Move the MIME type back to the exclusion list.
4. Run the Update command.
For more information, see “Enabling or disabling object types or fields for global search” on page 363.
To set up custom forms, such as surveys, you must complete many tasks.
Note: If you imported a custom form through the ObjectManager, perform Task 6.
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, select Administration from the menu and click
Object Types.
3. On the Object Types pane, click Add.
4. On the add page, complete the following steps:
a) Type a name for the new object type.
The name must start with a letter, and can only contain letters, numbers, and the underscore (_)
character. The name is also used as the initial label for the object type and cannot be modified after
it is created.
Examples include:
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, select Administration from the menu and click
Object Types.
3. Select the object type to delete..
4. On the Object Types tab, click Delete.
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, select Administration from the menu and click
Object Types.
3. Click the name of the object type to modify.
4. On the Child Associations tab, click Add.
5. On the Available Custom Forms page, select each custom form to associate with the selected parent
object type.
6. Click Add.
Procedure
1. Enable System Administration Mode.
2. With the Object Types application permission set, select Administration from the menu and click
Object Types.
3. Click the name of the custom form object you want to modify.
4. On the Parent Associations tab, click Add.
5. On the Available Object Types page, select each parent object where the object type will be attached.
6. Click Add.
Filter considerations
Before you create a filter, determine the characteristics of the filter and identify the object type on which
the new filter is used.
For instructions on creating a filter, see “Adding filters to object types” on page 191.
The following list identifies information that you need before you create a new filter:
• Object type - Which object type will the filter be used with?
• Name - How will the new filter be identified? The name of the filter is important because it is also the
initial label that will appear for the filter in the application.
• Profiles - Which profiles will be associated with the filter?
• Filtering criteria - Which fields are used in the filter criteria to narrow the scope of data returned by the
search?
• Views - Which type of view page in a profile will use the filter (Grid View, Filtered List View, Home page,
Activity View)?
Example
You create a filter for risk assessments called "In Progress" that displays all risk assessments due within
the next three months, and has the following selected fields and values:
If you associate this filter to a Filtered List View in the "Assessors" profile, application users who are
assigned the Assessors profile would then be able to select this filter from the Risk Assessment Filtered
List View filter selection list and from any Risk Assessment Grid View for that profile.
Procedure
1. Access the Object Types page (see “Accessing object types” on page 176).
2. From the list, click the name of the object type you want to modify.
3. On the Filters tab of the selected object type, click the plus sign icon.
4. On the Add Filter page:
a) Click the Field field and select a key field from the list.
Common fields are listed first, followed by fields specific to the object type.
b) In the same row as the key field, specify a search condition.
The available search conditions change depending on the selected field. For example, for a name
field, the options are Starts with, Contains, and Equals, with a following text box in which to enter
a value.
Note: Text is not case sensitive.
calendar icon or a text box for date ranges. Click the calendar icon to select specific dates,
or select a search condition (such as Within the
last) and then enter a value.
Text box for numeric values (used in computed Select a search condition (such as =) and then
fields) enter a value.
Important: For limitations on the special characters in filters for long string fields, see “Limitations
on special characters in filters for long string fields” on page 192.
c) To add another row and key field on which to search, click the Add link and repeat step 4.
By default, all the rows are connected (by their sequential number) with an AND operator (for
example 1 AND 2 AND 3). That is, all of the conditions specified must be true.
For details on specifying more complex logic for your filters, see “Using complex logic in a search
filter” on page 195.
d) Click Save.
5. To associated the filter with a view, see “Tasks to associate filters with views” on page 196.
6. To create a duplicate filter using the new filter as a template, see “Copying filters” on page 196
7. To localize the display name of a filter, see “Modifying display text for public filters” on page 280.
Reserved characters
Table 60: Reserved characters that have special meaning in the filters
Reserved
character Description
_ An underscore is used as a single character wildcard.
% A percent sign is used as a multiple character wildcard.
Table 61: Special characters that are not supported in search filters
Special
Character Description
& Ampersand
@ At symbol on keyboard
! Exclamation point or bang
\ Backward slash
^ Caret or circumflex
: Colon
; Semicolon
, Comma
- Dash
> Greater than sign
< Less than sign
( Opening parenthesis
) Closing parenthesis
= Equal sign
| Pipe or vertical bar
+ Plus sign
# Pound or number sign, hash symbol
? Question mark
~ Tilde or equivalency sign
` Grave accent
The following reserved words are not supported in the search filter and should not be used:
• ABOUT
• ACCUM
• AND
• BT
• BTG
• BTI
• EQUIV
• FUZZY
• HASPATH
• INPATH
• MDATA
• MINUS
• NEAR
• NOT
• NT
• NTG
• NTI
• NTP
• OR
• PT
• RT
• SQE
• SYN
• TR
• TRSYN
• TT
• WITHIN
Procedure
1. In a Filter window (adding or editing a filter), click Use Complex Logic.
2. In the Logic text box, modify the search expression as wanted using the logical operators.
To close the Logic text box and revert to the default search logic, click Clear Complex Logic.
3. Click Save or select from Actions menu.
Examples
• You have 3 search fields defined in your filter. By default, the system uses only the AND operator so it
would retrieve objects that only matched all 3 fields (1 AND 2 AND 3). If, however, you wanted to
broaden the search so it included field 1 and either fields 2 or 3, use the OR operator to modify the
search to retrieve all objects that matched field 1 and matched either fields 2 or 3.
To do this, create the logical expression: 1 AND (2 OR 3).
• You want to find open Issue objects that are not assigned to you. To create such a filter, you would
select the "Issue Status" field and choose the "Open" value (this is field 1). Then select the "Assignee"
field and choose your name from the Select the user window or click the End User link (this is field 2).
To exclude your name from the search results, in the Logic text box, you would type 1 AND NOT 2.
Note: The NOT operator does not return objects that have an empty, blank, or null value in the selected
field criteria. This means that any unassigned Issue objects (that is, the "Assignee" field was empty or
blank), would be excluded from the search results.
Procedure
Complete one of the following actions:
• Change the display type of the field from "Text" to one of the following display type options:
– User Selector
– User Dropdown
– User/Group Selector
– Group Selector
and then click the End User link. The End User value that is displayed in the box will resolve to the
currently logged-on user. For details on modifying a display type for a field, see “Configuring display
types for simple string fields” on page 262.
– Multi User Selector
– Multi Group Selector
– Multi User/Group Selector
• Type the following code into the text box of the object-specific field:
##{logged in user}##
Copying filters
You can save an existing filter with a new name to use as a template.
Note: Because filters contain object-specific fields, you can only copy filters within the same Object type;
you cannot copy filters between Object types.
Procedure
1. With the Object Types application permission set, select Administration from the menu and click
Object Types.
2. From the list, click the name of the Object type to modify.
Results
The new filter is now available in the Filters tab. For instructions on specifying filters and using complex
logic in filters, see “Adding filters to object types” on page 191 and “Using complex logic in a search filter”
on page 195.
To display the new filter in the list of Saved Filters on an Filtered List View page, add it to a profile. For
details, see “Associating filters to Filtered List view and Grid view pages” on page 248.
Modifying filters
After you create a filter, you can modify it. The modifications, once saved, are immediately used in the
application.
Procedure
1. With the Object Types application permission set, select Administration from the menu and click
Object Types.
2. Click the name of the Object type to modify.
3. On the Filters pane, click the filter to edit.
4. Make the required changes.
5. Click Save.
Results
To modify a localized display name of a filter, see “Modifying display text for public filters” on page 280
For instructions on specifying filters and using complex logic in filters, see “Adding filters to object types”
on page 191 and “Using complex logic in a search filter” on page 195.
To display the filter in the list of Saved Filters on an object’s Filtered List View page, add it to a profile. For
details, see “Associating filters to Filtered List view and Grid view pages” on page 248.
Deleting filters
When you delete a filter for an Object type, it is permanently deleted from the system and cannot be
restored.
If the filter is associated with object views in a profile (such as a Filtered List View, Grid View, or table on
the My Work tab of a Home page), the filter, when deleted, is immediately removed from the view and is
no longer available to users who are assigned that profile.
Procedure
1. With the Object Types application permission set, select Administration from the menu and click
Object Types.
2. Click the name of the object type to modify.
3. On the Filters tab, select the filters you want to delete.
4. Click Delete.
Example
You want to know who performs a control activity if a user selects No to the question Does the Control
Owner perform the Control?.
You could configure the behavior of the field Does the Control Owner perform the Control? to be
dynamic so that the field is both visible and required only if the user selects No to the question Does the
Control Owner perform the Control?. If the user selects Yes, then this field would remain hidden from
the user.
The Does the Control Owner perform the Control? field is considered the dependent field as the
behaviors of this field (Required and Visible) depend on the value (No) selected in the controller field,
Does the Control Owner perform the Control?.
Procedure
1. With the Object Types application permission set, select Administration > Object Types.
2. Click the name of the object type to modify.
3. On the Field Dependencies pane, click Add.
4. From the Select Dependent Field, select a field from the list.
5. In Dependent Field Behavior, select one of the following values:
Editable Enable the user to modify this dependent field only if the
controlling field is selected. Otherwise, the dependent field is read
only.
Visible Display the dependent field to the user only if the controlling field
is selected. Otherwise, the dependent field are hidden from view.
6. Click Next.
7. On the Select Controller(s) page, click the Controlling Field and choose a field from the list.
8. In the Controlling Values box, select one or more values from the list and click Add.
9. If you have multiple controller fields, click Operator and choose one of the following logical operator
values:
Add another behavior the same as those Complete one of the following steps:
to the same dependent selected in Step 4
• Copy the controller conditions to the new
field
dependent field (see “Copying controller
- OR - conditions” on page 200)
Create another • Repeat Steps 3 and 4
dependent field
The newly created dependent fields are listed on the Field Dependencies pane.
Procedure
1. With the Object Types application permission set, select Administration from the menu and click
Object Types.
2. Click the name of the object type to modify.
3. On the Field Dependencies tab:
a) Select the check box next to the controller field you want to copy.
b) Click the Copy Controllers to icon.
4. In the Dependent Field pane of the controller (or controllers) you want to copy, select one or more
behaviors for each dependent field.
5. Click Create.
The newly created dependent fields with the copied controllers are listed on the Field Dependencies
pane.
Procedure
1. With the Object Types application permission set, select Administration from the menu and click
Object Types.
2. Click the name of the object type to modify.
3. On the Field Dependencies pane:
a) Select the dependent field you want to modify.
b) Click Edit.
4. To modify the values of an existing controller field:
a) Click Edit under the Actions column.
b) In the Edit Controller box, modify the selected values as necessary.
c) Click Save.
5. To add another controller:
a) In the Add Controller pane, click the Controlling Field arrow and select a field from the list.
b) In the Controlling Values box, select one or more values from the list.
c) Click Add.
6. To remove a controller:
a) Select the check box next to the controller field you want to remove.
Note: To select all the controllers for removal, select the check box next to the Controlling Field
column heading.
b) Click Delete.
7. To change the operator when there are multiple controllers, click the Operator arrow and select a
value from the list.
8. Click Save.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the name of the object type you want to modify.
3. On the Field Dependencies tab:
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the name of the object type you want to modify.
3. On the Field Dependencies tab:
a) Select the check box next to the dependent field you want to delete. You can select multiple boxes.
b) Click Delete.
Results
The selected dependent field is removed from the list on the Field Dependencies tab.
Procedure
1. From the menu bar, click Administration > Settings.
2. Click Applications > GRCM > Add New Wizard.
3. Click Object Types Disabled.
4. In the Value box, type the names of the objects that you want to disable. Separate each object type
with a comma (,). Be sure to use the object names and not the object labels.
5. Click Save.
Procedure
1. From the menu bar, click Administration > Settings.
2. Click Applications > GRCM > Add New Wizard.
3. Click Show Empty Sections.
4. In the Value box, type false if you do not want to show empty sections and tabs. Type true if you want
empty sections to appear but be disabled.
5. Click Save.
In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Controlling the ability to use a template object when using the Add New wizard
You can specify whether users must create new object instances from an existing object instance,
whether they can optionally create new object instances from an existing object instance, or whether the
user should create the object from scratch.
Procedure
1. From the menu bar, click Administration > Settings.
2. Click Applications > GRCM > Add New Wizard.
3. To enter information that applies to all profiles:
a) Expand the Cannot Create from Existing or the Must Create from Existing folder.
b) Select the All Profiles setting and enter the desired information.
Controlling the default object type in the parent picker in the Add New wizard
You can specify the default object type in the parent picker. For each desired object type, you can specify
a series of parent object type defaults; the first type available to this user will be set as the default.
Procedure
1. From the menu bar, click Administration > Settings.
2. Click Applications > GRCM > Add New Wizard > Parent Object Type Preferences.
3. To enter information that applies to all profiles select the All Profiles setting and enter the desired
information.
4. To enter information for a specific profile, you must first create a setting for that profile under the
Parent Object Type Preferences folder, which has the exact name of the profile. For more information,
see “Custom settings” on page 340
5. For each object type in the setting, specify the default parent object type to be selected in the Select
Parents Narrow By panel. Format is multiple lines separated by carriage return - line feed, each
formatted as <object type to be created system name><colon><highest priority object type system
name to be parent><comma><second highest priority object type system name to be parent>, and so
on, as shown in the following example:
Resource:SOXBusEntity,RiskSubEntity
ReviewComment:AuditProgram,Finding,Workpaper
RiskAssessment:SOXBusEntity
Procedure
1. From the menu bar, click Administration > Settings > Applications > GRCM.
2. Click the Default Folder setting to open its detail page.
3. In the Value field, type one of the following values:
• root_folder
Use this value to create new child objects in the root folder for the object type. This option is not
recommended.
• parent_entity
Use this value to create new child objects in the same folder as the lowest level Business Entity of
the parent object. Children of self-contained object types are not created in the same folders as their
parents.
• parent_folder
Use this value to create new child objects in or under the folder of its primary parent. This option is
recommended. Consider this option in the following circumstances:
– You are working with self-contained object types.
– You are working with a security model that includes Business Entity and other object types.
– You are using helpers or triggers that move saved objects into folders other than the default
folders.
4. Click Save.
You can configure a list of items (drop-down or list box) so that the items in the list are filtered based upon
some value selected by a user in another list.
The filtering of lists can be used to help guide users in the selection of relevant values from lists during the
creation or editing of an object.
Example
Both the "Category" and "Subcategory" fields of a Risk object (SOXRisk) have many items in their
respective lists from which a user can choose, and you want only the values of "Theft and Fraud" and
"Security Systems" to be displayed in the Subcategory list when a user selects "External Fraud" from the
Category list.
To filter the list, you would map the "Subcategory" values of "Theft and Fraud" and "Security Systems" to
the "Category" value of "External Fraud".
The "Subcategory" field with its selected values is considered the dependent picklist as the behavior of
this list depends upon the value selected in the "Category" field or controller picklist.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the name of the object type you want to modify.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the name of the object type you want to modify.
3. On the Dependent Picklists tab:
a) Select the check box next to the dependent picklist you want to modify.
b) Click Edit.
4. To modify the values that are displayed in a dependent picklist by a controlling value:
a) Navigate to the column heading with the controlling value.
b) Click a value in the column row to either select or clear a value.
5. Click Save.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the name of the object type you want to modify.
3. On the Dependent Picklists tab:
a) Select the check box next to the dependent picklist you want to delete. You can select multiple
boxes.
b) Click Delete.
Results
The selected dependent picklist is removed from the list on the Dependent Picklists tab.
Procedure
1. With the Object Types application permission set, select Administration and click Object Types.
2. From the list, click the name of the object type to modify.
3. On the Field Exclusions pane for object type, click Exclude.
4. Complete the following steps on the Exclude Fields page:
a) In the Select Field field, select the fields that you want to exclude from the subsystem.
b) In the Select Subsystem field, select the subsystem.
5. Click Exclude.
The newly excluded fields are listed on the Field Exclusions tab.
6. To exclude fields from a different object type, repeat Steps 1 - 5.
7. If you excluded fields from the Reporting Framework subsystem, regenerate the reporting framework.
For more information, see “Updating the reporting framework” on page 686.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. Select the name of the object type you want to modify.
3. On the Field Exclusions tab:
a) Select the check box next to the excluded field you want to modify.
b) Click Edit.
4. In the Select Subsystem box, modify the subsystem.
5. Click Save.
6. If you modified the list of fields that are excluded from the Reporting Framework subsystem, update
the reporting framework.
For more information, see “Updating the reporting framework” on page 686.
Procedure
1. With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list, click the name of the object type you want to modify.
3. On the Field Exclusions tab:
a) Select the check box next to the excluded field you want to remove. You can select multiple boxes.
b) Click Remove.
c) If prompted, click OK.
The selected excluded field is removed from the Field Exclusions list for the object type.
4. If you modified the list of fields that are excluded from the Reporting Framework subsystem, update
the reporting framework.
For more information, see “Updating the reporting framework” on page 686.
Accessing profiles
From the detail page of a profile, you can modify profile information, and associate users. You can also
access the detail page of an object type where you can configure views and the display order of fields for
the selected object type, and so forth.
Note: To access the Profiles menu item, you must have the Profiles application permission set on your
account (for details, see “Types of application permissions” on page 32).
Procedure
1. Log on to IBM OpenPages GRC Platform as a user with the Profiles application permission set.
2. From the menu bar, select Administration and click Profiles.
Creating a profile
You can create a new profile based on an existing profile, including the "Default" profile that is supplied
with the product.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. On the Profiles table, click Add.
3. On the Add Profile page, type a name for the profile. The name should be easily recognizable by users
and identify the purpose for which it is designed. Profile names cannot be translated or changed after
they are created.
4. Click Based on Profile and select the profile to use as a template for the new profile.
5. If you want the new profile to be the default profile, select Default. For more information, see “Setting
a default or fallback profile” on page 215).
Important: Creating a default profile might affect the way IBM OpenPages GRC Platform handles
objects and profiles.
6. If you want the new profile to be the fallback profile, select Fallback. For more information, see
“Setting a default or fallback profile” on page 215).
7. Click Create.
8. To configure the profile, do one of the following tasks:
include and exclude object types “Including object types in a profile” on page 219
“Excluding object types from a profile” on page
219
configure views for an object type “Configure views for objects” on page 236
This video demonstrates how to create profiles and add object types and views to a profile:
https://youtu.be/Iylu3p_snfY
You can set default and fallback profiles for users and groups.
Before you create a default or fallback profile, see “Guidelines for working with profiles” on page 213.
You can designate any profile as the default profile for a user or group. Any previously designated profile
loses this default designation when you select another profile as the default profile. In an application
upgrade, the default profile includes all the object properties of the previous version of the application. All
profiles are standalone; there is no inheritance from the default profile.
When you create users and add profiles, the default profile serves as the profile that is used if no other
profile is selected. You do not need to designate a default profile. If no profile is designated as the default
profile, the fallback profile will be used.
The fallback profile allows a user who is either not associated with any profile, or whose profile is disabled
or deleted, to log on to OpenPages GRC Platform. Only one profile can be designated as the fallback
profile. If you choose to designate a profile as the fallback profile, the existing fallback profile (if there is
one) loses this designation. The fallback profile is optional, however it's a best practice to designate and
enable one so users without any other enabled profiles can log on.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. On the Profile Information table, click Edit.
4. On the Edit Profile page:
a) Select one or both of the following options:
• Default - to make this profile the default profile
Tip: Consider designating the most commonly assigned profile as the default profile for users and
groups.
• Fallback - to make this profile the fallback profile
b) Optionally, enter or change the description of the profile.
c) Click Save.
Profiles 215
Associating profiles to users and groups
You can associate one or more profiles to a user or group. Having multiple profiles is beneficial for users
that have more than one function and require a different profile for each one. It is also beneficial for
administrators because it can reduce the number of profiles that they need to create and maintain.
Tip: It is more efficient to associate profiles to groups rather than individual users. Note that if a user is
later added to the group, they will not be assigned the profile that was earlier assigned to the users of the
group.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Select the user or group that you want to assign a profile to.
3. Click Edit.
4. From the Allowed Profiles list, select all the profiles that you want to assign to the user or group.
5. Optionally, you can change the user's current profile by selecting a different profile from the Current
Profile list.
Warning: If you change a user's profile while they are logged on you might disrupt their work.
• If you remove the user's current profile from the Allowed Profiles list, the user's current profile is
set to the first allowed profile in the alphabetical list.
• For existing users, the Current Profile is set to the user's current profile.
• For new users, the current profile is set to the default profile, if one exists and is enabled. If an
enabled default does not exist, the current profile is set to the fallback profile, if one exists and is
enabled. For more information, see “Setting a default or fallback profile” on page 215.
6. Click Save. The changes take effect immediately.
Editing a profile
You can modify the description of a profile or designate the profile as the default profile or fallback profile.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. On the Profile Information table, click Edit.
4. Make your edits. Note that profile names cannot be translated or changed after they are created.
5. Click Save.
Deleting a profile
Enabling a profile
When you enable a profile the status of the profile changes from Inactive to Active, and the profile
immediately becomes available to users who are assigned that profile (either currently logged on users or
to users who subsequently log on).
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. On the Profile Information table, click Enable.
The status changes to Active.
Disabling a profile
You can disable a profile.
Important: When you disable a profile, it is not deleted. It remains in the system, and the status of the
profile changes from Active to Inactive. A disabled profile is immediately unavailable to users to currently
logged in users or to users who subsequently log in.
Before disabling a profile, see “Guidelines for working with profiles” on page 213.
For users with multiple profiles, the current profile becomes the first profile in the alphabetical list of their
allowed profiles. If you disable the only profile that is assigned to a user, the user can still log in using the
fallback profile if one exists and is enabled. For more information, see “Setting a default or fallback
profile” on page 215.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. On the Profile Information table, click Disable.
The status changes to Inactive.
Profiles 217
The profile that you associate with a user is not the current profile unless no current profile is selected.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. On the Associated Users table, click Associate.
4. In the Associate users/groups with profile box:
a) Select the users or user groups you want to associate with the profile. You can view individual users
within a group by clicking the + box.
b) Click Associate.
This video demonstrates how to configure multiple profiles for users, and how users can easily switch
from one profile to another:
https://youtu.be/4LTLOf6WUA8
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. From the Associated Users table listing:
a) Select the box next to each user you want to disassociate from this profile.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. On the Object Types table, click Include.
4. On the Available Object Types page:
a) Select the box next to each object type you want to include in this profile.
b) Click Include.
5. To configure views for an object type, see “Configure views for objects” on page 236.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table:
a) Select the box next to each object type that you want to exclude from the profile.
b) Click Exclude.
c) Click OK to remove the object type from view.
Results
The selected object type is removed from the list of object types for this profile. IBM OpenPages GRC
Platform stores an excluded object, along with any associated data, in the repository. You can view it
through reports.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
Profiles 219
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type whose fields you want to modify
(for example, SOXIssue).
4. On the Object Fields table, click Include.
5. On the Available Object Fields page:
a) Select the box next to the name of each object field you want to include.
b) Click Include.
The included object field now appears in the list of available fields for this object type in this profile.
6. Optional: Configure the object field in a view. Depending on the view, see either “Navigational Views”
on page 237 or “Configuring fields in Detail and Activity views” on page 257.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type whose fields you want to modify
(for example, SOXIssue).
4. From the Object Fields table:
a) Select the box next to the name of each object field you want to exclude.
b) Click Exclude.
c) Click OK to remove the fields from the selected object type.
Results
The excluded object fields are now absent from the list of available fields for this object type in this
profile.
Procedure
1. With the Profiles application permission set, select the Administration menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table:
a) In the box under the Order column, change the order value of the object types as wanted.
The maximum value allowed in the Order field is 999.
Example
The current display order for the following object types is Business Entity 1, Process 2, Sub-Process 3,
and Account 4.
However, if you want to display Account (instead of Process and Sub-Process) after Business Entity, set
the order number of Account to 2. When you click "Update Order", the system automatically reorders the
Process number to 3 and Sub-Process to 4.
Now, wherever these object types are found together in the application, they appear in the following
order: Business Entity 1, Account 2, Process 3, and Sub-Process 4.
Procedure
1. With the Profiles application permission set, select Administration from the menu and click Profiles.
2. Click the name of a profile. The Detail page opens.
3. In the Object Types pane for the profile, click the name of the object type that has the field to modify.
4. In the Object Fields pane, click the name of the field to modify (for example, "Description").
5. On the Object Field Information pane for the selected field, click Edit.
6. In the Required field on the edit page, either enable the option to set the field as required or disable it.
7. Click Save.
Profiles 221
222 IBM OpenPages GRC Version 7.4.0 : Administrator's Guide
Chapter 12. Managing the Home page, views for
objects, and display types
You can manage the display of the Home page, the views for each object type that is included in a profile,
and the display types for simple strings, long strings, reporting fragments, and enumerated strings.
Home page
The Home page is the initial page that users see when they log on to the IBM OpenPages GRC Platform
application.
The Home page supports a tabbed interface for displaying selected reports and information. For each
profile, you can configure one or more tabs to personalize the information on the page for users who are
assigned that profile.
Typically, the number and types of tabs you configure on a Home page will vary by profile and depends on
the business needs of users. If the number of tabs on a Home page extend beyond the size of the current
browser window, right and left arrows are automatically displayed so users can scroll horizontally through
the tabs.
Except for the My Work tab and the Dashboard tab, a tab on a Home page displays the name of the
configured report.
The type of tabs that can be configured on the Home page include:
• Cognos reports
• Cognos Workspace reports
• Cognos Analytics dashboards
• Cognos Analytics stories
• JSP Reports
• The My Work tab, which is a Home page tab provided by OpenPages GRC Platform that contains
configured panes (sections of a page) for predefined lists, filtered lists, and embedded reports.
• The Dashboard tab, which is a Home page tab provided by OpenPages GRC Platform. Administrators can
add tabs that are mandatory and cannot be deleted or altered by users. Users can add panes to the
Dashboard tab for quick access to the tasks and information that they use most.
You can control the order in which tabs (including the Dashboard tab and My Work tab) are displayed on
the Home page.
For example, a Testers profile might have the following tabs configured: "My Tests - Performer" (report) as
tab 1, the My Work tab as tab 2, the Dashboard tab as tab 3, "Test Notifications" (report) as tab 4, and the
"FCM Dashboard" (report) as tab 5.
Additionally, you can hide, show, add, or delete tabs from the Home page quickly and easily without
interruption to users who are assigned that particular profile.
Note:
• In a first-time installation, by default, the My Work tab and the Dashboard tab are both enabled.
• A report (or report fragment) that is embedded in a tab on the Home page executes when a user:
– First clicks the tab containing the report
– Navigates away from the Home page to other menus and then returns to that report tab on the Home
page
– Logs off and then logs on to the application again
• Switching between multiple tabs on the Home page and then returning to the original report tab does
not rerun the report. To refresh report data, you must click the Refresh icon on the report tab.
• If the My Work tab is empty of content (no panes are configured) but other tabs are configured for
display on the Home page, then a message, similar to the following, is displayed on the My Work tab to
users who are assigned that profile:
OP-50544: There is no information configured for display on this Home page
tab. Please contact your System Administrator.
• If the My Work tab is empty of content (no panes are configured) and no other tabs are configured for
display on the Home page, then a message, similar to the following, is displayed on the Home page to
users who are assigned that profile:
OP-50536: There is no information configured for display on your home page.
Please contact your System Administrator.
• The Dashboard tab on a users Home page displays any panels defined by the administrator plus any
panels created by the user. Panels specified as mandatory by the administrator are not editable or
removable.
To avoid performance issues and cluttering the Home page with too many tabbed reports, consideration
should be given to determining:
• Which reports or dashboards are best related to the type of tasks or activities a particular group of users
have to accomplish
• Which profile (or profiles) should contain these reports or dashboards
• Are any of the selected reports or dashboards already configured for display on the My Work tab. If so,
should these be removed?
Table 71 on page 224 contains a key to the previous illustration with a brief description of the various
Home page elements.
To configure tabs on the home page, use the Home Page Tab Configuration pane on the detail page of the
selected profile.
Table 72 on page 225 describes the information displayed on the Home Page Tab Configuration pane.
Actions The type of actions that can be used on a tab. The actions are:
• Hide - hides the tab from display on the Home page
• Show - unhides the tab and displays it on the Home page
• Delete - permanently removes the tab from the list and Home page.
Note: The My Work tab and the Dashboard tab cannot be deleted.
For information on localizing display text, see “Localizing application text” on page 281.
Managing the Home page, views for objects, and display types 225
Adding tabs for reports or dashboards
When you select one or more reports or dashboards for display in a tabbed format on the Home page,
each selected report or dashboard is immediately:
• Displayed in a tab on the Home page of users who are assigned that profile.
• Listed under the Home Page Tab Configuration table on the Profile detail page.
Note: For details about configuring the My Work tab, see “Configuring the My Work tab” on page 227.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the Home Page Tab Configuration table, click Add.
4. From the list of reports and/or dashboards:
a) Expand a report folder to display a list of available reports.
b) Select the check box next to each report you want displayed in a tab on the Home page.
Note: Selecting multiple reports results in multiple tabs (one tab for each selected report).
c) Click Add.
5. Optional: Change the order in which tabs are displayed on the Home page (see “Setting the display
order of tabs” on page 226).
By default, the My Work tab is in position 1 on the Home page, the Dashboard tab is in position 2, and
each tabbed report or dashboard that you add is displayed in the order in which it was added. During an
upgrade installation, the Dashboard tab is hidden and at the bottom of the tab list.
You can change the order in which tabs (including the My Work tab and Dashboard tab) are displayed on
the Home page. When you change the position of tabs on a Home page, the change is immediately
reflected in the application user interface.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the Home Page Tab Configuration table, under the Order column, type over the existing number
with the new number you want for positioning each tab on the Home page.
4. Click Update Order.
You can control whether configured tabs are displayed or hidden from users in a profile. A tab that is
disabled is hidden from users with the selected profile and can be unhidden by enabling it at a future
time.
By default, newly added tabs are enabled and displayed to users who have the profile.
When you hide or unhide a tab, the following events occur:
• The value of the Status column changes for that tab.
• The value of the link toggles between Hide and Show depending on the selection.
• The tab is immediately hidden or unhidden from users on the home page of the selected profile.
Hide a tab on the Home page for users of the Hide in the row of the tab you want to hide.
selected profile
Show a previously hidden tab Show in the row of the tab you want to unhide.
Deleting tabs
When you delete a tab for a report or dashboard from a profile, the tab is immediately removed from the
Home page of that profile, and from the list of tabs on the Home Page Tab Configuration table.
Note: You cannot delete the My Work tab or the Dashboard tab from the Home Page Tab Configuration
table; you can only hide them.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the Home Page Tab Configuration table, under the Actions column, click the Delete link for the
tab you want to permanently remove.
The My Work tab is a default tab provided by IBM OpenPages GRC Platform, and contains the following
panes (sections of a page) that can be configured in a profile for display to users:
• Predefined Lists - these panes display a list of predefined items that are tailored to the logged on user,
such as My Checked-Out Files. Predefined lists also includes the My Reports pane, which can be
configured with links to reports. For details, see “Configuring predefined lists” on page 228.
• Filtered Lists - these panes display a list of items based on a filter that you define for the selected object
type. In addition, you can select object and/or report fragment fields (the data is displayed in columns),
and set the order in which columns are displayed in the pane. For details, see “Filtered lists on the My
Work tab” on page 228.
• Embedded Reports - each embedded report is displayed in a separate pane on the My Work tab. For
details, see “Configuring reports” on page 230.
You can configure the default settings of the My Work tab for profiles. For more information, see “Home
page settings” on page 333.
Note: The My Work tab can be enabled or disabled for a profile but cannot be deleted.
Note: If you disable the Filtered List View for an object type, the View Details link (or Show All link, in
older versions) for that object on the Home page might open the wrong view.
Users can personalize the display and order of the panes on their My Work tab. You can control whether
this functionality is enabled with the My Work Home Page Can Be Personalized setting. The default
value is true. Upgrading does not change the sort order.
In a first-time installation, the My Work tab is enabled by default, but it is empty of content (no panes are
configured), and a message, similar to the following, is displayed to users who are assigned that profile:
Managing the Home page, views for objects, and display types 227
OP-50536: There is no information configured for display on your home page.
Please contact your System Administrator.
The following table lists the predefined lists that are available for display on the My Work tab.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the My Work Tab Configuration table, click Add Predefined Lists.
4. On the Available Predefined Lists page:
a) Select the box next to each predefined list you want to display on the My Work tab.
b) Click Include. The included items are listed in the My Work Tab Configuration table.
5. If you selected Report Listing and want to populate the My Reports pane with a list of links to reports,
see “Configuring a My Reports listing” on page 231 for details.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the My Work Tab Configuration table, click Configure Filtered List.
4. On the Select a Filter page, select a filter from the list and click Next.
5. On the Select Fields page, do any of the following:
Managing the Home page, views for objects, and display types 229
Table 75: Summary of Filter Actions (continued)
Goal Action
Exclude a field as a column On the Included Object Fields or Included Reporting
Fragment Fields table, complete the following steps:
a. Select the box next to each field you want to remove as
either a column or report.
b. Click Exclude.
Change the order in which object fields On the Included Object Fields table, complete the
are displayed as columns following steps:
a. In the Order column, change the order number of the
field you want.
b. Click Update Order.
When you change the number of a field, the system
dynamically updates all the other numbers.
Include a field as a column that On the Include Reporting Fragment Fields table, complete
displays a report fragment the following steps:
a. Click Include. This opens a field selection page.
b. Select the box next to each report fragment field that
you want to display.
c. Click Include.
6. Click Finish.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the My Work Tab Configuration table, click the name of the filtered list table you want to modify.
4. On the table for included objects or report fragment fields, modify the information as necessary (for
details, refer to Step 5 in “Configuring filtered lists on the My Work tab” on page 229).
5. Click Finish.
Configuring reports
You can use the following methods to configure reports on the My Work tab:
• Report Listing - this method creates a My Reports pane in which a list of selected reports can be
displayed. Each listed report name is a link that, when clicked, opens the report in a separate window.
For details, see “Configuring a My Reports listing” on page 231.
• Embedded reports - this method embeds each specified report in a separate pane on the My Work tab.
For details, see “Configuring embedded reports” on page 231.
Note:
• Only published reports are displayed in the list of available reports (under the Cognos folder) for
association on a My Work tab (either as a link in a list or as an embedded report). If you want to add a
new report, you must first publish that report. For details, see “Adding reports” on page 113.
You can configure links to reports in the My Reports pane on the My Work tab by either clicking the Add
Predefined List icon or through the wizard by clicking the Configure Reports icon.
You can globally control the maximum number of reports that are listed on the My Work tab through the
Maximum Reports Listing setting (for details, see “Maximum reports allowed on the home page” on page
336).
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the My Work Tab Configuration pane, take one of the following actions:
When you embed a report on the My Work tab, the report is displayed in a pane on the My Work tab of
users who have the selected profile.
Use the following steps to embed reports on the My Work tab.
Note: You may need to modify the report to accommodate differences in the My Work tab display area
and page targets. Make a copy of the report before you update the display details and targets to suit
rendering within the My Work tab display area.
Managing the Home page, views for objects, and display types 231
You can globally control the maximum number of embedded reports to show on the My Work tab through
the Maximum Embedded Reports setting. For more information, see “Maximum number of embedded
reports on the home page” on page 335.
There are performance considerations when working with embedded reports. Although embedded My
Work tab reports provide a convenient mechanism to present users with useful Cognos report data upon
logon to IBM OpenPages GRC Platform, report execution times can vary depending on the report.
When configuring embedded reports, administrators should be careful not to configure the My Work tab
with large or resource-intensive reports, as this will contribute to the overall load on Cognos resources.
Some factors that can affect utilization of Cognos system resources include:
• The number of concurrent users logged on to the system
• The percentage of users executing reports or viewing computed fields
• The frequency with which users return to their respective Home pages
The following are some guidelines for configuring reports on the My Work tab:
• Only embed reports that are well-scoped and execute in less than <10 seconds for the typical
application user.
• Configure no more than one (1) embedded report on the My Work tab for the majority of application
users.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the My Work Tab Configuration table, click Configure Reports.
4. In the Configure Home Page Reports wizard:
a) In the Select Report Type step, select Embedded Reports as the report type.
b) Click Next.
5. On the Choose Reports step, click Associate to add reports to the list.
6. On the Reports page:
a) Select the box next to each report you want to embed in a pane on the My Work tab.
b) When finished, click Associate (you may need to scroll down to see the icon).
The selected reports are listed in the Associated Embedded Reports pane of the wizard.
7. If you want to remove any of the newly associated reports from the list (for example, a report was
accidentally added), you can:
a) Select the box next to each report you want to remove.
b) Click Disassociate
8. Click Finish.
Use the Configure Reports wizard to add or remove reports (both embedded reports and My Report links)
from the My Work tab.
Note: You can also remove embedded reports from the My Work Tab Configuration pane. For more
information, see “Removing items from the My Work tab” on page 233.
6. Click Finish.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. On the My Work Configuration table listing:
a) Select the box next to each item you want to remove from the My Work tab.
b) Click Disassociate.
The Dashboard tab allows users to create their own dashboard for their Home Page by adding panels and
widgets. The configuration of a user’s Dashboard tab is saved in the database and not in the web browser
cache. This means that a user can clear the cache, switch to a different browser, or log in from a different
computer without changing the configuration of the Dashboard tab.
Users can add new panels to their Dashboard tabs and for each panel add as many of the following types
of widgets as needed:
• Filter Count widget, which appears in a user's dashboard panel as the object type name and a number
representing the number of filters applied. When a user clicks the number of filters, the Filtered List
View page for that object type is opened. If a filtered list for that object type does not exist, then the
Filtered List View page will not be opened.
• Object Global Search widget, which appears in the user's dashboard panel as the object type name
followed by a search box. When a user enters a search term in the box, for example Accounts
Receivable, the Search Results page provides a list of results.
Managing the Home page, views for objects, and display types 233
• Static Web Link widget, which appears in a user's dashboard panel as a clickable link with the label that
was provided for the widget. When creating this widget, users must begin the URL with the protocol,
such as http://.
• Add New widget, which creates an Add New button that is preconfigured for a specific object type.
Clicking the button, displays the Add New dialog box for that object type.
For each profile, administrators can add panels to a default Dashboard tab that is displayed for users who
are logging on to OpenPages for the first time.
Administrators can specify that a panel is locked and cannot be changed by users. Administrators lock a
panel by selecting the Lock panel contents check box in the Create New Panel window. When a locked
panel is saved, it is automatically pushed to all users in the profile the next time they log into OpenPages.
Administrators can also create panels that are unlocked, and these panels will be included in the default
Dashboard tab for users who are logging on to OpenPages for the first time. Users can edit or delete
unlocked panels in their own Dashboard tabs.
Both the Dashboard tab and the My Work tab will be present on a user's Home page unless specified as
hidden by an administrator in the profile configuration. Clicking the Home button in the global header will
return the user to either the Dashboard or My Work tab, depending on which tab was opened most
recently.
Administrators can export the configuration of a default Dashboard tab in JSON format. This can be useful
when migrating from one environment to another. For more information, see “Exporting the configuration
for a dashboard tab” on page 236.
Note: If the Global Search component is not enabled, then the Global Search widget is not available for
users to add to their Dashboard tabs. If you disable the Global Search component for a profile, then any
existing Global Search widgets are removed from users' Dashboard tabs the next time they log on to
OpenPages. If you disable the Global Search component for an object type, then any Global Search
widgets for that object type will be removed from users' Dashboard tabs. The Static Web Link widget type
is always available, but the other widget types will only be available if users in the profile have access
rights to the object type related to that widget type. If access rights are revoked for widget types that
users have already placed on their Dashboard tabs, then those widgets will be removed the next time the
users log on to OpenPages. Similarly, if the Add New capability is disabled for an object type that users
have associated with a widget on their dashboard, then that widgets will be removed the next time the
users log on.
For each profile, administrators can create content on a default Dashboard tab that is displayed for users
who are opening the application for the first time. Administrators can also specify that a panel is locked.
When a locked panel is saved, it is pushed to the Dashboard tab for all users in the profile and cannot be
edited or removed by users.
Note: If the Global Search component is not enabled, then the Global Search widget is not available for
users to add to their Dashboard tabs. If you disable the Global Search component for a profile, then any
existing Global Search widgets are removed from users' Dashboard tabs the next time they log on to
OpenPages. If you disable the Global Search component for an object type, then any Global Search
widgets for that object type will be removed from users' Dashboard tabs. The Static Web Link widget type
is always available, but the other widget types will only be available if users in the profile have access
rights to the object type related to that widget type. If access rights are revoked for widget types that
users have already placed on their Dashboard tabs, then those widgets will be removed the next time the
users log on to OpenPages. Similarly, if the Add New capability is disabled for an object type that users
have associated with a widget on their dashboard, then that widgets will be removed the next time the
users log on.
Procedure
1. Log on to IBM OpenPages GRC Platform as a user with the Profiles application permission set.
Results
When you save a locked panel, it is pushed to the Dashboard tab of all users in the profile and will appear
the next time that they log on to OpenPages. In order for the change to occur for all users in the profile, all
users must log on to OpenPages after the profile change.
To edit or delete a panel, administrators and users can hover their mouse pointers over the panel and
click the edit or delete icon. Users are not able to edit or remove locked panels. When users hover their
mouse pointers over locked panels, the edit and delete icons are not available to them.
When you save a panel that is not locked, it appears only on the default Dashboard tab that users see
when they open the application for the first time. Unlocked panels are not pushed to users' Dashboard
tab. They can be edited or removed by users.
Procedure
1. Log on to IBM OpenPages GRC Platform as a user with the Profiles application permission set.
2. From the menu bar, select Administration and click Profiles.
3. Click the name of the Profile for which you want to edit a default Dashboard tab.
4. From the menu bar of the Profiles detail page, click Home Page Tab Configuration.
5. In the Dashboard row, click Edit.
You can perform the following tasks:
• To add a new panel to the default Dashboard tab, click Create New Panel. For more information, see
“Creating content for users' Dashboard tabs” on page 234
• To edit an existing panel, hover your mouse pointer over the title bar of the panel and click the pencil
icon. You can change the title of a panel by clicking the title and typing a new name.
• To delete a panel, hover your mouse pointer over the title bar of the panel and click the trash can
icon.
Managing the Home page, views for objects, and display types 235
• To make a panel mandatory for all users in the profile and push it to their Dashboard tab, select the
Lock Panel Contents check box. When you save the panel, it is pushed to users' Dashboard tabs and
will appear the next time that they log on to OpenPages, and users will not be able to edit or remove
it. Panels that are not locked can be edited and removed by users.
6. Click Done Editing.
Procedure
1. Log on to IBM OpenPages GRC Platform as a user with the Profiles application permission set.
2. From the menu bar, select Administration and click Profiles.
3. Click the name of the Profile for which you want to export the configuration of the default Dashboard
tab.
4. From the menu bar of the Profiles detail page, click Home Page Tab Configuration.
5. In the Dashboard row, click Edit.
6. Click the Download JSON button, and open the JSON file in a text editor.
If the Dashboard tab uses multibyte characters, you must use a text editor that supports UTF-8, such
as Notepad or Microsoft Word. If you open the JSON file in Microsoft Wordpad, the multibyte
characters might not display correctly.
Navigational Views
Navigational Views assist users in finding instances of specific objects.
Navigational views include the following view types:
• Overview
• Folder
• Filtered List
• Grid
When you add, remove, or modify Navigational Views in a profile for a specific object type, consider the
following items:
• Views can be enabled or disabled.
Note: If you disable the Filtered List View for an object type, the View Details link (or Show All link, in
older versions) for that object on the Home page might open the wrong view.
• Some views can be deleted.
• Most views, except Overview pages, can be reordered.
• The Bulk Update feature can be used with grid views because grid views contain editable fields.
• Users with the assigned profile who are already logged on to the application must log out and log in to
see the changes.
• Users can change the sort order and field order in Filtered List Views and Grid Views.
• Users cannot add the primary parent hierarchy or business entity hierarchy fields to a Navigational View
for any object type.
Overview pages
An Overview page displays a hierarchical object-tree view of an object type. For example, if you wanted to
include an Overview page for Control Objectives, you could do so through a profile.
As an administrator, you can:
• Control which object types are included or excluded in the object-tree hierarchy on an Overview page
(see “Including object types on an overview page” on page 247 and “Excluding object types from an
overview page” on page 247 for details)
• Enable or disable an Overview page for an object type (see “Configure views for objects” on page 236
for details)
An Overview page is not supported for the following object types: SOXProject, SOXDocument,
SOXExternalDocument, SOXMilestone, SOXIssue, SOXTask, SOXSignature, and ProjectActionItem.
Managing the Home page, views for objects, and display types 237
A Filtered List view displays a page with search filter options that you can use to display objects of the
same type that match your search criteria. First, select the object type to view. Then, select the Filtered
List view from the Filter selector. The view is then populated with objects that match the filter criteria.
Use this view to display filter objects of the same type that match the search criteria in the filter the user
selects. The user can personalize the display of a Filtered List view and limit what fields of information are
displayed.
For Filtered List and Folder views:
• The Name field is required. Always configure it in the first column.
• If report fragment fields are configured, the Reports column is always the last column in the table. The
position of the Reports column can be changed in Grid View.
Example
If you previously disabled the Folder view and Filtered List view pages for Control Objectives in a profile,
and you want to make that object type and its children directly accessible again through the Assessments
menu to users who are assigned that profile. You could enable the Folder view and/or Filtered List view for
the Control Objective object type. Enabling either view page would cause the Control Objectives menu
item to be dynamically displayed on the Assessments menu. However, only the view page that was
enabled would be displayed when the menu item was selected. If you enabled both view pages, you could
set, for example, the Filtered List view page to be displayed first to users.
As an administrator, you can perform the following functions:
• Control which fields are displayed as table column headings in a Folder or Filtered List view (see
“Navigational Views” on page 237)
• Set the order in which table column headings appear (see “Setting the display order of fields in a view”
on page 243)
• Enable or disable a Folder or Filtered List view page for an object type (see “Configure views for objects”
on page 236 for details)
• Control which view page (Folder or Filtered List view) is displayed first to users when both views are
configured (see “Setting a default view” on page 242 for details)
• Control whether users can edit fields in the Filtered List view (“Editable fields in a Filtered List View” on
page 340 for details)
Grid views
The grid view allows you to select how information about an object is displayed by selecting an option
from the View selector.
A grid view allows users to view, compare, and edit fields from up to three different object types in one
location. A grid view allows users to perform operations on multiple objects at the same time.
Additionally, users can personalize the information by modifying the fields that are displayed, field order,
sort criteria, and column widths.
The grid view allows users to move between the display of objects fields in full mode and compact mode.
This ability allows the user to show all configured fields for an object or display only the subset that you
select. You define the objects that are displayed on a grid view. Users can then select a grid view and edit
the fields in the view, including reordering columns of information.
Use the Grid Actions menu to create an item, update multiple items (bulk update), export information,
delete, lock, and unlock.
The grid view provides access to an Info Card. The card displays the values for all configured fields for an
object type.
If users are allowed to edit fields in an object, define a grid view. Because grid views have editable fields,
you can use the Bulk Update feature.
For information about creating grid views, see “Creating a Grid view ” on page 248
Detail views
A Detail View displays data on the same page for the selected object including fields and any
associations it has to other objects.
From an object's Detail page, application users can edit and/or view object-specific fields for the selected
object, and add or associate other objects to it. You can configure the Detail View or any Activity View to
be the page that users see by default when they click the linked name of an object from an Overview,
Folder, Filtered List, or List View page.
Fields can be object fields, computed fields, and report fragment fields.
Note:
• The Detail view is required for objects and custom forms and can be disabled but not removed. When
you add a new object type to the Default profile, a Detail view is automatically configured for that object
type.
• When users export data from a Filtered List View to a spreadsheet, the data that is directly exported
corresponds to the fields that are configured in a Detail view for the selected object type with the
exception of Long String fields that have a large sub type. Fields with a large sub type are ignored by
Export and FastMap as these fields might be too large to be stored in a cell (the maximum storage for a
cell is 32 KB).
As an administrator, you can:
• Control which fields are displayed in the table rows of a Detail view (see “Configuring fields in Detail and
Activity views” on page 257)
• Set the display order of the fields (see “Setting the display order of fields in a view” on page 243)
• Set specific fields to be view only or editable (see “Setting object fields as read-only or editable” on
page 260)
• Set specific fields to span the 2-column table layout of the Detail page (see “Spanning table columns”
on page 260)
• Insert section headings on a page to delineate a set of fields (see “Inserting section headings” on page
258)
• Configure how report fragment fields are displayed to users (see “Configuring the display type for
reporting fragment fields” on page 261)
• Configure how string data is displayed to users (see “Configuring display types for simple string fields”
on page 262)
Activity views
Activity Views are multi-object views focused on performing a specific task, such as control
assessments. An Activity View page provides a way for users to concurrently view and edit specific fields
for an object, including any child objects that have been defined for this view, with minimal navigation.
An Activity View can display up to three levels of objects (the current object, list and detail panes for child
objects, and objects under a selected child object).
You can create your own Activity View pages for an object type in which users can edit, view, and manage
multiple associated objects on the same page. Depending on the view type, information is displayed as
Managing the Home page, views for objects, and display types 239
either a page (such as a Folder View or Detail view page) or in a section of a page (such as a Context
pane). By default, an Activity View is enabled and is automatically added to the list of views that can be
selected from the Current View selection on the object’s detail page. Users who are assigned the
selected profile have immediate access to the new Activity View.
In an Activity View, you can choose child object types at any level in the hierarchy for display in an Activity
View. For example, if users need to determine the effectiveness of a particular control, you could select
Control and Test Result (skipping the Test object) under a Risk object so only objects relevant to
performing the task are displayed in an Activity View. You can also sort how object types are displayed
and select paths to scope or limit the objects that are returned.
For more details on using Activity Views, see “Creating Activity Views” on page 250.
As an administrator, you can:
• Create, modify, or delete Activity Views (see “Creating Activity Views” on page 250)
• Control which fields are displayed in the table rows of an Activity View (see “Configuring fields in Detail
and Activity views” on page 257)
• Set the display order of the table rows containing the fields (see “Setting the display order of fields in a
view” on page 243)
• Set specific fields to be view only or editable (see “Setting object fields as read-only or editable” on
page 260)
• Set specific fields to span the 2-column table layout of the activity page (see “Spanning table columns”
on page 260)
• Insert section headings on a page to delineate a set of fields (see “Inserting section headings” on page
258)
Association views
Users with the assigned profile can use Association Views to view a page that displays parts of another
pages.
Association Views include the following view types:
• List
• Context
When you add, remove, or modify Association Views in a profile for a specific object type, users with the
assigned profile who are already logged on to the application may have to refresh the page to see the
changes.
List views
A List view displays objects of the same type in a list format, with objects listed in ascending order.
Depending on the object type, list views can be displayed as either a page or a pane.
By default, list views are displayed as pages for the following object types: Business Entities
(SOXBusEntity), Milestones (SOXMilestone), Milestone Action Items (SOXTask), and as panes on a Detail
view page for listing associated parent or child objects.
If you have a Folder or Filtered List view for Business Entities, the default list view for this object type is
not used.
When you configure either a Folder or Filtered List view for Business Entities (SOXBusEntity), the default
list view for this object type is not used.
For list views:
• You cannot add a list view to a custom form object or remove a list view from an object.
• The Name field is always displayed in column 1 and its position cannot be changed.
• If report fragment fields are configured, the Reports column is always the last column in the table and
its position cannot be changed.
Context panes
A Context pane appears in the Detail page for an object and provides information about the object that is
the focus of the Detail page. When you are looking at the details of associated objects, use the Context
pane to remind you of the key information about the object that is the focus of the Detail page.
For example, you could use a Context pane to include System Fields such as, Business Entity Structure
and Primary Association Path, or a report fragment field that displayed a line chart showing trends.
As an administrator, you can:
• Control which fields are displayed in a Context pane (see “Including and excluding fields in navigation
and association views” on page 245)
• Set the display order of the fields (see “Setting the display order of fields in a view” on page 243)
Creation views
Creation views allow you users to add new objects using the Add New wizard.
In previous releases, the layout of the Add New wizard was driven by a single view definition, either an
Activity View that is named Add New, or the Detail view. There was also no way to associate existing child
objects to the object that is being created without a separate step.
Now, a category of view that is called Creation views allows the definition of multiple Add new view
definitions for a single object type for a single profile.
For more information on using Creation views, see “Creating a Creation view” on page 256
Enabling a view
The process of enabling a view for an object type in a profile is the same for Navigational and Object
Views. It does not apply to Association Views.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type (for example, SOXControl) for
which you want to enable a view.
4. Navigate to the type of view you want (such as Navigational Views or Object Views).
5. Click the Enable link under the Actions column in the row containing the particular view you want to
enable.
Note:
• The link changes from Enable to Disable.
• The value in the Enabled column changes from false to true.
6. Optional: Configure the selected view:
• To add or remove object types for display in an object-tree hierarchy on an Overview page, see
“Including object types in a profile” on page 219 for details.
• To add or remove fields for a specific view, see “Excluding object types from a profile” on page 219.
• To control which view is displayed first to users when multiple views for a page are configured, see
“Setting a default view” on page 242 for details.
• To associate a filter that will narrow the scope of data that is returned from a Filtered List view page,
see “Associating filters to Filtered List view and Grid view pages” on page 248 for details.
Managing the Home page, views for objects, and display types 241
Disabling a view
The process of disabling a view for an object type in a profile is the same for Navigational and Object
Views. It does not apply to Association Views.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type (for example, SOXControl) for
which you want to disable a view.
4. Navigate to the type of view you want (such as Navigational Views or Object Views).
5. Click the Disable link under the Actions column in the row containing the particular view you want to
disable.
Results
• The link changes from Disable to Enable.
• The value in the Enabled column changes from true to false.
On pages where multiple views are enabled for an object type, you can select which view you want as the
default view for that page. The process of setting a default view for an object type in a profile is the same
for Navigational and Object Views that contain a Make Default link. It does not apply to an Overview view
or Association Views.
For example, if you have a Grid View, Folder View, and Filtered List View enabled for Control object types,
you could set the Grid View page to display first when users select Control from the Assessments menu.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type (for example, SOXControl) for
which you want to set a default view.
Results
If you later decide to change the default view to another view, click the Make Default link in the row
containing the view you want to display as the default view.
You can dynamically change the order in which fields are displayed for object types in a view.
Fields can be object fields, computed fields, and report fragment fields.
Note: The following field limitations apply only to Filtered List, Folder, and List views:
• The Name field is always displayed in column 1 and its position cannot be changed.
• If report fragment fields are configured, the Reports column is always the last column in the table and
its position cannot be changed.
When you reorder fields in a view, the change is immediately displayed to all users.
The process of setting the display order of fields for an object type in a profile is the same for all views.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify.
4. Select one of the following views and complete the steps identified:
Managing the Home page, views for objects, and display types 243
The fields are automatically reordered as specified.
e) For Grid Views, click Save .
The fields are automatically re-ordered as specified.
Example
If the "Classification" object field on the property table of a Risk object Detail View page is in position 9 on
the list and you wanted it to precede the "Location" object field, which is in position 3, you would change
the display order number for the "Classification" field from 9 to 3. All the other object fields after position
3 are automatically re-ordered - so the display order for the "Location" field would become 4, the next
field that followed would become 5, and so forth.
Copy views for an object from one profile to one or more other profiles
You can copy the object views (Detail View and Activity View) and creation views for an object from one
profile to one or more other profiles.
Procedure
1. Enable System Admin Mode. For more information, see “Enabling and disabling System
Administration Mode” on page 17).
2. Click Administration > Profiles.
3. Click the name of the source profile that includes the object with the view that you want to copy.
• If the view already exists in any of the target profiles, a warning is displayed.
• If an object in the source profile is missing from the target profile, an error is displayed.
9. Click Copy.
10. Click Done.
The Results tab displays the results of the copy operation.
• If the copy was successful, a checkmark is displayed. The view is copied to the target profiles
that you selected.
• If the copy was unsuccessful because one or more objects are missing from the target profile, an
error is displayed.
Managing the Home page, views for objects, and display types 245
Including fields in views
Before you can include an object field or reporting fragment field in a Navigational or Association view, the
field must be visible in the object field or reporting fragment table listing for the selected object type or
custom form. If the field is part of a field group, make sure you include the field group for the selected
object type.
For details, see “Including fields in an object type” on page 219.
When you include object fields or reporting fragment fields in a Navigational or Association view for the
selected object type, the fields are displayed as table column headings in that view. By default, the
column heading for reporting fragment fields is called Reports.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. Select the view that you want.
5. To add field columns to the selected view:
a) On either the Included Object Fields or Included Reporting Fragment Fields table, click Include.
The available fields selection page is displayed.
b) Select the box next to each field you want to display.
c) Click Include.
6. To modify the order in which the fields are displayed in columns in a Navigation or Association View,
see “Setting the display order of fields in a view” on page 243.
When you exclude object fields or report fragment fields from either a Navigational or Association View for
the selected object type, the fields are removed from the table column headings in that view page.
With the exception of the required Name field, you can exclude any field from an object view. For
example, if you exclude the Description object field from a Filtered List View for an object type, the
Description table column and its associated data are dynamically removed from the Filtered List view
page and the change is immediately visible to all users.
Note: If you exclude object fields that are referenced by JSP reports, the report may fail or return
unexpected results.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. Select the view that you want.
5. To remove object field columns from the selected view:
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. On the Navigational Views table of the selected object type, click the Overview link.
5. On the Included Object Types tab, click Include.
6. On the Available Object Types page:
a) Select the box next to each object type you want to include in the object-tree hierarchy.
b) When finished, click Include.
7. To show or hide the Description column on the Overview page:
a) On the Object View Information tab, click Edit.
b) Click the Show Description arrow and select either:
• True - to display the Description column.
• False - to hide the Description column.
c) Click Save.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
Managing the Home page, views for objects, and display types 247
2. Click the name of a profile. The Detail page opens.
3. From the Object Types tab:
a) Select the box next to each object type you want to exclude from the Overview page object-tree
hierarchy.
Note: Excluding an object type also hides its children. For example, if you exclude Risks from the
Overview page, Controls, Tests, and Test Results will also be hidden from view. You do not need to
select each type - only the parent object type.
b) Click Exclude.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. Under the Navigational Views table of the selected object type, click the Filtered List link.
5. Complete the following actions:
a) On the Associated Filters tab, click Associate. The filters selection page is displayed.
b) Select the box next to each filter that you want to include.
c) Click Include.
Disassociating filters from Filtered List view and Grid view Pages
If you have a filter that is no longer appropriate for display in the filter selector on a Filtered List view page
or a Grid view page for an object type, you can remove it from the list.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type (for example,
SOXControlObjective) that has the filter you want to remove.
4. From the Associated Filters table listing, select the box next to each filter you want to disassociate
from this view.
5. When finished, click Disassociate.
Procedure
1. Click Administration > Profiles and select a profile.
2. Select the object that will be at the root of the grid view.
3. Under Navigational Views, click Add New.
4. To provide details about the new grid view, complete the following actions:
a) Add a name and description. Optionally, enter the translations for the name. The description is for
administrators only.
b) Add guidance to the users who are assigned to the profile, such as the methodology that the users
should follow in performing the task. You can format the text.
c) If the grid view is not ready for users to access now, clear the Enabled check box. The new grid
view is enabled by default.
d) Click Next.
5. If you want to select the related objects that contain fields of information that the user will require to
perform the task, complete the following actions:
a) Click Choose Object Type.
b) Select an object type for the selected object.
c) Click Apply.
d) Repeat these steps for each object that you want to add.
e) When you have added all the related objects, click Next.
The related objects do not have to be direct child objects. You can skip levels. For example, the object
model may be Process --> Risk --> Control --> Test Plan --> Test Result. You create a grid view that is
Process --> Control --> Test Result.
If you do not want to include related objects, just click Next.
Note: Descendants of recursive object types, such as Business Entity, appear under all of their
ancestors, not just the most immediate ancestor. For example, if the path is set to Business Entity/
Preference and the hierarchy of objects is North America Division/US Region/Pref1, Pref1 appears as
a descendant of both North America Division and for US Region.
6. If there are at least two paths between the selected objects, select one or more paths that you want
to use.
7. To specify the sort criteria for the object, complete the following actions:
a) Click Specify Sort Criteria.
b) Click or Ctrl+click the fields and click the double arrow (>>).
c) To change the order in which the fields appear, select the field and use the up arrow or the down
arrow.
d) To change how the fields are sorted, select each field and click the up triangle or the down
triangle.
e) Click Apply.
8. To apply a filter to the objects, complete the following actions:
a) Click Choose Filter.
b) Select a filter that was created for this object.
c) Click Apply.
Managing the Home page, views for objects, and display types 249
9. Click Next.
10. To configure fields for the grid view, complete the following actions:
a) To select the fields that will be displayed, click Choose Fields, select the fields, and click Apply.
b) To allow your users to control which fields are available in the grid view, select Full Mode to see
the field available in the grid view for an object.
Compact Mode is a subset of the fields that appear in Full Mode. For example, your users may
want to hide the Description field in Compact Mode. To select Compact Mode, you must select
Full Mode first to enable Compact Mode.
All included fields will appear in the Info Card. A field with neither Full Mode nor Compact Mode
selected will not appear in the grid view but it will be available for the user to make visible.
c) To change the order in which the fields appear, drag the fields to a new location or change the
sequence of numbers in the Order fields and click Update Order.
d) Specify whether each field is Read-Only.
e) To change the default column width for the fields, change the numbers in the Column Width
fields.
f) To delineate a set of fields on the Info Card, click Insert Section and enter a name for the section
heading. In the Insert before field, select the field that the section heading will appear before. If
you have translated text for the section heading, add it to each language as required. Click Apply.
g) Repeat these steps for each additional object type that you have included.
11. Click Finish.
Results
The grid view is added to the list of navigational views, where you can make it the default navigational
view, have it appear higher in the list of navigational views, disable or enable it, or delete it.
2. Select Object Types 1. In the same row as Risk, click the Choose Object Types
(for details, see “Task 2: Select object link and select Control. (For layout refer to panes "4" for
types” on page 254) Risk, and "5" and "6" for Control in Figure 17 on page
253.)
2. In the same row as Control, click the Choose Object Types
link and select Test Result. (For layout refer to pane "7" in
Figure 17 on page 253.)
Note: Child object types can be at any level in the object
hierarchy. In this example, we are "skipping" the Test object
type between Control and Test Result.
3. Specify Object Type Settings In the same row as Test Result, click the Select Sort Criteria
link and do the following:
(for details, see “Task 3: Specifying
object type settings” on page 254) 1. Select the Date Performed field from the list.
2. Set the selected field to Ascending.
(For layout refer to pane "7" in Figure 17 on page 253.)
Managing the Home page, views for objects, and display types 251
Table 79: Configuring a Sample "Control Assessment by Risk Activity" View (continued)
On this screen in the Activity View Do this...
Wizard...
4. Specify Field Settings For each object type, click Choose Fields and select the
following fields (if necessary, clear the Name field box as the
(for details, see “Task 4: Specify field
name of the object is automatically displayed in the pane
settings” on page 255)
title).
When finished with selecting fields, set the display order of
each field as shown and click Update Order.
• Risks (all Read-only fields. For layout refer to pane "4" in
Figure 17 on page 253.)
– 1 Description
– 2 Inherent Risk Rating
– 3 Category
– 4 Subcategory
• Control (mostly Read-only fields. For layout refer to pane
"6" in Figure 17 on page 253.)
– 1 Description
– 2 Domain
– 3 Control Type
– 4 Control Method
– 5 Design Effectiveness
– 6 Operating Effectiveness (writable)
• Test Result (all Read-only fields. For layout refer to pane
"7" in Figure 17 on page 253.)
– 1 Description
– 2 Performed By
– 3 Reviewed By
– 4 Reviewer Conclusion
– 5 Date Performed
– 6 Test Result
– 7 Exceptions
– 8 Exception Description
5. Define Listing Columns Click Choose Fields and add the Description field to the
listing pane for child Control objects.
(for details, see “Task 5: Define listing
columns” on page 255) Click Finish when done.
(For layout refer to pane "5" in Figure 17 on page 253.)
After the "Control Assessment by Risk Activity" view is saved, it becomes available as a selection in the
Current View selection list on the Risk object detail page.
When a "Control Assessor" selects a particular risk for analysis and navigates to the detail page of that
Risk object, that user can then click the Current View arrow and select the "Control Assessment by Risk
Activity" view from the list of views.
When the "Control Assessment by Risk Activity" view is displayed on the page, the "Control Assessor"
could then view the child controls and test results associated with that selected risk, discuss the test
The following numbered list describes the panes of an Activity view page as they are labeled in Figure 11.
1. Header pane - contains common elements such as a logo, logon user name, logout link, and the
Reporting Period selector.
2. Menu bar - a common element used as the main navigation tool for accessing objects.
3. Navigation pane - contains breadcrumb links (common element) and the Current View selector, which
is displayed when multiple Object Views are available.
4. Top-level Object Field pane - unique to Activity views - contains fields configured for the selected top-
level object.
5. First-level Child Object Listing pane - unique to Activity views - contains a list of first-level child objects
configured for the top-level object. If multiple first-level child object types are configured, a selector
box is displayed that allows users to switch between object types.
6. Child Hierarchy pane for the selected first-level child object - unique to Activity views - contains fields
configured for this object type.
Managing the Home page, views for objects, and display types 253
7. Child Hierarchy pane for children of the selected child object - unique to Activity views - contains fields
configured for this object type.
Procedure
1. In the Name field, type a name for this Activity or Grid View.
2. Click the Translate link and type the label text you want to be displayed to users in the appropriate
language field, and then click Apply.
Note: If you do not enter translated label text for the Name field, the text you entered in Step 1 will be
displayed to application users in the Current View selection list.
3. Click Next.
Procedure
1. In the Actions column, click the Choose Object Types link in the row containing the selected object
type (for example, RiskAssessment) to which you want to add child objects.
2. In the Choose Object Types box, select the box next to each child object type you want to display (for
example, Risk) under that object type. When finished, click Apply.
3. Optional: Click the Choose Object Types link next to an associated object type (from Step 2), and
select any object types you want to display (for example, Control) under that object type. When
finished, click Apply.
4. Click Next.
Procedure
1. For associated objects that have multiple paths, complete the following steps to specify the paths to
use through the object hierarchy to retrieve data:
a) Click the Choose Paths link under the Actions column in the row that contains the object type in
Task 1 (if necessary, scroll down the page to see it).
b) In the Choose Paths box, select or clear the box next to each object path that you want the
application to use or ignore for retrieving associated object data.
c) Click Apply.
The selected paths are listed in the Paths column.
Note: Descendants of recursive object types, such as Business Entity, appear under all of their
ancestors, not just the most immediate ancestor. For example, if the path is set to Business Entity/
Preference and the hierarchy of objects is North America Division/US Region/Pref1, Pref1 appears
as a descendant of both North America Division and for US Region.
Procedure
1. To specify the display fields for an object type, click Choose Fields under the object type.
a) In the Choose Fields selection box, select the box next to each field you want to include.
b) When finished, click Apply.
2. Optional: Insert a section. For details, see “Inserting section headings” on page 258.
3. Optional: Change the display order of the fields. For details, see “Setting the display order of fields in a
view” on page 243.
4. Click Next.
Procedure
1. To specify the table columns for the pane in which associated objects are listed:
a) In the Choose Fields selection box, select the box next to each object field you want to include as a
table column. By default, the Name field is selected.
b) When finished, click Apply.
2. Optional: Change the display order of the fields. For details, see “Setting the display order of fields in a
view” on page 243.
Managing the Home page, views for objects, and display types 255
3. Click Finish.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type (for example, RiskAssessment)
you want to modify.
4. From the Object Views table listing, click the name of an Activity View you want to modify to open the
Activity View wizard.
5. Click a link in the wizard that corresponds with the type of change you want to make. Refer to “Creating
Activity Views” on page 250 for an overview of tasks.
6. Click Save.
Procedure
1. Click Administration > Profiles and select a profile.
2. Select the object that will be at the root of the creation view.
3. From the menu bar, click Creation Views.
4. In the Creation Views section, click Add New.
5. To provide details about the new creation view, complete the following actions:
a) Add a name and description. Optionally, enter the translations for the name. The description is for
administrators only.
b) If the creation view is not ready for users to access now, clear the Enabled check box. The new
creation view is enabled by default.
c) Click Next.
6. To select the child objects to associate with the current object, complete the following actions:
a) Under Actions, click Choose Object Types.
b) Select the object types to associate.
Only direct child objects are available to associate.
c) Click Apply.
d) Click Next.
7. Choose the objects that you want show on separate pages in the Add New wizard: check box
a) For each object that you want to show on its own tab, select the Separate page check box.
By default, any objects that do not have a separate page are shown together on the Associate tab.
b) Click Next.
8. To configure fields for the creation view, complete the following actions:
a) To select the fields that will be shown, click Choose Fields, select the fields, and click Apply.
Before you include a field in a Detail or Activity view, the field must be visible in the object field list.
Fields can be object fields, computed fields, and report fragment fields.
If the field is part of a field group, make sure you include the field group for the object type. For more
information, see “Including field groups for an object type” on page 177.
Note: When dependent fields are included in a Detail or Activity view, make sure to include both the
controlling field and required dependent fields. If the controlling field that requires that a user enter a
value in a dependent field is included in a view and the required dependent field is excluded, the user
cannot complete the operation. The following error message will be displayed, "A field not available to you
has been made required by a field dependency so you will be unable to continue with this operation."
When you include object fields in a Detail or Activity view for the selected object type, the object fields are
displayed as table rows in that view.
Although you cannot modify the parameters of the table, you can set a field to span table columns.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. From the Object Views tab listing, select the view you want:
Managing the Home page, views for objects, and display types 257
Table 81: Object views (continued)
For this type of view... Do this...
Activity View a. Click the name of the Activity view you want.
b. In the Activity View wizard, click the Specify
Field Settings link.
When you exclude fields from a Detail or Activity view for the selected object type, the fields are removed
from the table rows on that view page.
Fields can be object fields, computed fields, and report fragment fields.
With the exception of the Name field, you can exclude any field from an object view. For example, if you
exclude the Description field from a Filtered List view for an object type, field is dynamically removed
from the Filtered List view page and the change is immediately visible to users.
Note: If you exclude object fields that are referenced by JSP reports, the report may fail or return
unexpected results.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. From the Object Views tab listing, select the view you want:
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. For the Detail view, click the Detail field.
4. For an Activity view, click the name of the Activity view and click Specify Field Settings.
5. To insert a section heading in the selected view:
a) Select Insert Section for the object type.
b) In the Section Information pane, provide the following information:
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. From the Object Views table listing:
• For the Detail view - click the Detail link.
• For an Activity view:
a. Click the name of the Activity view you want.
b. In the Activity View wizard, click the Specify Field Settings link.
5. To modify a section heading in the selected view:
a) Click Insert Section for the object type you want.
b) On the object type tab, click the Edit link under the Actions column in the row containing the
section that you want to modify.
c) In the Section Information box, make the changes as wanted.
d) Click Apply or Save to effect the change.
Managing the Home page, views for objects, and display types 259
Deleting section headings
Section headings are an optional formatting feature. You can use section headings to delineate a set of
fields on a page. You can remove section heading. After a section is deleted, it is permanently removed
and cannot be restored.
Procedure
1. Click Administration > Profiles
2. Select the profile to modify.
3. From the Object Types listing, click the name of the object type to modify.
4. In the Object Views pane, click the Detail link or the Activity view to modify.
5. To delete the section in the Detail view, click Delete next to the section to delete.
6. To delete a section in an Activity view, click the Specify Field Settings link. Then, click Delete next to
the section to delete.
You can configure object fields on an Object View page within a profile to be view only or editable to users
assigned that profile by either selecting or clearing the Read-Only box for a field.
Note: Report fragment fields, computed fields, and certain system fields (such as "Last Modified By",
"Created By", "Creation Date" and so forth) are set, by default, to Read-Only and cannot be changed.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type you want to modify (for example,
SOXControlObjective).
4. Select a Views tab, and click the name of the view link you want to modify (for example, Detail) to open
its detail page.
5. On the edit page for the selected object type, do the following in the row for each object field you want
to modify:
• To make a field non-editable - select the Read-Only box.
• To make a field editable - clear the Read-Only box.
6. Click Save.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
You can configure how reporting fragment fields are displayed to application users on Detail and Activity
View pages. Reporting fragment fields are always read-only fields.
Reporting fragment fields can be displayed as follows:
• Automatic - this setting embeds the report element directly into the cell for the field and displays it as a
view-only field on the page.
You can also configure the cell height of the field. By default, it is set to 235 pixels.
• On Demand - this setting displays a clickable icon in the field that opens the report element in a
pop-up window. For information on automatically sizing pop-up windows, see “Report fragment
settings” on page 321.
Note: Changing the display type setting will affect the display of this field in all profiles.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type containing the report fragment
field you want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object type, click the name of a report fragment field to
open its detail page.
5. On the Object Field Information table:
a) Click Edit.
b) On the edit page, click the Display Type arrow and select a value from the list.
c) Click Save.
6. Optional: For Automatic display types only. If the display type is On Demand, skip this step.
You can modify the cell height of the report fragment field:
a) On the Display Type Information table, click Edit.
b) On the edit page, modify the number of pixels in the Cell Height box.
c) Click Save.
7. To make the row with the report fragment field span table columns, see “Spanning table columns” on
page 260.
Managing the Home page, views for objects, and display types 261
Configuring display types for simple string fields
For object fields that have a Simple String data type, you can configure how string data displays to users
on an object’s details page. The display types for Simple String data fall into two basic categories: selector
types for displaying users and/or groups, and text area display types for displaying text and URL
information.
Note: Changing the display type setting affects the display of this field in all profiles.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type containing the object field you
want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object type, click the name of the object field to open its
detail page.
5. On the Object Field Information table, click Edit.
6. On the edit page:
a) To make the field required, select the Required box.
b) To select a different display type, click the Display Type arrow and select a value from the list:
• For user or group selector display types, see “Configure user and group selectors display types for
simple strings” on page 266.
• For a Business Entity Selector display type, see Configuring the Business Entity Selector display
type for simple string fields.
• For a rich text display type, see “Configuring rich text display types for simple strings” on page
262.
• For a box and URL display types, see “Configuring text and URL display types for simple strings”
on page 264.
• For a plain text area display type, see “Configuring text area display types for simple strings” on
page 266.
7. To have a row with a field span table columns, see “Spanning table columns” on page 260.
8. Click Save.
Results
Note: To change a field to Read-Only, see “Setting object fields as read-only or editable” on page 260.
Row Units (pixels or The unit of measure in pixels or percent for the Rows setting.
percent)
The default value is "Percent".
To change the value to "Pixels", select the Pixels icon.
Columns The percent or number of pixels allocated to the width of the display area,
which includes the rich text editor interface and text input area.
The default value is 100 percent.
To change the value, type a number in the box. To change the unit of measure,
use the Column units setting.
Column units The unit of measure in pixels or percent for the Columns setting.
The default value is "Percent".
To change the value to "Pixels", select the Pixels icon.
For instructions on how to configure a display type for a string data type object field, see “Configuring
display types for simple string fields” on page 262.
Configuring the Business Entity Selector display type for simple string fields
For the Business Entity Selector display type, you can select a starting business entity, establish the
number of levels that users can navigate, and determine whether to span columns.
To modify these settings, click Edit on the Display Type Information tab.
You can configure the following settings:
Number of Levels Determines the number of levels that end users can navigate to from the
starting business entity. For example, if you select Global Financial Services
as your starting business entity and set the number of levels to 2, you can
navigate to two levels below Global Financial Services (Global Financial
Services/Asia Pac/Agency Services). Limit the number of levels to improve
performance of the selector and help users select from the entities most
appropriate for this field.
The default value is 3.
Managing the Home page, views for objects, and display types 263
Table 85: Business Entity Selector display settings (continued)
Setting Description
Span Columns Determines whether to make a row span columns.
The default value is false. This setting will be ignored by views that do not
support column spanning.
For more information, see Spanning table columns
For instructions on how to configure a display type for a simple string data type object field, see
“Configuring display types for simple string fields” on page 262.
Known issue
A known issue exists when values in business entity selector fields are updated in the following scenario.
A user in the OpenPages application chooses a business entity for a business entity selector field and
saves it. The entity folder is correctly inserted in the business entity selector field. If the user then clicks
Action > Edit this Business Entity and changes the name of the business entity, the value in the business
entity selector field is not updated with the new name. If the user clicks Action > Edit this Business
Entity again and selects the icon next to the business entity selector field, the select entity is now empty.
Maximum Length The maximum number of bytes allowed to be entered for a string value.
The default value is 4000.
To change the value, type a number in the box.
For instructions on how to configure a display type for a string data type object field, see “Configuring
display types for simple string fields” on page 262.
An alternative to using the URL display type is to use the rich text display type to display a user-friendly
link name. For information, see “Configuring URL link names by using the rich text display type for simple
strings” on page 265.
The following anchor tag applies a larger font and different color to the link name:
You can put multiple anchor tags in a single rich text field. For example, the follow anchor tags display two
link names as a field's default value:
Because you are using the rich text display type rather than the URL display type, the system does not
check whether the URL is valid.
You can add fields that use the rich text display type for link names to all view types. However, on Filtered
List and Grid views the link name is displayed above a glasses icon. Clicking the icon opens a window that
contains the link.
Procedure
1. Click Administration > Field Groups.
2. Select a field group.
3. In the Field Definitions table of the field group, click Add.
a) In Data Type, select Simple String.
b) Click the double arrows (>>).
c) In Default Value, enter the URL address as an anchor tag, for example:
Managing the Home page, views for objects, and display types 265
What to do next
Create objects and use the new field. Since the URL is specified as a default value, the field does not
display on existing object instances.
For instructions on how to configure a display type for a simple string data type object field, see
“Configuring display types for simple string fields” on page 262.
Configure user and group selectors display types for simple strings
You can configure a user, group, user/group, multi-valued user, multi-valued group, or multi-valued user/
group selector display type for a simple string data type object field. An object field that has a selector
display type allows an application user to click either an arrow and select user names from a drop-down
list box or a magnifying glass icon and search for users or groups from a pop-up dialog box.
Object fields with a display type of user selector or multi-valued user selector only accept user names as
valid values. For example, Control Owner is an object field for the control object.
The following selector display types are available for simple string data types:
On all other views provides a magnifying glass icon that users can click to
display a search pop-up dialog box to search for a user.
User Selector Provides a magnifying glass icon that users can click to display a search
pop-up dialog box to search for a user.
Group Selector Provides a magnifying glass icon that users can click to display a search
pop-up dialog box to search for a group.
Depending on the selector display type, you can configure some or all of the following settings.
To modify these settings, click Edit on the Display Type Information tab.
Note: These settings are also applied to the User and Group Search function.
Managing the Home page, views for objects, and display types 267
Table 89: Additional selector display type settings (continued)
Setting Description
Starting Group Controls which group displays at the beginning of the
selection hierarchy.
If the Starting Group value is blank, selectors search the
system for all users and/or groups, depending on the display
type. A blank Starting Group value used in combination with
an Include Disabled value of True can result in improved
search performance.
To select a starting group, click the group icon and select a
valid group name from the selector window.
For example, if you are using role-based security, you could
select the Security Domains group, for non role-based
security, you could select the Workflow, Reporting and Others
group.
Note: There is a known issue with the Starting Group setting.
In the Add New wizard, the Starting Group setting is not
applied to fields that have Display Type set to User
dropdown.
Minimum Access This setting is enabled only if the Include Disabled value is
set to False. This setting allows you to filter users based on
• Read
access control list settings on an object’s folder.
• Write
For example, you want to limit the number of users who can
• Delete be assigned as a Process "Cycle Owner", which is an object
• Associate field with a user selector display type for the Process object.
Because you previously set up an access control list (ACL) for
one or more groups or users to the Process folder, you can
use the Minimum Access setting to filter the list of users. If
you only wanted users with "Delete" permissions to be
displayed on the user selector list, you can select the "Delete"
Minimum Access setting to filter and display only those users
with "Delete" ACL permissions.
If the Read box is:
• Selected - only users with Read access are displayed on the
user list.
• Cleared - no filtering occurs.
If the Write box is:
• Selected - only users with Write access are displayed on the
user list.
• Cleared - no filtering occurs.
If the Delete box is:
• Selected - only users with Delete access are displayed on
the user list.
• Cleared - no filtering occurs.
If the Associate box is:
• Selected - only users with Associate access are displayed
on the user list.
• Cleared - no filtering occurs.
Managing the Home page, views for objects, and display types 269
Table 90: Display type changes that require action (continued)
If you change this To this display type Take this
display type action1
User/Group Selector or Multi-Valued User/Group B
Selector
User/Group Selector Group Selector or Multi-Valued Group Selector A
User/Group Selector or Multi-Valued User/Group B
Selector
Group Selector Multi-Valued Group Selector A
User/Group Selector or Multi-Valued User/Group B
Selector
Multi-Valued User Multi-Valued Group Selector A
Selector
Multi-Valued User/Group Selector B
Multi-Valued Group Multi-Valued User/Group Selector A
Selector
Multi-Valued User/ Multi-Valued Group Selector A
Group Selector
1Actions
• A: If you make this change, and if "End User" is set as the filter value for that actor field in the
filter, the "End User" must be updated to the group so that the filters can return the expected
results.
• B: If you make this change, re-save the filter so that it can return the expected results.
Additionally, you cannot change a Multi-Valued User Selector, Multi-Valued Group Selector, or
Multi-Valued User/Group Selector display type to a single actor display type.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type containing the object field you
want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object, click the name of the object field with the User
Selector display type to open its detail page (for example, Control Owner).
5. On the Display Type Information tab, click Edit.
For object fields that have a long string data type, you can configure how long string data displays to users
on an object’s details page.
There are two sub types of long text fields: medium and large. The size of medium long text fields is fixed
to 32KB. The size of the large long text fields is set by default to 256000 bytes, but that can be increased
by changing the Platform > Repository > Resource > Large Text > Maximum Size setting.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in the
path.
Managing the Home page, views for objects, and display types 271
Be aware of the space used for non-printing characters (such as tabs and line breaks), and formatting and
multi-byte characters (Rich Text display types). These may cause the data to exceed the size of the long
string field, resulting in a message such as:
OP-03381: The specified value for "MyMediumLong" is too long. The 32966
characters entered (32966 bytes) exceeds the maximum size of 32768 bytes.
Reduce the number of characters and re-enter the text. Note that character
count includes non-printing characters, such as spaces, tabs, and line breaks.
The display types for medium long string data are: On Demand, On Demand Rich Text, Text Area, and Rich
Text.
The display types for large long string data are: On Demand, and On Demand Rich Text.
Both medium and large long string fields default to the On Demand display type.
Note: Changing the display type setting will affect the display of this field in all profiles.
For more information on long text fields, see “Data types” on page 143.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type containing the object field you
want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object type, click the name of the object field to open its
detail page.
5. On the Object Field Information table, click Edit.
6. On the edit page select the Required box to make the field required.
7. Click the Display Type arrow and select a value from the list to select a different display type:
• For On Demand and On Demand Rich Text, see “Configuring the on demand display types for long
string fields” on page 272. This applies to both medium and large long string fields.
• For a Text display type, see “Configuring text display types for medium long string fields” on page
273. This applies only to medium long string fields.
• For a Rich Text display type, see “Configuring rich text display types for medium long string fields” on
page 273. This applies only to medium long string fields.
8. Click Save.
Note: To change a field to Read-Only, see “Setting object fields as read-only or editable” on page 260.
You can configure how long string fields are displayed on demand and on demand rich text to application
users on Detail and Activity View pages.
Long string fields can be displayed as on demand and on demand rich text. Both settings allow users to
edit the field in a pop-up window. On demand displays text. On demand rich text displays the data in rich
text format.
The on demand rich text display type provides a text display area with a toolbar and commands for text
formatting and word processing. The toolbar can be minimized or expanded. When this feature is used, be
aware of the space used for non-printing, formatting, and multi-byte characters. These may cause the
data to exceed the size of the long string field, resulting in a message such as:
OP-03381: The specified value for "MyMediumLong" is too long. The 32966
characters entered (32966 bytes) exceeds the maximum size of 32768 bytes.
Reduce the number of characters and re-enter the text. Note that character
count includes non-printing characters, such as spaces, tabs, and line breaks.
Span Columns In Detail Views and Activity Views, fields are typically displayed on the page
in rows within a two-column table format. You can make a row containing a
field span table columns by configuring the Span Columns setting.
The default is true.
When true, the row containing the field will span the columns of the table.
When false, the row containing the field will be displayed within a table
column and not span the columns of the table.
For instructions on how to configure a display type for a string data type object field, see “Configuring
display types for long string fields” on page 271.
Configuring rich text display types for medium long string fields
The rich text display type provides a text display area with a toolbar and commands for text formatting
and word processing. The toolbar can be minimized or expanded.
When this feature is used, be aware of the space used for non-printing, formatting, and multi-byte
characters. These may cause the data to exceed the size of the medium long string field, resulting in a
message such as:
OP-03381: The specified value for "MyMediumLong" is too long. The 32966
characters entered (32966 bytes) exceeds the maximum size of 32768 bytes.
Managing the Home page, views for objects, and display types 273
Reduce the number of characters and re-enter the text. Note that character
count includes non-printing characters, such as spaces, tabs, and line breaks.
Note: When generating reports in PDF format, rich text fields do not render properly and the format is not
preserved.
To modify these settings, click Edit on the Display Type Information tab.
You can configure the size of the display area with the following settings:
Row Units (pixels or The unit of measure in pixels or percent for the Rows setting.
percent)
The default value is "Percent".
To change the value to "Pixels", select the Pixels icon.
Columns The percent or number of pixels allocated to the width of the display area,
which includes the rich text editor interface and text input area.
The default value is 100 percent.
To change the value, type a number in the box. To change the unit of measure,
use the Column units setting.
Column units The unit of measure in pixels or percent for the Columns setting.
The default value is "Percent".
To change the value to "Pixels", select the Pixels icon.
Span Columns In Detail Views and Activity Views, fields are typically displayed on the page
in rows within a two-column table format. You can make a row containing a
field span table columns by configuring the Span Columns setting.
The default is true.
When true, the row containing the field will span the columns of the table.
When false, the row containing the field will be displayed within a table
column and not span the columns of the table.
For instructions on how to configure a display type for a long string data type object field, see “Configuring
display types for long string fields” on page 271.
This is the procedure to configure a display type for object fields that have an Enumerated String data
type. Enumerated strings can be displayed as lists, radio buttons, or check boxes.
For object fields that have an enumerated string data type, you can configure how enumerated string data
displays to users on an object’s details page. The display types for enumerated string data include lists,
radio buttons, and check boxes.
Procedure
1. Access the Profiles page (see “Accessing profiles” on page 214).
2. Click the name of a profile. The Detail page opens.
3. From the Object Types table listing, click the name of the object type containing the object field you
want to modify (for example, SOXControl).
4. On the Object Fields table for the selected object type, click the name of the object field to open its
detail page.
5. On the Object Field Information table, click Edit.
6. On the edit page:
a) To make the field required, select the Required box.
If a field is not required, to provide the ability to enter an empty value in the field:
• For radio buttons, a None option is automatically added to the set of radio buttons.
• For check boxes, the user would clear all check boxes.
• For lists, an empty selection is added to the list of choices.
When None is selected in a set of radio buttons, all check boxes are cleared, or the empty option in
a list is selected, the value for the enumerated field will be blank.
Note: Field dependencies may mean a field is required even if Required is not selected. For details
on field dependencies, see “Dependent field behavior” on page 198.
The None label can be changed and localized in the Application Text | Labels |
com.label.enum.selection.none setting. For details on changing application text, see “Localizing
application text” on page 281.
b) To select a different display type, click the Display Type arrow and select a value from the list.
Select List to set the display as a list. Lists can be single selection or multiple value selection,
depending on the multi-value setting for the field.
Select Radio Button/Checkbox to set the display type as radio buttons or check boxes. If the field
is defined as multi-value, the display will use check boxes. If multi-value is not selected for the
field, the display will use radio buttons.
For details on enumerated string data types, see “Data types” on page 143.
Managing the Home page, views for objects, and display types 275
276 IBM OpenPages GRC Version 7.4.0 : Administrator's Guide
Chapter 13. Localizing text
You can localize display text for object types and fields, and for a variety of application objects and
custom return values. There is an administrative interface that you can use to manage localized text that
displays to users for predefined object types, object fields that are supplied by IBM OpenPages GRC
Platform or created by you, and application objects.
Locale codes
The OpenPages GRC Platform application provides translation support in several languages for predefined
object text. Each supported language has a corresponding locale code that is listed under the object text.
The locale code consists of a language code (for example, "fr" for French) and a country or region code
(for example, "FR" for France).
The following table lists the supported languages with their corresponding locale code.
The default language for object text that has not been translated is U.S. English.
You can globally set a default language in which the application user interface will be displayed to users
and optionally enable auditing of translation label changes. For details see “Set localization options” on
page 345.
Procedure
1. Click Start and select Control Panel.
2. Double-click Regional and Language Options to open its properties.
3. Click the Languages tab.
4. Select the Install files for East Asian languages option.
Locale setting
The Locale list contains a list of product languages. This language setting controls the language of the
product except for the login page.
Data formatting and report languages are available in the following cultures in the Locale list:
Table 94: Languages in the Locale list and the cultures that they represent
Language in the Locale list Culture
French French (France)
German German (Germany)
Italian Italian (Italy)
Japanese Japanese (Japan)
Portuguese Portuguese (Brazil)
Spanish Spanish (Spain)
Object text is the descriptive label name that displays in the application for object types and object fields.
You can translate and modify object text for a specific locale.
For a list of supported locales, see the topic, Chapter 13, “Localizing text,” on page 277.
You can modify the following object text for a locale:
• The singular and plural labels that display the name of an object type (for example, "Risk" and "Risks"
for the Risk object type) or custom form (such as a survey) wherever that object type appears in the
application. For details see, “Modifying display text for an object type” on page 280.
• A singular label that displays:
– The name of an object field in an object view.
For example, if you had an object field called "Impact" that displayed the label text "Impact", you
could change the label text to display "Severity of impact" instead.
– The value or values of an enumerated object string that are displayed on an object's details page.
Note:
• Only plain text should be entered as object text. Adding anything other than plain text to labels, such as
HTML, line breaks, and carriage returns, is not supported.
• Object text has a 4000 character maximum per label.
Object text is grouped primarily by object type with an additional group for unassigned field groups.
For example, the SOXControl group contains the label text for the Control object and its related field
groups.
The Unassigned Field Groups group contains the label text for field groups that are either not
assigned to an object type or are commonly used by all object types, such as System Fields, Currency
Attributes, Publishing, and so forth.
Important: Do not change or translate currency codes.
Procedure
1. Click Administration > Object Text.
2. On the Object Text page, click the name of the object type you want to modify (for example, SOXRisk).
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US).
4. On the Locale Code detail page, make the required changes in the Singular Label box and Plural
Label box to the display label text as needed.
5. Click Save.
Procedure
1. Click Administration > Object Text.
2. On the Object Text page, expand the object type you want, expand the field group you want, and click
the name of the object field that you want to modify. To modify enumerated string values, on the
Object Text page, expand the enumerated object field you want, and click the name of the value that
you want to modify.
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US).
4. On the Locale Code detail page, make the required changes.
5. Click Save.
Procedure
1. Click Administration > Object Text..
2. On the Object Text page, expand the object type you want, expand the filters ( icon), and click the
name of the filter that you want to modify.
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US).
4. On the Locale Code detail page, make the required changes:
5. Click Save.
Procedure
1. Click Administration > Object Text.
2. On the Object Text page, expand Unassigned Field Groups > System Fields, and select the name of
the field that you want to change.
3. On the Locale Information tab, click the name of the locale code you want to change (for example,
en_US).
4. On the Locale Code detail page, make the required changes.
5. Click Save.
Column Headings The table column headings that is used in the object views throughout the
application and in JSP Notification Manager reports.
For example, com.column.heading.start.date contains the text for the Start
Date column, jspreports.notification.tests.column.parent contains the text for
the Parent column in the JSP Notification report.
Custom User-defined keys. For more information, see “Creating a custom setting” on
page 340.
Formats The formatting of numeric and name display text. For details, see “Modifying
display text in the application user interface” on page 282.
Labels Objects that are not considered objects, such as administrative tasks, and
configuration objects.
For example, com.label.acl.read contains the text for the Read property on
the Access Control details page, com.label.email contains the text displayed
next to the email input box on the User create and edit pages.
Menu Items Links to all other menu items that are not listed on the menu bar.
For example, com.menu.item.admin.object.profile contains the text for the
Profile link on the Administration menu,
com.menu.item.admin.reporting.schema contains the text for the Reporting
Schema link on the Administration menu.
Miscellaneous A variety of objects that do not belong to other groups. Includes label text for
such objects as guided action, page footer, reporting status, notification
messages, and so forth.
Reporting Framework Objects that are used by the Reporting Framework.
Table Headings Messages that are displayed to users within a table as well as the tabs
(tabular headings for a table).
For example, com.table.empty.users contains the text that displays in the
User listing table when no users are found, com.table.heading.object.field
contains the text for the Object Field Information tab on the Object Field
details page.
You can modify the value of the displayed label or text for any application object (such as icons, labels,
report names and descriptions, messages) in the IBM OpenPages GRC Platform user interface. The
process for modifying display text is the same for all application objects, including reports.
Changes to the displayed text appear wherever the particular object is displayed in the application.
Note:
Procedure
1. Click Administration > Application Text.
2. On the Application Text page, open the folder that contains the label of the object field you want to
modify (for example, Buttons or Miscellaneous), expand the folder, and click the name of the object
field or key you want to modify.
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US or ja_JP).
4. On the Locale Code details page, make the required changes in the Label box to the display label text
as needed.
5. Click Save.
You can modify the format of the bucket heading in the phonebook style pop-up box of the User selector
for a locale.
Note: You can also modify the bucket size of the phonebook. For more information, see “Actor selectors:
Configure the bucket size of the phonebook” on page 314.
Procedure
1. Click Administration > Application Text.
2. On the Application Text page, expand the Formats folder and click the
com.user.bucket.name.format link to open its detail page.
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US).
4. On the detail page, modify the format in the Singular Label box. The default format is {0} - {1}.
The format string uses Java code. Generally, the {0} in the format string is a variable that is replaced
by the name of the target object.
5. Click Save.
Example
To display a bucket heading with the name of the first person in the bucket followed by a dash and then
the name of the last person in that bucket, you would enter the following codes in the Singular Label field:
{0} - {1}.
You can control how user names are displayed for a locale. By default, only the user name displays.
When you change the display name format, the change occurs throughout the application wherever the
person's name displays. For example, if you modified the name format so that the last name of the person
was followed by the person's first name, that modified name format displays in the menu bar, user
selector, and search result boxes.
Note: If an invalid format string is defined, only the user's logon name will be displayed.
Example
To display the first and last name of users, you would enter the following codes in the Singular Label box:
%FN; %LN;.
When the first and last names are used, the user name is shown with a hyphen. For example, User_JS -
John Smith.
Procedure
1. Click Administration > Application Text.
2. On the Application Text page, expand the Formats folder and click the
menu.item.documentation.object.overview link to open its detail page.
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US).
4. On the detail page, modify the text in the Singular Label box.
The singular label of the object type is represented by {0} in the format string.
5. Click Save.
To view the changes in the browser, users must log out and then log back in to the application.
Procedure
1. Click Administration > Application Text.
2. On the Application Text page, expand the Formats folder and click the
menu.item.documentation.object.folder.view link to open its detail page.
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US).
4. On the details page, add or edit text in the Singular Label box.
Note: The plural label of the object type (such as, Risks, Controls, Processes) is represented by {0} in
the format string.
5. Click Save.
Example
If you wanted to change the Folder View or Filtered List View link format from the object type name (such
as Risks or Controls) which is represented by {0}, to display the object type name followed by the text
"View" (such as Risks View or Controls View), you would enter the value in the Singular Label box as {0}
View.
Procedure
1. Click Administration > Application Text.
2. On the Application Text page, expand the Formats folder and click the
menu.item.documentation.object.list.view link to open its detail page.
3. On the Locale Information tab, click the name of the locale code you want to modify (for example,
en_US).
4. On the details page, add or edit text in the Singular Label box.
Note: The plural label of the object type (such as, Business Entities) is represented by {0} in the
format string.
5. Click Save.
You can add new keys to the Custom folder for localization.
Note: For Cognos report pages (or JSP report instances) that were manually created using the publishing
facility on the IBM OpenPages GRC Platform server, you can use the values in the Report Name Key and
Report Description Key fields on the report page to manually create custom application text keys to
localize the name and description of a report after it is created.
Procedure
1. Click Administration > Application Text.
2. On the Application Text page, in the Custom folder, click the Add New link to open its detail page.
3. On the add detail page:
a) In the Name box, type the name of the key.
For example, a report called My Loss Events could have report.name.my.loss.events for a
report name key or report.description.my.loss.events for a report description key.
b) Optionally, type a description of the key.
c) In the Default Label box, type the text that will be displayed, by default, if no translated text is
provided.
d) Click Create.
4. Click the name of the field created in the previous step, to open its detail page.
5. To change the label text for a locale, on the Locale Information pane:
a) Click the link for the locale code you want.
b) In the Label box, type the translated text you want displayed for that locale.
c) Click Save.
Procedure
1. Click Administration > Application Text.
2. On the Application Text page, in the Custom folder click the name of a key to open its detail page.
3. On the Locale Information pane:
a) Click the link for the locale code you want.
b) In the Label box, type the translated text you want displayed for that locale.
A reporting period is a "snapshot" of the current state of the repository, usually created when the
documentation phase of a quarter or year is complete and ready for attestation. Administrators with the
Reporting Periods application permission can create, modify, and delete reporting periods. Object resets
are a way to automatically modify objects that exist in the IBM OpenPages GRC Platform repository.
Object resets are rule-based operations that are contained in a ruleset.
Past reporting periods can then be viewed and reported on from any time in the future without rolling
back the changes made to the repository after the reporting period was created. After a reporting period
is created, the existing report is carried forward to the current reporting period and can be modified
without altering the state of the earlier reporting period’s data. Only one reporting period at a time can be
"Active".
The most common use of the object reset functionality is to "reset" all of your objects at the beginning of a
new reporting period. For example, each quarter you have controls and tests that need to be reviewed and
performed. The results of those tasks are recorded by updating the properties and attachments of the
appropriate objects. After all quarterly tasks are completed, and the quarter is finished, you archive all of
the results into a reporting period and prepare for the new quarter. However, the existing objects still
display the test results and changed properties of the previous quarter. If you are planning to reset your
data as part of the beginning of a new reporting period, you will have to archive the existing data to a
reporting period.
Rather than modify the objects by hand, you can use the object reset capability to take your existing
objects and modify their properties based on the rules in your ruleset.
While object resets work well with the reporting period capability of the OpenPages GRC Platform
application, object resets do not require the existence of a reporting period to be used.
After an active reporting is finalized, the contents of that reporting period cannot be altered. Any changes
to the objects or files will only be reflected in the current reporting period.
This allows administrators to create the next reporting period ahead of time and then apply it
incrementally to different areas of their documentation project when each area is ready to be finalized.
ACL interactions
When viewing objects, your existing ACLs control which objects you can view in the current reporting
period and in past reporting periods. If your access permissions change in the current reporting period,
you will be able to view the newly accessible items in past reporting periods, and you will not be able to
view items to which you have lost permissions, even if in past reporting periods you had access to them.
Regardless of your access permissions, you are never allowed to add, edit or remove objects and/or files
from past reporting periods.
Procedure
1. From the menu bar, select Administration and click Reporting Periods.
2. Click the Add Active icon.
3. Enter the necessary information and click Create. You are returned to the Reporting Periods page and
the new reporting period is listed in the table with a status of "Active".
4. Click Refresh to update the current value of the Status field.
Results
After adding a new reporting period, the reporting period will be added to the Reporting Period selection
list on each overview and object page.
Note: If you have any standalone objects in your system (objects that were not created in the context of a
business entity hierarchy) they will be immediately finalized when the reporting period is created.
Procedure
1. From the menu bar, select Administration and click Reporting Periods.
2. Click the Add Finalized icon.
3. Enter the label and description for the new reporting period and click Create.
When an active reporting period is created, it is applied to all of the objects (resources) in the IBM
OpenPages GRC Platform repository. While a reporting period is active, there are two actions you can take
- reapplying the reporting period, or finalizing the reporting period. The reporting period can be reapplied
or finalized on a business entity by business entity case.
Reapplying a reporting period updates the reporting period version of the entity (and its associated
hierarchy of objects) to match the current "live" version. Reapplication of the reporting period can be done
at any level of the business entity hierarchy, and will only affect the children of the currently viewed
business entity.
Note: To perform any Reporting Period operation, the system must be in System Administration Mode
(see “Enabling and disabling System Administration Mode” on page 17).
Procedure
1. Navigate to the business entity you want to be the root of the reapplied reporting period.
2. Select the active reporting period from the list and click the View icon.
3. On the locks page, if you want to remove all locks on the selected business entity after the reapply
operation, select the Remove all Locks option.
4. Click the Re-Apply icon to update the business entity and all of its children to their current "live"
version.
Results
For example, if you have a business entity with the field "Entity in Scope?" set to "Yes" and you create an
active reporting period, when you view that business entity in that reporting period you will see "Yes" as
the value.
If you then change the value of Entity In Scope to "No" in the Current Reporting Period (the live data), and
you want to update the entity in the active reporting period, you can reapply the active reporting period
and the value of Entity In Scope will be updated to "No".
Note: There is no way to reverse a reapplication of a reporting period or to only pick up some of the
modifications made to the children of the business entity, so be careful when reapplying a reporting
period.
After you are certain that no more changes need to be made to a business entity and its descendants, you
can finalize the reporting period for that business entity.
After you finalize an entire reporting period, it ceases to be active. Only then can you create a new active
reporting period. If even one business entity is not finalized, the reporting period remains active.
Procedure
1. From the menu bar, select Administration and click Reporting Periods.
2. Click the name of the active reporting period.
3. Click the Finalize icon to finalize the entire reporting period. The status of the reporting period
changes to Finalizing.
After you create a reporting period, occasionally you may have to delete it to reflect last-minute changes
to your financial close, or due to a mistake in the name (for example, wrong quarter, wrong year, and so
forth).
IBM OpenPages GRC Platform supports deletion of reporting periods for a configurable amount of time
after the reporting period is created. for details on this setting, see “Modify the deletion interval for a
reporting period” on page 311.
If the deletion period has expired, then the active reporting period cannot be deleted.
If the deletion period has not expired, then the active reporting period can be deleted.
Note: The default period for deletion of a reporting period is seven days after creating an active reporting
period.
When a reporting period is deleted, no files are removed from the database.
Procedure
1. From the menu bar, select Administration and click Reporting Periods.
2. On the Reporting Periods page, select the reporting periods you want to delete.
3. Click Delete at the beginning of the page.
You are returned to the Reporting Periods page and the deleted reporting period is removed from the
table.
4. Click Refresh to update the current value of the Status field while the deletion is occurring.
Results
If you cannot delete a reporting period (you click the check box and the Delete icon does not activate),
the deletion period for that reporting period has expired. However, you can retroactively change the
deletion period setting.
Object resets
Object resets are a way to automatically modify objects that exist in the IBM OpenPages GRC Platform
repository. Resets can be started by users with the proper permissions from the Object Resets menu item
in the Administration section of the menu bar.
The most common use of the object reset functionality is to "reset" all of your objects at the beginning of a
new reporting period. For example, each quarter you have controls and tests that need to be reviewed and
performed. The results of those tasks are recorded by updating the properties and attachments of the
appropriate objects. After all of these quarterly tasks have been completed, and the quarter is finished,
you archive all of the results into a Reporting Period and prepare for the new quarter. However, the
existing objects still display the test results and changed properties of the previous quarter.
Suppose that you have files that are attached to test results. You can configure the settings to delete
attachments when test results are deleted. To delete the SOXDocument objects, you can add
SOXDocument to the Cascade Delete setting to delete the files that are associated with the test results
during the object reset rule to delete test results.
Creating a ruleset
Object resets are rule-based operations on the objects in your IBM OpenPages GRC Platform repository.
The rules that govern how an object reset will affect your data are contained in a ruleset file.
A ruleset is a set of rules contained in an XML loader file that is created outside of the OpenPages GRC
Platform application. Multiple rulesets can be included in a single XML file. The ruleset loader file is
loaded into the system through the ObjectManager loader tool. After the ruleset is imported, it can be
selected during the Specify Options step of the Object Reset guided action.
When you use ObjectManager loader tool to import security rules, the entire ruleset is loaded and replace
existing security rules that have the same name as a imported rule. Before importing security rules,
export your existing rules first.
<file-identifier>-op-config.xml
Sample ruleset
The following XML is a sample ruleset.
<openpagesConfiguration xmlFormatVersion="1.20">
<ruleSets>
<ruleSet name="Quarterly Reset"
description="Rule set to be executed at the beginning of each
and every quarter"
type="Object Reset">
</property>
<property name="Impact"
useDefaultValue="false">
<propertyValue name="Unknown"/>
</property>
</bundle>
</propertyUpdateRule>
</rule>
</ruleSet>
<!-sample Reset Ruleset for a currency property->
<ruleSet name="Your_Ruleset_Name"
description="Reset a currency property"
type="Object Reset">
<rule name="Reset a currency property"
description=""
type="Property Update">
<propertyUpdateRule contentType="SOXAccount">
<bundle name="OPSS-Account_Annualized Value">
<property name="Annualized Value_LA"
useDefaultValue="false">
<propertyValue name="1.0"/>
</property>
</bundle>
<bundle name="OPSS-Account_Annualized Value">
<property name="Annualized Value_LC"
useDefaultValue="false">
<propertyValue name="AED"/>
</property>
</bundle>
<bundle name="OPSS-Account_Annualized Value">
<property name="Annualized Value_ER"
useDefaultValue="false">
<propertyValue name="1.0"/>
</property>
</bundle>
</propertyUpdateRule>
</rule>
</ruleSet>
</ruleSets>
</openpagesConfiguration>
<openpagesConfiguration xmlFormatVersion="1.15">
</openpagesConfiguration>
Attributes:
• xmlFormatVersion
Version of the IBM OpenPages GRC Platform XML DTD.
<ruleSets>
Description: Container tag for one or more ruleSet tags.
Parent Tags: <openpagesConfiguration>
Child Tags: <ruleSet>.
Syntax:
<ruleSets>
</ruleSets>
Attributes: None.
<ruleSet>
Description: A ruleset is a collection of rules that will be executed when the ruleset is selected during a
Reset session. Each ruleset is displayed in the IBM OpenPages GRC Platform user interface as a separate
entry in the list of Rulesets.
Parent Tags: <ruleSets>
Child Tags: <rule>
Syntax:
<ruleSet name="Name"
description="Description"
type="Object Reset">
</ruleSet>
Attributes:
• name
An identifying name for the ruleset. Will be displayed in the OpenPages GRC Platform user interface.
The maximum length for the ruleset name attribute is 255 bytes (not characters).
• description
A description of the function of the ruleset. The maximum length for the ruleset name attribute is 2000
bytes (not characters).
• type
The type of ruleset. Currently, there is only one type - "Object Reset".
<rule name="Name"
description="Description"
type="[Property Update|Object Delete|Object Disassociate]"
</rule>
Attributes:
• name
The name of the rule. The maximum length for the rule name attribute is 255 bytes (not characters).
• description
A description of the function of the rule. The maximum length for the rule name attribute is 2000 bytes
(not characters).
• type
The type of rule. There are three types of rules: Property Update, Object Delete, and Object
Disassociate.
<propertyUpdateRule>
Description: The <propertyUpdateRule> tag defines a rule that modifies the value of an existing property
on a certain object type. Unless modified by the use of the <criteria> tag within the same <rule> tag, all
objects of the specified object type within the scope of the Reset will be updated.
Parent Tags: <rule>
Child Tags: <bundle>
Syntax:
<propertyUpdateRule contentType="">
</propertyUpdateRule>
Attributes:
• contentType
Specifies the object type that the rule will be applied to. Must match a valid IBM OpenPages GRC
Platform object type.
<bundle>
Description: The <bundle> tag specifies which bundle contains the property to be modified.
Parent Tags: <propertyUpdateRule>
Child Tags: <property>
Syntax:
<bundle name=""
</bundle>
Attributes:
• name
<property>
Description: The <property> tag is used inside a <bundle> tag to specify the property that will be updated.
Parent Tags: <bundle>
Child Tags: <propertyValue>
Syntax:
<property name="">
useDefaultValue="[true|false]"
[<propertyValue>
<propertyValue>]
</property>
Attributes:
• name
The name of the property to be updated.
• useDefaultValue
Specifies whether the property should be updated to reflect the default value of the property (if one
exists). If no default value exists, the property is not updated.
<objectDeleteRule>
Description: The <objectDeleteRule> tag is used to specify an object type for deletion. Unless modified by
the use of the <criteria> tag within the same <rule> tag, all objects of the specified object type within the
scope of the Reset will be deleted.
Parent Tags: <rule>
Child Tags: None.
Syntax:
<objectDeleteRule contentType=""/>
Attributes:
• contentType
Specifies the object type to be deleted. All objects of this type within the scope of the Reset are deleted.
<objectDisassociateRule>
Description: The <objectDisassociateRule> tag is used to disassociate an object type from another object
type. If you use the <criteria> tag with this rule type, the criteria must be based on the child’s property
values. You cannot base a rule on properties or property values belonging to the parent object type.
Parent Tags: <rule>
Child Tags: None.
Syntax:
<objectDisassociateRule parentContentType=""
childContentType=""/>
Attributes:
• parentContentType
Identifies the parent object type that the child object type is associated with.
• childContentType
<criteria>
Description: The <criteria> tag is used to refine the behavior of a rule by specifying the standards that
need to be met in order to invoke the rule. The criteria tag can contain one or more <criterion> tags that
will be judged when deciding whether to apply the rule to a specific object.
It should be noted that criteria can only be applied in a "positive" manner - that is, if the criteria are met,
the rule will be used. You cannot specify a rule where if the criteria are met, the rule is NOT applied.
Parent Tags: <rule>
Child Tags: <criterion>
Syntax:
<criteria logicalOperator="[and|or]">
Attributes:
• logicalOperator
Specifies whether all of the criterion ("and") will be used to determine whether the rule will be applied
to the object, or if only one of the criterion ("or") needs to be satisfied.
<criterion>
Description: The <criterion> tag allows the user to specify a property and value(s) that must match the
evaluation specifications set in the <criterion> tag.
Use a maximum of three criterion within a single <criteria> tag. Adding additional criterion will increase
the processing time required to complete the Reset.
Parent Tags: <criteria>
Child Tags: <propertyValue>
Syntax:
<criterion bundle=""
property=""
operator="[=|<>|<=|<|>|>=|like]"
<propertyValue=""/>
[<propertyValue=""/>]
</criterion>
Attributes:
• bundle
The property bundle containing the property to be evaluated.
• property
The property name of the property to be evaluated.
• operator
Specifies the manner in which the value of the property will be evaluated. Valid operators are equal (=),
not equal (< >), greater than (>), less than (<), greater or equal to (>=), less than or equal to
(<=), and "like".
Only the equal, not equal, and "like" operators can be used with string variables.
Note: The "like" parameter allows the use of wild cards in the <propertyValue> tag. These wild cards
consist of the "%" and "_" symbols, which are passed to a SQL database query against the database.
<propertyValue>
Description: The <propertyValue> tag performs two functions, depending on its location. The Boolean
property value must be all lowercase. For example, "true" is correct, "True" is incorrect.
If the <propertyValue> tag is contained inside a:
• <property> tag, it specifies the new value (or values) for the updated property.
• <criterion> tag, it specifies the relevant property to be considered when applying the criteria.
Note: The <propertyValue> referenced in a <criterion> tag cannot be null (or empty).
If you are modifying an enumerated string (drop-down list) property that is multi-selectable, you can
place multiple <propertyValue> tags inside the <property> tag. When the rule is processed, all of the
<propertyValue> tags will be evaluated, and the property will be modified to select all of them.
Parent Tags: <property>, <criterion>
Child Tags: None.
Syntax:
<propertyValue name=""/>
Attributes:
• name
Specifies the value of the property. The maximum length for the property value’s name attribute is 2000
bytes (not characters).
After you have finished creating the ruleset loader file, you will need to use the ObjectManager tool to load
the ruleset into the IBM OpenPages GRC Platform system.
If you load a ruleset with the same name as an already-loaded ruleset, the ruleset will be overwritten with
the new rules. To return to an earlier version of the ruleset, you would have to re-load the original ruleset
loader file. Rulesets are not "version-controlled".
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
2. Navigate to the <OP_Home> directory.
Where: <OP_Home> represents the installation location of the OpenPages GRC Platform application.
By default, this is:
• Windows - C:\OpenPages
• AIX and Linux - /opt/OpenPages
3. Run the following command on a single line:
Procedure
1. Log on to the IBM OpenPages GRC Platform system as a user with the Object Reset application
permission.
Note: If you have chosen to obey ACL restrictions, the user must have the permissions to modify the
objects within the scope of the Reset. If the user does not have sufficient permissions, warning
messages will be generated in the log, and the objects will not be modified.
Reset status
The new reset session is added to the list of reset sessions on the Object Reset page. You can track the
progress of the reset by monitoring the Status column of the table.
The possible values for the Status field are Initiated, In Progress, Completed, or Failed.
The "Failed" status will only be shown if the system is set to stop the reset if errors are encountered. If the
system is set to continue on errors, then when the reset is completed, the "Completed" status will be
shown. Any errors that occurred during the reset will be captured in the Reset Session Log.
In addition to the detail page, a detailed view of the reset session is recorded in the reset session Log. The
level of detail depends on the configuration setting.
For details on setting the logging level, see the topic “Performing the object reset” on page 302.
Procedure
Click the View Log icon on the reset session detail page.
The reset session log contains three sections - the error messages section, the warning messages section,
and the informational messages section.
You can export all of the object reset rulesets to an XML file using ObjectManager. In order to do this, you
must have file access to the IBM OpenPages GRC Platform server.
This procedure will export ALL defined rulesets. Exporting rulesets does not remove them from the
OpenPages GRC Platform application; they will still be available for use after they are exported.
Procedure
1. Back up the ObjectManager.properties file.
Note: The ObjectManager.properties file is located in the root installation folder of your
OpenPages GRC Platform installation. By default, this is c:\OpenPages.
2. Open the ObjectManager.properties file in a text editor.
3. Locate the following block of settings in the file:
configuration.manager.dump.modules=true
configuration.manager.dump.file.types=true
configuration.manager.dump.bundle.types=true
configuration.manager.dump.file.upload.content.types=true
configuration.manager.dump.jsp.based.content.types=true
configuration.manager.dump.content.type.relationship.sets=true
configuration.manager.dump.app.permissions=true
configuration.manager.dump.actors=true
configuration.manager.dump.actor.group.memberships=true
configuration.manager.dump.actor.object.profile.associations=true
configuration.manager.dump.non.form.based.resources=true
configuration.manager.dump.form.based.content.types=true
4. Modify each line to have a false value, except the line that reads:
configuration.manager.dump.rule.sets=true
configuration.manager.migrate.configuration.objects
where
<password> is the password to the OPAdministrator user account.
<path-to-XML-file> is the full path to the ruleset file you created.
<file-identifier> is the portion of the ruleset file name preceding "-op-config.xml". When the XML file
is created, the file name will append "-op-config.xml" to the end of the filename. For example, if you
specified a <file-identifier> called "ruleset", the generated XML file would be named "ruleset-op-
config.xml".
10. A new XML file is generated in the specified location that contains only the latest version of the
rulesets that exist in the application at the time of the export.
Note: Be sure to "reset" the ObjectManager.properties file to its original contents - otherwise, your
scheduled backups using ObjectManager will only export the rulesets.
To access the Settings menu, you must have Settings application permission on your account.
Use this procedure to view the Configuration and Settings page. For more information, see “Types of
application permissions” on page 32.
Procedure
1. Log on to IBM OpenPages GRC Platform with an account that has the Settings application permission.
2. From the navigation bar, select Administration > Settings.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
From the Settings page, view summary information about settings and access the Detail page.
On the Settings page, the Application folder settings represent a selected list of individual settings.
All of the following actions are accessed from the Applications folder.
To access the Applications folder settings menu item, you must have Settings application permission set
on your account. From the navigation bar, select Administration > Settings > Applications.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in the
path.
To enhance performance on an Overview view page, you can change the maximum number of nodes that
can be displayed to users in an Overview view by changing the value of the Overview Cache Capacity
setting.
If the number of nodes that are displayed exceeds the default of 10000, the additional nodes are not
displayed. Each cached object requires 1600 bytes of memory.
Administration > Settings > Applications > GRCM > Caches
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: 10000
Value: In the Value box, type a new numeric value.
The new setting will take effect after you log out and log back in.
To display a client-specific page with information about accessibility for disabled users, configure the
display of the Accessibility link in the header pane of the IBM OpenPages GRC Platform application.
When a user clicks the Accessibility link, the designated page is displayed. By default, the Accessibility
link is not displayed in the header pane of the application.
Administration > Settings > Applications > Common > Accessibility > URL
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Value: In the Value box, type a URL.
For example, you create a page in HTML format that contained information about your company's
accessibility policy for disabled users and want this policy to be available to all users through the
application. The saved file is named accessibility.htm and was copied to the custom_files
folder, which you created, under the /sosa folder location on the server, "machine1".
The URL path that you would enter in the Value box might look similar to the following:
http://machine1:7009/openpages/custom_files/accessibility.htm
Show or hide field-specific guidance on the Add or Edit page of an object through the Show Field
Guidance setting.
By default, the Show Field Guidance setting is set to display in the application. When a user clicks a
question mark icon next to a specific field on an object's Add or Edit page, the field guidance text is
displayed.
Administration > Settings > Applications > Common > Configuration > Show Field Guidance
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: true
Values:
• true - the question mark icon and field guidance text is displayed to users.
The Show System Generated Field Guidance setting controls whether information about field
dependencies and dependent picklists is appended to field guidance.
For this setting to have effect, the Show Field Guidance setting must be set to true. If Show Field
Guidance is false, then no guidance would be shown in any event. For details, see“Display or hide field
guidance” on page 308.
Administration > Settings > Applications > Common > Configuration > Show System Generated Field
Guidance
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: true
Values:
• true - shows system-generated dependencies information.
• false - suppresses system-generated dependencies information.
You can disable the Add New capability for any or all objects from several launch points within the
product. There is a different registry setting for each of the launch points.
These launch points do not prefill parent information. If users find it difficult to select the most
appropriate parent information for particular object types, you can disable the Add New capability.
Note: The Object Types Disabled setting overrides these settings. If an object type is disabled
everywhere, there is no need to disable the Add New wizard individually for each launch point. For more
information about the Object Types Disabled setting, see “Controlling the availability of object types in
the Add New wizard” on page 204.
If an object view for an object type is configured to display both a Folder View and Filtered List View
(displayed as tabs on the page), you can configure which tab is displayed first to users on the page
through the Default Object View setting.
Note: For information about configuring Folder and Filtered List views for an object type, see “Folder
views and Filtered List views” on page 237.
Administration > Settings > Applications > GRCM
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: filter
Values:
• filter - the Filtered List View tab is displayed first to users.
• folder - the Folder View tab is displayed first to users.
The file check-out feature locks files to prevent other users from uploading and overwriting changes, or
from moving, renaming, or deleting the file while a file is checked out. When the file is checked in, the lock
is removed.
You can configure the display of the Check Out and Check In icons by changing the value of the Enable
File Checkout setting.
Use the Sort by Modification Date setting to globally configure the sorting behavior of objects in list views
so that objects are listed by their modification date. By default, objects in a list view are listed by name.
For example, an object type has multiple associated objects. By default, associated objects are listed by
name in a list pane on a Detail View page. However, users want to see associated objects that are listed by
their last modified date. To globally change the sort order of objects in list panes so that objects are listed
by the date they were last modified, you would set the value of the Sort by Modification Date setting to
true.
Administration > Settings > Applications > GRCM > List View > Sort by Modification Date
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values:
• true - objects in a list view are sorted by their last modification date.
• false - objects in a list view are sorted by name. This is the default setting value.
You can configure the number of days in which a reporting period can be deleted after it is created. After
the specified interval, the reporting period can no longer be deleted.
Administration > Settings > Applications > GRCM > Reporting Periods > Delete Interval
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: 7 days
Value: In the Value box, edit the number of days you want for the deletion interval.
Some settings are hidden to protect these settings from being modified. To display hidden settings,
change the value in the Show Hidden Settings setting.
Administration > Settings > Applications > Common > Configuration
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Use the Page Size setting to control the number of rows that are listed per page. This setting applies to
the following administrative areas within the IBM OpenPages GRC Platform application: user and group
management, role assignments, profile user association, and custom security.
Administration > Settings > Applications > Common > Administration > Users and Groups > Page Size
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: 100
Values: In the Value box, type a number.
You can use the Bucket Size setting to control the number of user names that are displayed in a bucket or
category within the User Selector phonebook style pop-up dialog box.
For information about the phonebook, see “Modifying the phonebook” on page 271.
The number of buckets that are displayed in the phonebook is determined by the size of the bucket and
the number of users. For example, if there are 100 users and the bucket size is set to 20, the phonebook
would display 5 buckets of 20 users per bucket.
Administration > Settings > Applications > Common > User Selector > Bucket Size
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: 10
Values: In the Value box, type a numeric value for the number of users you want displayed per bucket.
For all selector display types, you can use the Fields setting to configure additional display information for
users and groups.
This setting applies when a phonebook style user or group selector dialog box is open on certain pages,
including when:
• assigning a user or group administrator permissions from a Security Domain page
• selecting the starting group when configuring display type attributes for a user or group field in a profile
For information about selector dialog boxes, see the topic “Modifying the selector dialog box” on page
271.
Note:
For example, to display the email address of users followed by a description of the user, type the
following codes in the Value box: %EM;%DN;.
The result of these settings in the User Selector is that the Name column is followed by the Email and
Description columns.
Deprecated.
Administration > Settings > Applications > GRCM > Detail Page > Use Actor Search Only
Customize the administration menus for your users by adding custom menu items.
Attention: Users do not see changes to menus until the next time they log in.
The navigation bar in IBM OpenPages GRC Platform contains various menus that represent categories for
grouping views and object types. Use the Items setting to modify the order in which the main menus are
displayed on the navigation bar.
Which categories for object types are available as menus on the navigation bar depends on your particular
business solution.
Administration > Settings > Applications > GRCM > NavigationMenu > Items
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: MyOpenPages is typically displayed as the first menu item on the navigation bar, and
Administration as the last menu item.
Values: In the Value box, modify the order of the menus as you want these to appear on the
navigation bar.
Note:
• The list must be comma delimited.
• The order in which the menus are defined in the list determines the order in which the menus are
displayed on the navigation bar in the application user interface.
In the following example, the menus on the navigation bar are displayed as follows: My OpenPages
followed by Reports, Organization, Remediation, and then Administration.
MyOpenPages,Reports,Organization,Remediation,Administration
The navigation bar in the IBM OpenPages GRC Platform application contains various menus that
represent categories for grouping views, object types, and system pages.
There are two types of menu items that you can add to a menu: object types and system pages.
Administration > Settings > Applications >
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Values:
Note:
RiskAssessment,SOXRisk,__separator__,SOXControl,SOXTest,
SOXTestResult
Risk Assessment
Risk
______________
Control
Test
Test Result
• The order in which the submenu items are defined in the list determines the order in which the
submenu items are displayed in the selected menu on the application user interface.
• The list must not have any leading or trailing spaces.
For most object types, you can auto-generate their names when they are created or copied. This ability
allows users to enforce internal naming policies and ensure unique object names.
The auto-generation of object names is controlled by a series of settings that can be accessed from the
Settings menu item under the Administration menu on the navigation bar. It is possible to turn
autonaming on or off for each object type individually. For example, you might want all business entities
and processes to be named by users, but all risks, controls, and test plans named automatically by the
IBM OpenPages GRC Platform application.
Note: Auto-naming is not supported for the following object types: SOXDocument and SOXSignature.
Although auto-naming is not supported for SOXDocument objects, you can control how duplicate file
names are handled. For information, see “SOXDocument object auto-naming settings for duplicate file
names” on page 320.
Administration > Settings > Applications > GRCM > Auto Naming
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Values: For each object type, you can modify the following settings:
New object Determines whether new instances of the object are automatically named.
If the value is set to:
• true - auto-naming is enabled for new instances.
• false - auto-naming is disabled for new instances.
The default value is false.
Can be edited Determines whether the generated name can be edited during the creation
process.
If the value is set to:
• true - the generated name can be edited.
• false - the generated name cannot be edited.
The default value depends on the object type.
Default parent If the created object has no parent, the value for this parameter will be used to
name replace the "%P;" variable in the generated name.
Format Determines the format of the generated name. Additional details can be found in
“Configure the format of object names” on page 318.
The Format setting allows you to incorporate some contextual information about the object, as well as an
identifier in the object name.
You can use the variables that are described in the following table to format the auto-generated name.
Administration > Settings > Applications > GRCM > Auto Naming
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Values:
• In addition to the variables, you can include any valid text in the auto name.
• The name of an object:
– Must be 252 bytes or less.
– Cannot contain forward slashes (/), backslashes (\), or the ellipsis character (...).
Name examples
If we use a parent Process of "Hiring Practices" and a creator of "JSmith", and have the following
settings:
• Auto-Named value is set to true
• Can be Edited value is set to false
• Format value is set to %P;_RIS_%N7;
• Default Parent Name has no value set.
The auto-generated name is "Hiring Practices_RIS_0000001" and could not be edited.
Example 1:
For the auto-naming format parameter
would result in the generated name "Risk 001 for Hiring Practices (JSmith)"
Example 3:
Not all of the variables need to be used in an auto-generated name. For example,
results in "_RIS_0000001"
Use the Auto Remediate Duplicate File Names setting to control auto-naming for SOXDocument objects.
Within a folder, file names for SOXDocument objects must be unique. This setting controls what happens
when a duplicate file name is added. The system can add a numeric suffix to the file name or force the
user to rename it.
Administration > Settings > Applications > GRCM > Auto Naming > SOXDocument > Auto Remediate
Duplicate File Names
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: true
Values:
• true - adds a numeric suffix to the file name.
• false - forces users to rename the file.
In infrequent user applications, such as questionnaire assessments and IBM OpenPages Loss Event Entry,
this setting is ignored and duplicate file names are automatically renamed.
In Folder View, this setting is ignored and an error is issued when a user saves a duplicate file name in the
folder. The user must manually rename the file.
If your organization has multiple IBM OpenPages GRC Platform environments, you can move data from
one environment to another without needing physical access to either environment. Migration means
exporting from a source environment and importing into a target environment. The following Application
settings support environment migration:
For details, see Chapter 22, “Migrating OpenPages GRC Platform environments,” on page 575.
Administration > Settings > Applications > GRCM > Environment Migration
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
\ / | * : { } [ ] " ?
Maximum String Controls how many rows are displayed in the Review selected items box
Items when exporting items with environment migration. Permissible values are any
integer greater than zero. The default is 10000.
Certain categories of items that can be exported with Environment Migration
(such as Application Text) contain many tens of thousands of items. To reduce
the page size and make Internet Explorer more responsive when reviewing
these categories, you can now set a limit on the number of items that are
shown. When a limit is set you can still use the search feature to find items
beyond the row limit.
Process Log Report The location of the Process Log Report Page Spec. This value was previously
Page Spec fixed and can now be set. The default is /_cw_channels/Reporting/
Hidden Reports/CommandCenter/Administrative Reports/
Environment Migration/Process Log Report.pagespec
Special Character Specifies whether special characters are checked while validating names of
Validation metadata. The default is true. Set to false to preserve legacy special
character rules.
For all profiles, you can globally configure the size of the pop-up window for report fragment fields in
certain object views.
A report fragment pop-up window can be sized:
• Manually - by specifying the size of the pop-up on the field definition page of a report fragment field.
• Automatically - if no size is specified on the field definition page of a report fragment field, the pop-up
window will be automatically sized using the settings in Table 101 on page 322.
Report fragment fields with a display type of On Demand always display Cognos report components in a
pop-up window.
For report fragment fields with a display type of 'Automatic', the display behavior varies depending on the
object view:
• For Detail and/or Activity View pages - Cognos report components are always embedded directly into
the cell of the report fragment field.
Use the Mail Server setting to configure your mail server so you can automatically send email
notifications to users from your JSP-based reports or the Notification Manager utility.
The Mail Server setting is also used to do mail routing for objects that use lifecycles, for example,
questionnaire assessments and incidents. Email notifications are sent to lifecycle assignees when a
lifecycle starts and with every transition except for close transitions.
For emails generated by lifecycle triggers, the sender address is specified in the trigger.xml file. The
default is [email protected]. For more information about lifecycle triggers, see the IBM
OpenPages GRC Solutions Guide.
Depending on your environment, you can configure the following settings:
• SMTP Password
• SMTP Port
• SMTP Security Type
• SMTP User Name
• SOCKS Proxy Private IP Address
Define SMTP Port and SMTP Security Type if you use a third-party SMTP provider. Valid values for
SMTP Security Type are SSL/TLS and STARTTLS. You must also import the SSL certificate from the
SMTP server provider. Refer to the SMTP provider's documentation and import it by using IBM WebSphere
administrative console. Leave SMTP Port and SMTP Security Type empty if you have an unencrypted
connection that uses the default port number. In this case, the SMTP servers are behind a firewall and a
third-party SMTP provider is typically not used.
Some settings might be hidden. For information about unhiding settings, see “Show hidden settings” on
page 311.
To enhance the performance of large files for upload to the IBM OpenPages GRC Platform application, you
can enable the Optimized File Upload setting.
You can only optimize the upload if you are using the Edit/Upload this File option. You cannot optimize
the upload if you use the Add New option.
When enabled, this feature provides the following functions:
• Compresses the selected file on the user machine before uploading it to the OpenPages GRC Platform
repository.
• Displays additional Optimized File Upload text and a Browse and Save icon to users for attaching files.
Note:
– The file upload applet requires the Java Runtime Environment version 7 on the client browser.
– When using the Chrome browser, if the registry setting Administration > Settings > Applications >
Common > Optimized File Upload is set to true, the setting is ignored by the Chrome browser. For
Optimized File Upload to be available, you must use Microsoft Internet Explorer.
By default, this value is disabled.
Administration > Settings > Applications > Common > Optimized File Upload
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values: In the Value box, type true or false
• true - The Optimized File Upload Browse and Save icon is displayed to users in addition to the
standard file upload icon.
• false - Only the standard file upload icon is displayed to users.
You can configure settings in the Copy Options folder to resolve duplicate names during copy operations
and show additional copy options to users during a Copy From operation.
Note:
• During a copy operation for self-contained objects, if a naming conflict exists between the source and
the target object, the copy operation will fail and the naming conflict resolution choices made by a user
are ignored (see “Configure self-contained object types” on page 343).
• Self-contained object types and security context point object types do not respect the "copyof" naming
option, if selected. By definition self-contained and security context point objects types automatically
have their own folder, so no Copy Of prefix is required.
• In a Copy From operation, the target folder path is based on the closest self-contained parent object.
Administration > Settings > Applications > Common > Configuration > Copy Options
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Max Object Trees This setting is a positive integer that determines when the copied objects are
Copied Interactive created.
If the user chooses to copy the objects and their descendants, and the number
of selected objects is less than or equal to the value of this setting, the dialog
stays open until the copies are complete, blocking other actions.
If the number of selected objects is greater than the value of this setting, then
the copies are created in the background. The user receives an email when the
copy process has completed.
The default value is 20.
Max Top-level This setting is a positive integer which determines when the copied objects are
Objects Copied created.
Interactive
If the user chooses to only copy the objects themselves without any
descendants, and the number of objects to be copied is less than or equal to the
value of this setting, then the copies are created while the user waits.
If the number of objects to be copied is greater than the value of this setting,
then the copies are created in the background. The user receives an email when
the copy process has completed.
The default value is 250.
Show Name Specifies whether to display the name conflict resolution options in the Copy
Conflict Wizard options tab. If the options are not displayed to the user, the value from
Resolution the Conflict Policy setting is used.
Options
The default value is true.
Show Object Copy If this value is set to true, the user is allowed additional control of what is
Options copied with the selected objects. Users are able to choose if just the objects
themselves are copied, or if descendants of the object are copied as well.
By default, descendants are copied as well. Even if they choose to copy
descendants, by default files and issues are not copied. If this option is set to
true, users have the opportunity to also include files and issues.
The default value is true.
Use Legacy Copy Controls whether the copy operation uses the new interface or the legacy
interface. Permissible values are true or false.
The Date field display format setting controls how date fields are displayed for GRC objects. It does not
affect dates that appear in other areas of the system. It affects only how date fields are displayed and not
the format when users enter date values.
The Date field display format setting and the locale determine how date fields are displayed. The
examples below illustrate how the date, October 25, 2016, is displayed given different date formats and
locales:
Administration > Settings > Applications > GRCM > Date Field Display Format
Default:
The values are:
• short - dates are displayed in Java Locale SHORT format.
• medium - dates are displayed in Java Locale MEDIUM format.
• long - dates are displayed in Java Locale LONG format.
Procedure
1. Log on to the application server as a user with administrative privileges.
2. Click Administration > Settings > Applications > Common > Max File Upload Size
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
3. In the Value field, type the maximum upload size as a numeric value followed by a single letter to
represent the unit. For example: 200K, 500M or 1G.
4. Click Save.
5. Restart the OpenPages GRC Platform application service.
For details on starting services, see Chapter 20, “Starting and stopping servers,” on page 549.
You can use the Disable the Files of OPX setting to temporarily enable management of system files in the
OPX administrative interface. System folders and files can also be accessed by using Administration >
Manage System Files.
Administration > Settings > Applications > Common > Disable the files of OPX
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: true
Values:
Signatures
Signatures are added on the Detail page of an object type by clicking the Signatures field. If configured,
users can add, edit, and revoke signatures for the specified object type from the Actions menu on the
Signature pane.
The Actions menu is hidden from users who do not have the correct permissions.
When you configure signatures for a specific object type (such as Processes or Accounts), you grant
permission to a group of users to add a signature. The group is able to add, edit, or revoke a signature for
the specified object types to which they have Read access.
To enable a user group to add or revoke signatures directly on an object, you must configure the
Permission setting for the specified object type. For details, see “Configure signatures” on page 328.
Configure signatures
When you add a group to an object type setting for signatures, sign-off is enabled for objects of that type.
Users who belong to the group can add and revoke signatures. Click Actions on the Signatures pane to
add a signature to the object type.
Note: Only groups that are defined in object type can sign off on objects of that type. Sub groups of a
group do not inherit the sign-off permission.
Administration > Settings > Applications > GRCM > Signature > Permission
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: enabled
Values: In the Value box on the setting detail page, complete the following steps:
• To configure groups to add a signature to an object type, type the name of the group to add.
Note: If you are entering multiple user groups, use a comma to separate group names, and do not
use a space after the comma.
The Mode setting controls whether a lock is created when a signature is added. When the Autolock value
is set, adding a signature to an object creates a lock on the object. It prevents further changes to the
object and any object that is associated with it. Revoking a signature removes the associated lock.
Note: When the locking feature is enabled, users can create signatures only on items to which they have
Write privileges.
Administration > Settings > Applications > GRCM > Signature > Mode
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Values: In the Value field, type one of the following values:
When a signature is added to a parent object, you can automatically apply signatures to all associated
objects in the hierarchy, below the signed object. For example, signing a process applies the signature to
any sub processes, accounts, risks, controls, and tests that are associated with the process.
This feature is turned off by default. It is enabled through the Cascade setting.
Note: To enable cascading signatures, the Mode setting must have the Cascade value set (for details see,
“Configure signature locks” on page 329).
Administration > Settings > > GRCM > Signature > Cascade > <object>
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Values: In the Value box on the setting detail page, complete the following steps:
• To add a cascading signature to child objects, type the name of the child object type.
Note: If you are entering multiple child objects, use a comma to separate the names, and do not use
a space after the comma.
For example, to add a cascading signature to the Process object type for child sub-processes,
accounts, and risks, the value in the SOXProcess is set to the following value:
SOXSubprocess,SOXAccount,SOXRisk
• To remove a cascading signature from child objects, delete the name of the child object type.
You can configure the display of the Lock this menu item on the Actions menu for various object types
through the Display Lock Button setting. This setting applies to manual and automatic signature locking.
For users to see the Lock this menu item on the Actions menu of an object type, the user must be
assigned the Lock application permission. For details, see “Configure the Lock and Unlock application
permissions ” on page 330.
Administration > Settings > Applications > GRCM > Locks > Display Lock Button
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Values:
• To add an object type, type the name of the object type that is separated by a comma.
You can use the object type settings under the Lock Child Types folder to configure locks on child objects
when a parent object is locked.
For example, you want to lock child Process objects whenever a business entity is locked. You would
enter SOXProcess in the setting Value box for SOXBusEntity. When a business entity is locked, users
would not be able to add, associate, copy, and disassociate processes to the locked business entity. The
child objects of that process will not inherit any locks. If you want to lock its child objects too, then you
would have to specify those object types in the value of the SOXBusEntity setting.
Administration > Settings > Applications > GRCM > Locked Objects > Lock Child Types
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Values: In the Value box of the selected setting, enter the exact name of one or more child object
types that should be locked when the parent object is locked.
Find the exact object name listed under the Allowed Associations folder.
Note: If there are multiple child object types, you must add a comma to separate each object name.
For example: SOXProcess,
SOXControl,SOXIssue,SOXDocument,SOXExternalDocument,SOXSignature
For example, you can enable the SOXProcess and LossEvent child objects for SOXBusEntity so users can
associate processes and loss events to a locked business entity. When enabled, the business entity detail
page displays the Associate icons (Add New, Associate, Copy From, and Disassociate) only on the
Processes and Loss Events tabs. Note that the Associate icons also display on the SOXProcess and
LossEvent detail pages.
You can make objects available to users for association when a parent object is locked.
For object types that are defined in the Allowed Associations setting, the Add New, Associate, Copy
From, and Disassociate actions are enabled and Delete is disabled.
For object types that are not defined in the Allowed Associations setting, the Add New, Associate, Copy
From, Disassociate, and Delete actions are disabled.
Administration > Settings > Applications > GRCM > Locked Objects > Allowed Associations
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: none
Administrators can enable a global unlock operation for business entities or sub-entities by enabling the
Remove All Tree Locks application permission for designated groups of users. The Unlock All operation
removes all direct and inherited locks on a business entity, including all of its children.
Note: When you enable the Remove All Tree Locks application permission for a group, the Unlock All
icon is displayed only on a business entity or sub-entity detail page.
Typically, you would use the Unlock All operation if
• The remove locks option was not selected after a finalized reporting period.
• Different business sub-entities of a multi-national organization have different reporting-period closure
dates during the year. One sub-entity may need to remain locked while other entities are unlocked.
For example:
BE-US is a business entity representing the corporate office of a multi-national firm. BE-IND and BE-UK
are two sub-entities within the BE-US entity. December is the financial closure period for BE-UK while
March is the closure period for BE-IND.
When BE-US is signed off in December, BE-IND and BE-UK remain locked along with their associated
objects. Since December is the reporting-period closure date for BE-UK also, its reporting period is
finalized. If the Unlock All operation is applied to BE-UK exclusively, users can keep working in the BE-
UK object hierarchy while BE-IND and its hierarchy remain locked.
Procedure
1. Go to Administration > Users, Groups and Domains and select the Workflow, Reporting and
Others page.
2. Add a new group or select a group and navigate to its Permissions tab.
3. On the Permissions tab, click Edit.
4. Under Files, select Remove All Tree Locks.
Continuing on error
The Continue on Error setting determines whether the object reset session will log errors and continue to
run, or whether the errors will be logged and the session halted. You can change whether the object reset
session runs or halts processing when an error is encountered.
Administration > Settings > Applications > Common > Object Reset > Continue on Error
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: true
Values:
• true - Errors are logged and processing continues.
• false - Errors are logged and processing is halted.
Administration > Settings > Applications > Common > Object Reset > Ignore Locks
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values:
• true - Locks on objects will be ignored when running the reset session.
• false - Locked objects will not be modified by the reset session.
Administration > Settings > Applications > GRCM > Home Page
Open the profile folder that you want to customize filtered lists for (for example, OpenPages PCM
7.4.0 Master), add a new folder, and name the folder with the same name as the filter. Then, add the
Show All Link setting.
If the settings are not available or the setting values are blank, the profile settings are used.
Tip: If you delete and then add the filtered list back to the home page, or when you add a new filtered
list to the home page, the folders and settings for the filtered list are created automatically.
Note: These settings do not apply to the predefined lists on the home page (My Checked-Out Files
and My Reports).
Default: blank
Values: In the Value box, type Filtered List or the name (not the label) of a specific grid view for
the View Details target.
You can use the Items settings to control how predefined panes are displayed on a home page. The order
of the items determines the order of the corresponding HTML panes.
You can configure the following Items settings:
• A global Items setting (Administration > Settings > Applications > GRCM > Home Page > Items)
• Profile-level Items settings (Administration > Settings > Applications > GRCM > Home Page >
<profile> > Items)
The following rules apply:
• The global Items setting defines all possible home page items and their sequence. The default is
myCheckedOutFiles,myReports. If you remove an item from the global Items setting, the pane is
suppressed for all users regardless of how the profile-level Items settings are defined.
• The profile-level Items settings define home page items and their sequence for users who belong to the
profiles. If you remove an item from a profile-level Items setting, the pane is suppressed for all users
who belong to the profile. Items that are not included in the global Items setting cannot be included in a
profile-level Items setting.
• If you reorder the sequence of items in a profile-level Items setting, it overrides the global Items
setting for users who belong to the profile.
The following examples illustrate how the settings work together.
Table 105: Examples of the Items setting at global and profile levels
And the profile-level Items
If the global Items setting is... setting is... The result is...
myCheckedOutFiles, blank None of the panes display on the
myReports specified profile.
Administration > Settings > Applications > GRCM > Home Page > Items
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: My Checked-Out Files (myCheckedOutFiles), My Reports (myReports)
Values: In the Value field, add, remove, or reorder the items.
Administration > Settings > Applications > GRCM > Home Page > <profile> > Items
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: is from the global Items setting
Values: In the Value field, add, remove, or reorder the items.
Administration > Settings > Applications > GRCM > Home Page > My Work Home Page Can Be
Personalized
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: true
Values:
• true - users are allowed to personalize their My Work home page portlets.
• false - users are not allowed to personalize their My Work home page portlets.
Administration > Settings > Applications > GRCM > Home Page > Maximum Objects
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: 5
Values: In the Value box, type a number greater than zero.
Administration > Settings > Applications > GRCM > Home Page > Maximum Reports Listing
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: 5
Values: In the Value box, type a number greater than zero.
Administration > Settings > Applications > GRCM > Home Page
Open the profile folder that you want to customize filtered lists for (for example, OpenPages PCM
7.4.0 Master), add a new folder, and name the folder with the same name as the filter. Then, add the
Detail Link setting.
If the settings are not available or the setting values are blank, the profile settings are used.
Tip: If you delete and then add the filtered list back to the home page, or when you add a new filtered
list to the home page, the folders and settings for the filtered list are created automatically.
Note: These settings do not apply to the predefined lists on the home page (My Checked-Out Files
and My Reports).
Default: blank
Values: In the Value box, type Detail for the detail view, or the name (not the label) of an activity
view for the hyperlink target.
Define view definition used to determine fields displayed on a home page filtered list
You can use the Fields setting to customize the fields that are displayed on home page filtered lists.
Administration > Settings > Applications > GRCM > Home Page
Open the profile folder that you want to customize filtered lists for (for example, OpenPages PCM
7.4.0 Master), add a new folder, and name the folder with the same name as the filter. Then, add the
Show All Link setting.
If the settings are not available or the setting values are blank, the profile settings are used.
Tip: If you delete and then add the filtered list back to the home page, or when you add a new filtered
list to the home page, the folders and settings for the filtered list are created automatically.
Note: These settings do not apply to the predefined lists on the home page (My Checked-Out Files
and My Reports).
Default: blank
Values: In the Value box, type Filtered List or the name (not the label) of a specific grid view for
the View Details target.
Administration > Settings > Applications > GRCM > Filtered List > Show All Objects
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Use the Filter on all fields in profile setting to control whether the fields in a Detail View or in a user
profile are available for creating an Advanced Filter on a Filtered List View page. By default, only the
fields included in an object type Detail View page are available for creating an Advanced Filter.
For example, you might exclude certain system fields (such as Creation Date and Created by) and custom
fields from a Detail View of an object type, but include these fields in the user's profile. If you wanted to
make all fields included in the user's profile available for creating an Advanced Filter, you would set the
value of the Filter on all fields in profile setting to true.
Administration > Settings > Applications > GRCM > Filtered List > Filter on all fields in profile
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values:
• true - all fields that are included in the user's profile are available for creating an Advanced Filter.
• false - only fields that are included in an object type Detail View are available for creating an
Advanced Filter.
Maximum number of objects to export to Microsoft Excel on the Filtered List View
Use the Maximum Export Size setting to control the maximum number of objects that can be retrieved
and exported to Microsoft Excel (in .xls format) from a Filtered List View page.
If the number of objects that are being exported exceeds the defined number, then the user is prompted
to refine their filter.
Administration > Settings > Applications > GRCM > Filtered List > Maximum Export Size
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: 1000
Values: In the Value field, type a number greater than zero.
Enable object type and field export choices in the Filtered List View
Use the Enable Object Type and Field Export Choices setting to allow users to choose which object
types and fields to export.
Administration > Settings > Applications > GRCM > Filtered List > Enable Object Type and Field
Export Choices
Default: true
Values:
Administration > Settings > Applications > GRCM > Filtered List > Object Types to Exclude in Export
Default: SOXSignature
Values: In the Value field, type a comma-separated list of object type names that you want to exclude.
For example, if you wanted to exclude Process and Risk Assessment object types, you would type:
SOXProcess,RiskAssessment.
Use the Number of Levels to Export setting to determine how many total levels of object types the user
can choose to export, including the top-level object that is exported.
This setting is useful for limiting the growth of the tree of objects that a user can export. The number of
records that are exported grows exponentially as a user selects more object types to export. For example,
if a user selects a single object type, such as Process, and chooses to export its Risks, the Controls under
Risks, the Test Plans under Controls and the Test Results under Test Plans, it might result in hundreds or
thousands of exported records. Unless the number of levels is limited, the export might take a long time,
and might impact system performance for other users.
This setting is hidden by default. For information about unhiding settings, see “Show hidden settings” on
page 311.
The Enable Object Type and Field Export Choices setting overrides Number of Levels to Export. For
more information, see “Enable object type and field export choices in the Filtered List View” on page 338.
Administration > Settings > Applications > GRCM > Filtered List > Number of Levels to Export
Default: View+2
Values: Possible values are View, View+1 and View+2. For example:
• If a user's Grid View is Process - Risk - Control, and this value is View, they can export Processes,
their Risks, and their Controls. If this value is View+1, the user can export Processes, their Risks,
and their Controls, and one more object type that is a direct child of Controls. If this value is View+2,
the user can export one more object type that is a direct child of the first additional object type
chosen.
• If a user's Filtered List View is for Processes, and this value is View, they can export only
Processes. If this value is View+1, the user can export Processes and one more object type that is a
direct child of Process. If this value is View+2, the user can export one more object type that is a
direct child of the first additional object type chosen.
Note: This setting is case sensitive and there must be no spaces between the View value and the
characters +1 or +2.
Administration > Settings > Applications > GRCM > Filtered List > Concurrent Exports
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
A value of false makes all fields in the Filtered List View read-only. A value of true enables all fields in the
Filtered List View to be edited. Actual ability to edit is controlled by security settings and field
dependencies. Possible values are true or false.
Attention: If you change the registry settings to allow the Filtered List View to be editable, then all
of the fields in the Filtered List View become editable. If there are any fields in the Filtered List
View that you do not want to be editable, do not make the Filtered List View editable.
Administration > Settings > Applications > GRCM > Filtered List > Editable
Default: true
Values:
• true - all fields can be edited in a Filtered List View.
• false - no fields can be edited in a Filtered List View; the fields are read only.
Custom settings
When enabling new content types and creating your own reports, you may need to create your own
custom setting within the Settings menu. By default, you cannot create or delete settings until you enable
the feature.
Administration > Settings > Common > Configuration > Allow Create and Delete Settings
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values:
• true - enable the creation and deletion of custom settings.
• false - disable the creation and deletion of custom settings.
After enabling Allow Create and Delete Settings, you can create custom settings entries in new or
existing folders.
Complete the following procedure to create a custom setting:
Procedure
1. Navigate to the folder where you want to create the new setting and select the folder.
2. Click Add Setting.
3. On the Settings page, type a setting name and value.
4. Select Encrypted if you want the value of the setting to be encrypted.
5. Click Create to add the new setting to the current folder.
Procedure
1. Navigate to the folder that contains the setting to be deleted. Select the desired setting. The Delete
icon becomes active.
Note: If you select a folder, all settings within that folder are deleted.
2. Click Delete.
3. Click OK.
Procedure
1. Select the setting or folder that you want to make a copy of.
2. Click Copy To.
3. Select the folder in which the new setting or folder will be positioned.
4. If you are coping a folder, scroll down and enter the name of the new folder in New Folder Name.
5. Click OK. The new setting or folder is created.
On the Settings page, in the Common folder is a selected list of individual settings.
From the navigation bar, select Administration > Settings > Common.
When you create user names, you can exclude the use of any alphanumeric and special characters,
including spaces, through the Illegal Characters setting.
For example, if you add an asterisk (*) as a value to this setting, the application validates the user name
for that character before it was created. If it detects an asterisk (*) in the user name, such as Test*User, it
displays an error message.
By default, the security context point at which you can assign Role Templates to users on objects in the
hierarchy is set at the Business Entity (SOXBusEntity) level. You can extend the security context to
other objects in the hierarchy to achieve a finer level of control by changing the Model setting.
Important:
This is a system-wide setting. Switching the security model after data is loaded (or migrated) into the
system is not recommended and requires assistance from IBM OpenPages GRC Platform Professional
Services.
SOXBusEntity/SOXProcess
Permissions in the Role template could then be assigned at either the Business Entity or Process level,
and would include any objects that were created beneath that security context point in the same
location.
The maximum number of security context points you can have in the Model setting is 3. For example,
SOXBusEntity/SOXProcess/RiskAssessment
Administration > Settings > Common > Security > Role Templates > Disable Role Group
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values:
When you define an object type using the Self Contained Object Types setting, the behavior of that
object type changes for copy, move, and rename operations.
A self-contained object type is an object type that has its own folder and is either part of the role-based
security model as defined in the Model setting or defined using the Self Contained Object Types setting.
For information about the Model setting, see “Role-based security model” on page 43.
Note:
• Roles can only be assigned to objects that are defined as security context points through the Model
setting.
• Defining an object type through the Self Contained Object Types setting does not automatically change
the folders of existing instances of that type. If instances of the object type you want to define as self-
contained already exist, you must contact your IBM representative for assistance in executing a special
PL/SQL script that will go back and create folders for existing instances. This script is maintained by IBM
OpenPages GRC Platform Customer Services & Support and does not ship as part of the product.
Conversely, if an object type is later removed from the self-contained list, no automatic re-foldering
occurs. All existing instances retain their dedicated folders.
By default, Business Entities are self-contained objects. For example, if the role-based security model
setting is defined as SOXBusEntity/SOXProcess, both Business Entity and Process objects are treated as
self-contained objects.
Self-contained object types behave differently than non-self-contained object types for copy, move, and
rename operations. The characteristics that distinguish self-contained objects from non-self-contained
objects follow.
Self-contained objects:
• Are always created under a parent folder that matches the object name (the same behavior as Business
Entities). For example, a process P1 under the North America business entity will have the path /North
America/P1/P1.txt
• When copied, all the objects under its hierarchy will also be copied to the target.
• When moved, all the objects under its hierarchy will also be moved to the target.
• Can only be moved to an allowed parent object.
• Cannot be moved to a folder.
• Cannot have their parent folder edited, moved, or renamed.
• Can be renamed by users who have Read+Write access control (ACLs) permission.
• During a copy operation, if a naming conflict exists between the source and the target object, the copy
operation will fail and the naming conflict resolution choices made by a user are ignored.
Administration > Settings > Common > Self Contained Object Types
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
When you enable the CodeCogs Equation Editor with the Enable CodeCogs(r) Equation Editors setting,
users can enter mathematical equations in Rich Text fields. The equations are rendered in all views. They
are also represented in Cognos reports in HTML output.
In all Rich Text fields you can click the new fx icon in the toolbar to open a dialog where you can enter or
update a mathematical equation. You can save and render an equation on the screen in both read only
and edit mode. You can load or update them in a Rich Text field with ObjectManager and Fastmap. You can
also export them to Microsoft Excel from a Filtered List View or Grid.
The equation editor is only available in English.
There is source downloaded from a third-party web site, codecogs.com. If the equation editor is enabled,
this site is automatically added to the security whitelist. The LaTeX version of a formula is sent to the
CodeCogs web site, which returns an image of the formatted formula. If SSL is used, the formula is
encrypted in transit. However, CodeCogs has access to your formula.
The formulas are displayed only in the Change History under the Source tab, not the Changes tab. In the
Change History, an inserted or changed equation is highlighted in color in the Source tab. However, the
color highlight is not currently supported for equations in the Changes tab.
Administration > Settings > Applications > Common > Rich Text Editor > Third Party plugins > Enable
CodeCogs(r) Equation Editors
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values:
• true - equation editor is enabled.
• false - equation editor is disabled.
On the Settings page, the Platform folder settings represent a selected list of individual settings.
From the navigation bar, select Administration > Settings > Platform.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in the
path.
Auditing
Administration > Settings > Platform > Globalization > Auditing Enabled
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: true
Values: Enable auditing of changes that are made to translated object and application label text.
• true - auditing enabled.
• false - auditing disabled.
This option must be set to true to allow new application strings to load.
Default locale
Administration > Settings > Platform > Globalization > Default Locale
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: en_US
Values: Set the language to use to display the application user interface by default.
Note: Users can override the default locale setting by choosing another language in the My Settings
menu item option that is located under the user name.
The following list identifies the supported locale code values with their corresponding language:
• de_DE (German)
• en_GB (U.K. English)
• en_US (U.S. English)
Table 106: Parent folder path and associated child folder path
Parent folder path C1 Child folder path
/BE1/SBE2/R2 /BE1/SBE1/C1
/BE1/SBE1/R1 /BE1/SBE1/C1
/BE1/SBE3/R3 /BE1/SBE1/C1
/BE1/SBE4/R4 /BE1/SBE1/C1
(primary parent)
If you disassociate the primary parent, R4, from C1, although R2 is chronologically the earliest
association to C1, R1 is reassigned as the primary parent. This is because R1 and C1’s folder paths
match (/BE1/SBE1).
Note: If no folder path matches the child object, the chronological order is used.
If you have older JSP reports and want to send email notifications to users from these older JSP-based
reports or the Notification Manager utility, configure the host setting.
Note: This setting is only used for backward compatibility.
Cross-context sharing
You can use the Cross context sharing setting to affect whether any non-primary links to objects outside
the context (scope) of a copy operation are included or ignored during a copy operation.
When cross-context sharing is enabled, copy operations maintain non-primary links to objects outside the
context of the copy. When it is disabled, non-primary links to objects outside the context of the copy are
ignored.
Administration > Settings > Platform > Repository > Resource > Copy > Cross context sharing
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false
Values: In the Value field, type one of the following values:
• true - Cross-context sharing is enabled and the copy operation maintains any non-primary links to
objects that are outside the scope (context) of the copy.
• false - Cross-context sharing is disabled and the copy operation ignores any non-primary links to
objects that are outside the scope (context) of the copy.
The settings in the Administration > Settings > Platform > Reporting Framework V6 folder apply to the
reporting framework used by Cognos Analytics.
Note: In reference to Reporting Framework V6, V6 refers to the latest framework version, not to any
specific OpenPages release number.
For more information, see the following topics:
• Chapter 25, “Configuring and generating the reporting framework,” on page 659
• “Configuring settings that apply to all framework models” on page 665
• “Configuring framework models ” on page 669
The reporting schema folder settings represent a selected list of individual settings.
From the navigation bar, select Administration > Settings > Platform > Reporting Schema.
You can add an index to any RT_ table in the database through the Create Index on Fields setting.
Before configuring this setting, complete the following tasks:
• Review this task with your database administrator and your IBM representative.
• Test the change by manually creating the index in the database before making a permanent change in
IBM OpenPages GRC Platform.
You can create a string up to 4000 characters.
Configure this setting only after careful analysis of your data query patterns. Adding too many indexes to a
table can harm performance.
Administration > Settings > Platform > Reporting Schema > Create Index on Fields
Default: none.
Values: In the Value field, enter an index in the following format:
ObjectTypeName1= [FieldGroupName1.PropertyName1,...,
FieldGroupNameN.PropertyNameN]
|ObjectTypeNameN= [FieldGroupName1.PropertyName1
,...,FieldGroupNameN.PropertyNameN]
Where:
ObjectTypeName1 is the name of the object type you want to add an index to.
FieldGroupName1 is a bundle definition associated with the object.
PropertyName1 is the name of a property in the bundle.
Note:
• Vertical bars (|) separate multiple index strings.
• Commas (,) separates columns inside an index.
Depending on the size of the database, you can update the reporting schema through the application
user interface or incrementally through scripts with assistance from your IBM representative.
For more information, see “Changes that require the reporting schema to be regenerated” on page 89.
The Core Attributes bundle includes all of the following system parameters:
• Latest Resource Version
• Resource Check Out Status
• Resource Check-in Date
• Resource Checked in By
• Resource Checked Out By
Example 3: Adding an index for quick filters and custom simple strings
Indexes can help the performance of certain searches with Quick Filters and filters on custom simple
string fields (except users and user groups).
The usual indexing technique is not applicable here, because Quick Filters and filters on custom simple
string fields are commonly case insensitive and commonly implement "contains" logic. As such, even if a
database index existed on the filtered field, it would not be used.
A typical use case is as follows:
• Filter performance appears inadequate.
• The user executing a filter has IBM OpenPages security access to a small fraction of the data.
• The number of records is high. This is a function of the number of object instances in the current
reporting period and the number of reporting periods in the system.
• The width of records is high. This is a function of the number of custom properties.
For example, loss event data may be tightly restricted within a company. As such, indexing the LossEvent
object type could improve filter performance.
It is beneficial to filter on security access before applying any property filter. The security access filter will
filter out a large percentage of data, leaving the property filter to work on fewer records.
Such an index will benefit all the filters on a given Object Type, so it only needs to be created once per
Object Type.
Security settings
By default, click Log Off in the header pane to log the user out of IBM OpenPages GRC Platform.
If you are using single sign-on (SSO), you can change the page that is displayed after you log off by
modifying the value of Logout URL.
Note: If you are not using single sign-on, you cannot redirect the logout link.
Administration > Settings > Platform > Security > Logout URL
Default: none
Values: In the Value field, type a qualified URL.
Administration > Settings > Platform > Security > User Locking
Values: Click a setting to open its detail page, and type a value in the Value field.
Cross-site scripting (XSS) is a computer security vulnerability that allows malicious attackers to inject
client-side script into web pages viewed by other users. You can use the Cross-site Scripting Filter
setting to check all HTTP GET requests sent to IBM OpenPages GRC Platform. The Cross-site Scripting
Filter setting enables basic filtering of common attacks. The Advanced XSS Filter setting turns on more
aggressive filtering of JavaScript actions. The IE XSS Filter setting is used to set the X-XSS-Protection
header on a request. However, the preferred approach is to use the X-XSS-Protection header setting.
Administration > Settings > Platform > Security > Cross-site Scripting Filter
Default: true
Values: In the Value field, type one of the following values:
• true - Cross-site filtering is enabled.
• false - Cross-site filtering is disabled.
Restart all application servers in your cluster to enable the change. For information, see Chapter 20,
“Starting and stopping servers,” on page 549.
Administration > Settings > Platform > Security > Advanced XSS Filter
Default: true
Values: In the Value field, type one of the following values:
• true - Advanced XSS filtering is enabled.
• false - Advanced XSS filtering is disabled.
Restart all application servers in your cluster to enable the change. For information, see Chapter 20,
“Starting and stopping servers,” on page 549.
Administration > Settings > Platform > Security > IE XSS Filter
Default: false
Values: In the Value field, type one of the following values:
• true - XSS filtering at the browser level is enabled.
• false - XSS filtering at the browser level is disabled.
Restart all application servers in your cluster to enable the change. For information, see Chapter 20,
“Starting and stopping servers,” on page 549.
When the Cross-site Scripting Filter setting is enabled, certain HTML elements are blocked by that filter.
For more information on enabling this filter, see “Security cross-site scripting filter settings” on page 351.
You can use the Safe Tags setting to globally allow certain HTML elements to pass through the filter.
For example, your company uses embedded forms to capture information that is provided by users. The
embedded form contains the HTML form element, which is passed in an HTTP request. By default, the
Cross-site Scripting Filter setting is enabled so the form element is blocked. To allow user input in an
embedded form to be passed in an HTTP request, you would add the HTML form element to the Safe
Tags value list as follows:
style, form
The settings in the Platform Workflow Implementations folder control aspects of the integration of IBM
OpenPages GRC Platform and IBM Business Process Manager.
From the navigation bar, select Administration > Settings > Platform > Workflow Implementations >
IBM BPM.
When you create the toolkits during the IBM Business Process Manager installation, the following values
for the workflow implementation settings are defined in the op-bpm-registry-entries-
opconfig.xml file:
• Enable Login SSO is set to true.
• Portal Page Path contains the URL of the default Process Portal page that is customized for OpenPages.
Set auto-login
With the Enable Login SSO setting, you can control whether auto-login is used. If it is enabled,
OpenPages users can access the IBM BPM menu items in OpenPages without having to log in to IBM BPM.
Administration > Settings > Platform > Workflow Implementations > IBM BPM > Enable Login SSO
Default: false
Values:
• true - to enable auto-login from OpenPages to IBM BPM.
• false - to disable auto-login from OpenPages to IBM BPM.
With the Portal Page Path setting, you can customize the page that is displayed when users click the
Process Portal tab on the Home page. The system appends the value in the Portal Page Path setting to
the base value entered in the Server URL setting to create the full URL.
There are three ways to configure the Process Portal tab on the Home page:
• Use the default BPM Process Portal page. On this page, the Log out icon in the navigation pane is
displayed but is non-operative. If a user clicks Log out, they are not logged out of BPM.
• Use the default Process Portal page that is customized for OpenPages. On this page, the Log out icon in
the navigation pane on the Process Portal tab is hidden.
• Create your own customized page. If you do this, hide the Log out icon.
Administration > Settings > Platform > Workflow Implementations > IBM BPM > Portal Page Path
Default: <default value>
Values: In the Value box, set to blank or type the path of the customized Process Portal page.
• blank - use the default BPM Process Portal page.
• <default value> - use the default Process Portal page that is customized for OpenPages from
the op-bpm-registry-entries-opconfig.xml file or use your own customized page.
If the OpenPages GRC Platform application server is integrated with the BPM process center, set Server
URL to the URL for the BPM process center. The Administration > IBM BPM Process Center menu item is
displayed and opens the URL you enter.
If it is integrated with the BPM process server, set Server URL to the URL for the BPM process server. You
must also hide the Administration > IBM BPM Process Center menu item:
1. Click Administration > GRCM > NavigationMenu > Administration > Management > Subitems.
The setting contains a comma-separated list, for example:
ReportingSchema,Search,__separator__,ObjectReset,ReportingPeriods,
__separator__, IBM_BPM_ProcessCenter, IBM_BPM_ProcessInspector,
IBM_BPM_ProcessAdmin, __separator__, CognitiveServices,
__separator__, RCA_Integration,__separator__,
LdapConfiguration
ReportingSchema,Search,__separator__,ObjectReset,ReportingPeriods,
__separator__, IBM_BPM_ProcessInspector, IBM_BPM_ProcessAdmin,
__separator__, CognitiveServices, __separator__, RCA_Integration,
__separator__, LdapConfiguration
The User Preferences folder settings represent a selected list of individual settings in the User
Preferences folder.
All of the following actions are accessed from the Platform folder.
From the navigation bar, select Administration > Settings > User Preferences.
Set which alert notifications are displayed to application users in the Alerts folder. You can select
various alert notification settings in the Alerts page.
Application users can change these default settings through their My Settings pane.
Administration > Settings > User Preferences > Alerts
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
Default: false.
Values: Select the name of a setting on the Alerts pane to open its detail page. In the Value box, type
one of the following values:
• true - An alert is displayed to application users.
• false - No alert is displayed to application users.
For example, you configured dependent fields or dependent picklists for an object type and you want
to alert users that different values for particular fields are available depending on their selection.
Under the Alerts folder, you can set the values in the Picklist Options Changed and Picklist Values
Removed settings to true so each time a user changes a value in one of these fields, an alert
notifying the user that values have changed is displayed.
Procedure
1. Install IBM OpenPages GRC Platform using the default settings. Make sure that you also install the
Search Server component. Specify the default values for all the fields. For more information, see the
topic Search server post installation tasks in the IBM OpenPages GRC Installation and Deployment
Guide.
2. Follow the steps in the topic Copying database driver files to the search server in the IBM OpenPages
GRC Installation and Deployment Guide to copy the JDBC database driver and start the search server.
3. Log in to IBM OpenPages GRC Platform with administrative privileges.
4. Click Administration > Global Search
5. Click Create and periodically click Refresh to get progress updates.
The size of your data set, the configuration of your hardware, CPU speed, network speed, and available
memory all influence the time it takes to set up global search. The process takes a few minutes on
small sets of data (such as a few hundreds records) up to several hours on larger sets of data (such as
a few million records).
6. After search setup is completed, the search box is available beside the Reporting Period drop-down
box. In the search box, type some text that you want to search on and press Enter. The result of your
search appears in the result view. You can refine your search by typing more or fewer terms, or by
selecting the object types to limit the search.
For more information about using global search, see the topic Searching for objects in the IBM
OpenPages GRC User Guide.
For more information about administering global search, see “Customizing global search” on page 363
Procedure
1. On the search server, open a command prompt.
2. To change the login information that the search server uses to login to the database, enter the
following commands:
On Microsoft Windows operating systems,
cd <SEARCH_HOME>/OPSearch/opsearchtools/
opsearchtool.cmd setdbuserpassword -username current-username
-password current-password -newusername new-username
-newpassword new-password
cd <SEARCH_HOME>/OPSearch/opsearchtools/
./opsearchtool.sh setdbuserpassword -username current-username
-password current-password -newusername new-username
-newpassword new-password
For example, the following command changes the password to dbNEWpassword, but keeps the same
database username:
The following command changes both the database username and the password:
3. To change the login information for the global search service (Apache Solr), enter the following
commands:
cd <SEARCH_HOME>/OPSearch/opsearchtools/
opsearchtool.cmd setsolruserpassword -newusername new-solr-username
-newpassword new-solr-password
cd <SEARCH_HOME>/OPSearch/opsearchtools/
./opsearchtool.sh setsolruserpassword -newusername new-solr-username
-newpassword new-solr-password
Table 110: Parameters to change the global search service login information
Parameter Description
new-solr-username The new username for the Solr service
The Solr user does not need to be an OpenPages
user.
Note: You do not need to provide the current username and password to change and encrypt the
password for the global search service. The script uses the current login information of the database
server for authentication before it allows the change. The default username and password is
OpenPagesAdministrator / OpenPagesAdministrator.
For example, the following command sets the username to solruser and the password to
solrpassword:
What to do next
When you update the user name and password, the changes are applied only to the search server. You
must update the database server as well to ensure the login information is synchronized.
Procedure
1. Log on to OpenPages as a user with administrative privileges.
2. Click Administration > Global Search.
3. Click Disable to disable the global search component.
4. Stop the global search service.
For more information, see “Stopping the global search services by using a script” on page 554 or
“Stopping the global search services” on page 555.
5. Change the database user name or password.
For more information, see "Changing password references" in the IBM OpenPages GRC Platform
Administrator's Guide.
6. Change the login information to use for the database server and Apache Solr.
For more information, see “Setting login information for the search server” on page 358.
7. Start the global search services.
For more information, see one of the following topics:
• “Starting the global search services by using a script” on page 553
• “Starting the global search services on Windows” on page 554
• “Starting the global search services on Linux or AIX” on page 555
8. From OpenPages, click Administration > Global Search
9. Click Enable to enable the global search component.
10. If required, set up SSL for the global search service.
For more information, see “Setting up SSL for the global search service” on page 519 in the IBM
OpenPages GRC Installation and Deployment Guide.
What to do next
When you update the user name and password, the changes are applied only to the search server. You
must update the database server as well to ensure the login information is synchronized.
Procedure
1. Disable global search:
a) Log in as an administrator.
b) Click Administration > Global Search > Disable.
2. Perform OPBackup or OPRestore. For more information, see “The OPBackup utility” on page 387.
3. Enable global search:
a) Log in as an administrator.
b) Click Administration > Global Search > Enable.
Attention: If you run the OPRestore utility, the search index becomes out of sync with the
restored data in the OpenPages database. As a result, global search results might be inaccurate
and incomplete. To prevent this, you must re-create the global search index. You can re-create
the global search index before or after the database restore operation.
4. To re-create the global search index:
a) Log in as an administrator.
b) Click Administration > Global Search > Disable.
c) Click Administration > Global Search > Drop.
d) Click Administration > Global Search > Create.
Procedure
1. Log on to OpenPages GRC Platform as a user with administrative privileges.
2. Click Administration > Global Search.
3. Click Disable to disable the global search component.
4. Click Enable to enable the global search component again.
Procedure
1. Log on to OpenPages GRC Platform as a user with administrative privileges.
2. Click Administration > Global Search.
3. Click Disable File Search to disable the file search component.
4. Click Enable File Search to enable the file search component again.
5. Click Check for Updates.
6. When the check for updates is completed, click Update for the changes to take effect.
Procedure
1. Log on to OpenPages GRC Platform as a user with administrative privileges.
2. Click Administration > Object Types > SOXDocument.
3. Under File Types Information, specify whether the file types selected by check box in the Name
column are enabled or disabled for file attachment global search.
• Click Enable Search. Selected file types that are disabled become enabled, and selected file types
that are already enabled stay enabled.
• Click Disable Search. Selected file types that are enabled become disabled, and selected file types
that are already disabled stay disabled.
Note: Files might still be discovered after the file type of these files is disabled from search if the file
type is associated with more than one MIME type. Files of this type are still discovered until all
associated MIME types are excluded or are disabled from search. Follow the procedure “Removing a
file type from other object types” on page 187 with each associated MIME type to remove the types
from searches.
4. Click Administration > Global Search.
5. Click Check for Updates.
6. When the check for updates is completed, click Update for the changes to take effect.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. From the menu bar, click Administration > Object Types.
3. Select the object type or field for which you want to enable or disable global search.
4. Click Edit.
5. Enable or clear Global Search.
6. Click Save.
7. Click Administration > Global Search.
8. Click Check for Updates.
9. When the process completes, check the logs for changes such as added or removed object types and
fields. You can go back and make more changes and click Check for Updates to see a log of updated
changes.
10. When you are satisfied with your changes, click Update to force the changes onto the global search
index.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. From the menu bar, click Administration > Object Types.
3. Select the object type SOXSubaccount.
4. Click Edit and clear Global Search.
5. Click Save.
6. From the menu bar, click Administration > Object Types.
7. Select the object type SOXRisk.
8. Under Included Field Groups, click OPSS-Risk.
9. Under Field Definitions, click Owner.
10. Click Edit and clear Global Search.
11. Click Save.
12. From the menu bar, click Administration > Global Search and click Create.
Create appears only on initial enablement.
13. Click Refresh periodically to get progress updates and notification of when the operation is complete.
This process can take from several minutes to several hours, based on how much data you have.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. From the menu bar, click Administration > Object Types.
3. Select the object type SOXSubaccount.
4. Click Edit and enable Global Search.
5. Click Save.
6. From the menu bar, click Administration > Object Types.
7. Select the object type SOXRisk.
8. Under Included Field Groups, click OPSS-Risk.
9. Under Field Definitions, click Owner.
10. Click Edit and enable Global Search.
11. Click Save.
12. From the menu bar, click Administration > Object Types.
13. Select the object type SOXBusEntity.
14. Under Included Field Groups, click MRG-BusEnt.
15. Under Field Definitions, click Additional Description.
16. Click Edit and clear Global Search.
17. Click Save.
18. From the menu bar, click Administration > Global Search and click Check for Updates. You can look
at the logs based on Check for Updates to find out what changes occurred.
19. Periodically, click Refresh to get progress updates and notification of when the operation is complete.
This process can take from several minutes to several hours, based on how much data you have.
20. Click Update to start an update operation so that your global search index is synced with the changes
you made.
21. Click Refresh periodically to see how far from completion the process is. This process can take from
several minutes to several hours, based on how much data you have and the kind of changes you
made.
Global search is now updated and ready for use.
During the Update operation, global search is offline. Any user who attempts to use global search
receives a message to this effect. Plan an update during off-hours, and communicate the scheduling
of the update to your users.
Procedure
1. Disable global search and stop the global search services.
Oracle
Procedure
1. Log on to OpenPages GRC Platform as a user with administrative privileges.
2. Click Administration > Settings > Platform > Search > Result Fields.
Attention: You must provide the correct field-group and field-name for the additional field. If
the formatting is wrong, or if the field-group or field-name do not match what is in your
OpenPages schema, that additional field is not included in the search results.
You can ensure that you use the correct field-group and field-name by going to the source. For
example, you want to add a field to the Workpaper object type search results.
a. Log on to OpenPages GRC Platform as a user with administrative privileges.
b. Select your object type. Click Administration > Object Types > Workpaper.
c. Select your field-group. From Included Field Groups, click the field group OPSS-Work.
d. Select your field-name. From Field Group Information, find the name of the custom field you want
to add. For example, Audit Description.
e. Make sure that you have the field-group and field-name correct, for example, OPSS-Work.Audit
Description. Follow the steps in the preceding procedure. For example, click Administration >
Settings > Platform > Search > Result Fields > Workpaper.
f. Set or change the value to OPSS-Work.Audit Description and click Save. The additional field
value 'Audit Description' appears after the description system field on a new line in the items that
are returned from a global search.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Admin > Query Path.
3. Change the value as required.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Admin > Search Server Administration URL.
3. Change the value as required.
Attention: If you are changing this registry because you want to enable SSL or because you
want to change the server on which global search is installed, then you must also make the
same change to the registry keys Administration > Settings > Platform > Search > Index >
Search Server URL and Administration > Settings > Platform > Search > Request > Search
Server URL.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Index > Full > Progress Refresh Interval.
3. Change the value as required. The default value is 30 seconds.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Index > Full > Record Cache Size.
3. Change the value as required. The default value is 100.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Index > Incremental > Polling Interval.
3. Change the value as required. The default value is 60.
Setting the number of records to cache before sending to the server for indexing
Specifies the total number of records to cache before sending to the Apache Solr server for indexing.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Setting the Query Path to the Apache Solr server that handles Folder ACL indexing
Specifies the URL path to the Apache Solr server that handles Folder ACL indexing.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Index > Folder ACL Query Path.
3. Change the value as required.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Index > Language Analyzer.
3. Change the value as required. The default value is en.
Attention: Before you make a change to this registry key, and if global search is already
enabled, make sure to disable global search and drop the current index. For more information,
see “Enabling and disabling global search” on page 361.
Setting the Query Path to the Apache Solr server that handles Folder ACL indexing
Specifies the URL path to the Apache Solr server that handles indexing.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Setting the URL to the Apache Solr server that handles Folder ACL indexing
Specifies the URL for the search server index.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Index > Search Server URL.
3. Change the value as required.
Attention: If you are changing this registry because you want to enable SSL or because you
want to change the server on which global search is installed, then you must also make the
same change to the registry keys Administration > Settings > Platform > Search > Admin >
Search Server Administration URL and Administration > Settings > Platform > Search >
Request > Search Server URL.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Batch Size.
3. Change the value as required. The default value is 1000.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Setting the Query Path to the Apache Solr server that handles Folder ACL search requests
Specifies the URL path to the Apache Solr server that handles Folder ACL search requests.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Folder ACL Query Filter.
3. Change the value as required.
Setting the URL to the Apache Solr server that handles OpenPages search requests
Specifies the URL path to the Apache Solr server that handles search requests.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Query Path.
3. Change the value as required.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Result Cache Refill Attempts.
3. Change the value as required. The default value is 5.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Setting the number of search results records that are cached per user session
Specifies the number of search results records that are cached per user session. This value sets the upper
limit for the number of results that are shown to the user.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Result Cache Size.
3. Change the value as required. The default value is 100.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Search Page Size.
3. Change the value as required. The default value is 500|10000.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Setting the URL to the Apache Solr server that handles search requests
Specifies the URL for search requests.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Search Server URL.
3. Change the value as required.
Attention: If you are changing this registry because you want to enable SSL or because you
want to change the server on which global search is installed, then you must also make the
same change to the registry keys Administration > Settings > Platform > Search > Admin >
Search Server Administration URL and Administration > Settings > Platform > Search >
Index > Search Server URL.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request > Search Timeout.
3. Change the value as required. The default value is 0.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Index > Result Fields > <object type name>.
3. For details on how to change or provide a new value, see “Displaying a custom field in global search
results” on page 366.
4. If the object type for which you want to add the additional field is not on the list, you can create a new
registry key for it. Select the Result Fields node and click Add Setting.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Allow Compression.
3. Change the value as required. The default value is true.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Connection Timeout.
3. Change the value as required. The default value is 5000.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Follow Redirects.
3. Change the value as required. The default value is false.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Maximum Connections Per Host.
3. Change the value as required. The default value is 100.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Maximum Total Connections.
3. Change the value as required. The default value is 1000.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Request Retry Attempts.
3. Change the value as required. The default value is 3.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Socket Timeout (index).
3. Change the value as required. The default value is 1800000.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Socket Timeout (search).
3. Change the value as required. The default value is 5000.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Solr Password.
3. Change the value as required. The default value is encrypted text.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Platform > Search > Solr User ID.
3. Change the value as required. The default value is 0.
Attention: Do not modify this registry setting unless you are instructed by customer support to
do so. Changing this registry setting can result in global search not working or unexpected
performance issues.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Click Administration > Settings > Applications > GRCM > Search > Default Results Page Size.
3. Change the value as required. Allowable values are 10, 25, and 50. The default value is 10.
Attention: If you change the value of this registry key to a value larger than 10, global search
and overall IBM OpenPages GRC Platform performance might be impacted. This change is
global to all users.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Go to the <SEARCH_HOME>/OPSearch/opsearchtools/ folder.
3. Open the openpages_search.properties file.
4. Change the OPSearchTool.IndexerErrorHandlerParameters property as required.
Attention: If you change to the openpages_search.properties file, you must disable and
then enable global search for the change to take effect. For more information, see “Enabling
and disabling global search” on page 361.
Attention: If you change to the openpages_search.properties file, you must disable and
then enable global search for the change to take effect. For more information, see “Enabling
and disabling global search” on page 361.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Go to the <SEARCH_HOME>/OPSearch/opsearchtools/ folder.
3. Open the openpages_search.properties file.
4. Change the OPSearchTool.SolrHeapSize property as required.
Attention: If you change to the openpages_search.properties file, you must disable and
then enable global search for the change to take effect. For more information, see “Enabling
and disabling global search” on page 361.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Go to the <SEARCH_HOME>/OPSearch/opsearchtools/ folder.
3. Open the openpages_search.properties file.
4. Change the OPSearchTool.IndexerHeapSize property as required.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Go to the <SEARCH_HOME>/OPSearch/opsearchtools/ folder.
3. Open the openpages_search.properties file.
4. Change the OPSearchTool.TextExtractorHeapSize property as required.
Attention: If you change to the openpages_search.properties file, you must disable and
then enable global search for the change to take effect. For more information, see “Enabling
and disabling global search” on page 361.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Go to the <SEARCH_HOME>/OPSearch/opsearchtools/ folder.
3. Open the openpages_search.properties file.
4. Change the OPSearchTool.TextExtractorTimeout property as required.
Attention: If you change to the openpages_search.properties file, you must disable and
then enable global search for the change to take effect. For more information, see “Enabling
and disabling global search” on page 361.
Procedure
1. Log in to IBM OpenPages GRC Platform with administrative privileges.
2. Go to the <SEARCH_HOME>/OPSearch/opsearchtools/ folder.
3. Open the openpages_search.properties file.
4. Change the OPSearchTool.FileStorageRootPath property as required.
Maintenance
Q. Are there any backup and restore operations to be performed on the global search server?
A. There are no backup and restore requirements for OpenPages global search. However, if you restore
the database from a backup, the global search index is now out of sync with the OpenPages database. In
this scenario, you must re-create the global search index by first disabling global search, then dropping
the index, and then creating the index.
Q. Are there any index optimizations?
A. There is no need to optimize the OpenPages global search index. Apache Solr dynamically and
automatically optimizes the index over time. If you perform a bulk update that impacts over 50% of your
records and you have many records - hundreds of thousands of records, for example - the automatic
index optimization of Apache Solr can take several days to catch up. If you suspect search performance is
suffering because of a bulk update, you can force an index optimization from the Apache Solr
administration page.
IBM DB2 and the OpenPages GRC Platform backup and restore utilities
The backup and restore utilities are installed during the IBM OpenPages GRC Platform installation.
Use the utilities that are provided with IBM DB2 to back up and restore databases in IBM OpenPages GRC
Platform.
For information about developing a database backup and restore strategy, see the IBM DB2 Knowledge
Center (http://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/
com.ibm.db2.luw.admin.ha.doc/doc/c0005945.html).
For more information about backing up or restoring, see “DB2 databases for OpenPages GRC Platform
backup and restore” on page 394.
Use the following utilities for backing up and restoring the IBM OpenPages environment:
• OpenPages GRC Platform backup (OPBackup) and restore (OPRestore)
These utilities are used to backup and restore the application. For more information, see “The
OPBackup utility” on page 387.
Users can choose to run a live OPBackup. When you run a live OPBackup, OpenPages services are not
stopped on the application server, which allows for maximum uptime of the OpenPages application. By
default, OpenPages services are restarted.
• Cognos backup (OPCCBackup) and restore (OPCCRestore)
These utilities are used to back up and restore OpenPages GRC Platform Cognos files. For more
information, see “Using the Cognos Backup utility” on page 391.
Note:
• Log files for email notification are stored in the logs folder in the following location:
– For OPBackup (OpenPages GRC Platform application backup):
• Make sure to set rules in your email client to never send emails from the OpenPages GRC Platform
application server to the Spam or Junk mail folders.
Configuring backup job notification
Use this procedure to configure email parameters for IBM OpenPages GRC Platform and Cognos backup
jobs.
Procedure
1. Open a command or shell window and do one of the following.
a) For an OPBackup (OpenPages GRC Platform application backup,
navigate to the op-backup-restore.env file in the bin directory as follows:
• For Microsoft Windows, the bin directory is <OP_Home>\aurora\bin
• For AIX and Linux, the bin directory is <OP_Home>/aurora/bin
b) For a OPCCBackup (Cognos backup), navigate to the op-cc-backup-restore.env file in the bin
directory where <cc_home> represents the installation of Cognos.
• For Microsoft Windows, the back up path is OPBackup <path-to-back-up-location>
• For AIX and Linux, the back up path is OpBackup.sh <path-to-back-up-location>
where <path-to-backup-location> is the full path of the directory where the backed up files
are located on the application server. If a file path is not specified, the OPBackup command uses,
by default, the backup location specified in the BACKUP_LOCATION parameter of the <OP_Home>|
aurora|bin|op-backup-restore.env file.
2. Open the selected .env file in a text editor.
3. Specify a value after the equal sign (=) for the parameters described in the following table and save
the .env file.
Example
The following is a sample error log message that occurred when an OPBackup command was initiated
while the reporting schema was still being generated.
Note: The .log file name has the format op_backup_<yyyy_mm_dd_hh_mm_ss>.log
Where:
<yyyy_mm_dd_hh_mm_ss> represents the year_month_day_hour_minute_second. For example:
Windows
C:\OpenPages\openpages-backup-restore\op_backup_2010_07_26_09_35_42.log
AIX and Linux
/opt/OpenPages/openpages-backup-restore/op_backup_2010_07_26_09_35_42.log
Sample error log messages follow.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 385
• For Oracle database environments, a sample error log message might look similar to this text:
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing processes running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing object reset operations running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
• For IBM DB2 environments, a sample error log message might look similar to this text:
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing processes running. Please let them
[exec] finish or termi".
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing object reset operations running.
[exec] Please let them finish or termi".
It is best to run all jobs to completion before you start a backup or restore operation. However, this check
can be enabled or disabled as follows.
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
2. Navigate to the op-backup-restore.env file in the bin directory.
• For Microsoft Windows, the bin directory is <OP_Home>\aurora\bin
• For AIX and Linux, the bin directory is <OP_Home>/aurora/bin
3. Open the op-backup-restore.env file in a text editor.
4. Set the CHECK_BACKGROUND_PROCESSES parameter in the file to true or false.
Setting the value to true enables the asynchronous background job. If background processes are
running, this value prevents OPBackup or OPRestore from starting. True is the default value. false
disables the validation check for asynchronous background jobs. OPBack or OPRestore start even if
background processes are running.
Procedure
1. Log on to the current OpenPages GRC Platform application server.
2. Navigate to the OP_HOME|aurora|bin directory and open the op_backup.manifest file in a text
editor.
3. Type the full path name to all custom directory names or to a specific file. Each directory or file must
be on a separate line in the file.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 387
4. Save the manifest file using the current location and name.
This might happen if there is a relatively high level of data modification transactional activity on the
system during the backup. Run live OP backup when transactional activity is low. If this is not possible or
not desirable, or if the error keeps happening, it may be possible to avoid this error by setting
UNDO_RETENTION initialization parameter to a higher (possibly much higher) value, at least for the
duration of the backup. Setting UNDO_RETENTION to a higher value, may result in a growth of UNDO table
space, so it should be done by an experienced database administrator or with the assistance of IBM
Support.
To use the OpenPages GRC Platform application backup utility live, you run the OPBackup command with
the nosrvrst option. This does the following:
• Backs up OpenPages GRC Platform application and environment files
• Exports the OpenPages GRC Platform application database
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
2. Navigate to the bin directory as follows:
• For Microsoft Windows, the bin directory is \<OP_Home>\aurora\bin
• For AIX or Linux, the bin directory is /<OP_Home>/aurora/bin
3. Type the following backup command:
Windows
where:
Windows
<path-to-backup-location> is <oracle_base>\admin\<SID>\dpdump
AIX and Linux
<path-to-backup-location> is <oracle_base>/admin/<SID>/dpdump
Procedure
1. From a command or shell window, navigate to the op-backup-restore.env file in the bin directory
as follows.
• For Windows, the installation directory is c:\<OP_Home>\aurora\bin
• For AIX or Linux, the installation directory is <OP_Home>/aurora/bin
2. Open the op-backup-restore.env file in a text editor of your choice.
3. Change the USE_GZIP_COMPRESSION= setting from false to true.
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
2. Navigate to the op-backup-restore.env file in the bin directory as follows.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 389
4. Set the value of the BACKUP_OP_STORAGE parameter in the file to one of the following:
false The storage folder and its content are not backed
up.
5. When finished, save the changes to the file and exit the editor.
Prerequisites
Important: Before you run the OPRestore utility, you must restore the IBM DB2 OpenPages database.
The OPRestore tool can be used only on an existing OpenPages database. It cannot be used on a
database that does not have an OpenPages schema.
Restoring files
To back up or restore the IBM DB2 databases for IBM OpenPages GRC Platform, you must use the utilities
that are provided with DB2. For more information about the databases in IBM OpenPages GRC Platform
and backing up or restoring them, see Backing up and restoring DB2 database.
Note: To refresh a "test" environment, see “Refreshing a test environment from backup files” on page
441.
As part of the restoration process, the following OpenPages resources are restored:
• If the OpenPages storage folder was backed up, the storage folder and its content are restored.
For information about enabling and disabling storage folder backup, see “Enabling and disabling storage
backup” on page 389.
• The OpenPages application environment files are restored.
• The OpenPages database schema is populated with data restored from backup files.
Depending on your configuration, if any asynchronous background jobs are detected, an OPRestore job
might exit and possibly display errors. See “Asynchronous background jobs and administrative functions”
on page 385.
Procedure
1. If you enabled the global search component during backup, recreate your search index so that your
search results are synchronised.
a) Click Administration > Global Search.
b) Click Disable to disable the global search component.
c) Click Drop to drop the search indexes.
What to do next
Preferences related to the long string text index won't be exported by “Running the OPBackup command”
on page 425, and therefore are not restored. You must “Create a long string index for an Oracle database”
on page 452 pointing to the database server you are restoring to.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 391
Running the OPCCBackup command
When you use the Cognos backup utility, you run the OPCCBackup command in a command or shell
window. The OPCCBackup command uses Oracle Data Pump to export the database (services can
continue to run during the backup).
Note: Oracle Data Pump backup files are created on the database server.
Procedure
1. From a command or shell window, navigate to the bin directory as follows:, where <CC_Home>
represents the installation location of the Cognos application.
• For Microsoft Windows, navigate to <CC_Home>\tools\bin. By default, <CC_Home> is
C:\OpenPages\CommandCenter.
• For AIX or Linux, navigate to <CC_Home>/tools/bin.
2. Execute the following backup command:
Windows
OPCCBackup <path-to-backup-location>
AIX
OPCCBackup.sh <path-to-backup-location>
Where:
<path-to-backup-location> is the full path of the directory where the backed up files are located
on the Cognos server. The file path is optional.
Note: If no file path is specified, the OPCCBackup command uses, by default, the backup location
specified in the BACKUP_LOCATION parameter of the <CC_Home>|tools|bin|op-cc-backup-
restore.env file.
The following table lists the default Content Store database export location specified in the
environment file.
Where <SID> is the Oracle System Identifier (for example, OP).
The default Content Store database export locations are:
Windows: <oracle_base>\admin\<SID>\dpdump
AIX: <oracle_base>/admin/<SID>/dpdump
Procedure
1. From a command or shell window, navigate to the op-cc-backup-restore.env file in the bin
directory as follows, where <CC_Home> represents the installation location of the Cognos application..
• For Windows, the bin directory is <CC_Home>\tools\bin. By default, <CC_Home> is
C:\OpenPages\CommandCenter.
• For AIX and Linux, the bin directory is <CC_Home>/tools/bin. By default, <CC_Home> is opt/
OpenPages/CommandCenter.
2. Open the op-cc-backup-restore.env file in a text editor.
3. Change the USE_GZIP_COMPRESSION= setting in the file from false to true.
Procedure
1. Stop the Cognos service on the administrative server and any non-administrative servers in the cluster.
For details, see “Starting and stopping the Cognos services” on page 560.
2. Stop the IBM Cognos Configuration tool, if it is running, on all cluster members.
3. From a command or shell window, navigate to the bin directory as follows:
Where <CC_Home> represents the installation location of the Cognos application.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 393
Table 114: Installation location of the Cognos application (continued)
Operating Installation location
system
AIX and <CC_Home>/tools/bin
Linux
By default, <CC_Home> is /opt/OpenPages/CommandCenter
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 395
On an AIX or Linux operating system, to restore a database with the alias name of sample from the
backup location /opt/db2backup with a backup timestamp of 20121129131259, you could use db2
restore db sample from /opt/db2backup taken at 20121129131259.
For information about restoring your DB2 database, see the IBM DB2 Knowledge Center (http://
www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.ha.doc/doc/
c0006237.html).
Procedure
1. Back up your OpenPages GRC Platform application production DB2 database.
For more information, see “OpenPages GRC Platform DB2 database backup” on page 395.
2. Back up your IBM Cognos Controller production DB2 database.
For information about backing up the IBM OpenPages application database, see “OpenPages GRC
Platform DB2 database backup” on page 395.
3. Create the OpenPages GRC Platform application database instance in the new environment.
For more information about creating a DB2 database, see the IBM DB2 documentation.
4. On the new OpenPages GRC Platform application database only, run the enable-ora-
compatibility script to enable Oracle Compatibility Mode.
In the output, look for the DB2 profile variable, DB2_COMPATIBILITY_VECTOR, with the value of
ORA. For example, DB2_COMPATIBILITY_VECTOR=ORA.
a) On Microsoft Windows, from the Start menu, click All Programs > IBM DB2 > DB2COPY1 >
Command Window - Administrator, and type the following command: enable-ora-
compatibility.bat
Note: If you have multiple instances of DB2 on the server, make sure that you choose the
DB2COPY of the OpenPages database instance.
b) On AIX and Linux, type the following command: ./enable-ora-compatibility.sh
You can use this procedure to refresh any test server by using the backup files from any other IBM
OpenPages GRC Platform server.
Prerequisites:
• Make sure that you have access to both the production or "source" and test or "target" servers.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 397
• The operating systems must match between source and target servers.
OP_n.n.n_Non_Embedded_DVD_1
Where n.n.n represents the current version number of the OpenPages GRC Platform release.
Backing up and copying OpenPages GRC Platform application production files for a DB2
database
The IBM OpenPages GRC Platform backup utility backs up the application files. The exported data from
the production backup file is used later to refresh data on the test or target server.
Procedure
1. Log on to your production OpenPages GRC Platform server as a user with administrative permissions.
2. Run the OpenPages GRC Platform backup utility (OPBackup) to back up the application files.
For more information, see “The OPBackup utility” on page 387.
3. Copy the backup .zip or .tar.gz file to your test server.
Procedure
1. Log on to your test OpenPages GRC Platform server as a user with administrative permissions.
2. Run the backup utility (OPBackup) as described in “The OPBackup utility” on page 387 to backup the
OpenPages GRC Platform application files.
Drop the DB2 Database for the application on the test system
You must drop the IBM OpenPages GRC Platform database on the test server. Dropping the IBM DB2
database for IBM OpenPages GRC Platform on the test system deletes all object data.
The DB2 database includes OpenPages GRC Platform application data.
Procedure
1. If necessary, log on to your IBM OpenPages GRC Platform test server as a user with administrative
permissions.
2. Open a command or shell window.
3. ForWindows users only, type the following command in the Command Prompt window to initialize the
DB2 command line processor (CLP):
db2cmd
4. In the DB2 CLP, type the following command to drop the DB2 test database:
db2 drop db <DATABASE_NAME>
Where <DATABASE_NAME> is the name of the test database.
For example, if the name of the test database is op, type db2 drop database op.
Copy and restore the application production DB2 database backup file to the test DB2
database server
You must use the utilities that are provided with IBM DB2 to restore the IBM OpenPages GRC Platform
application database on the test system.
The OpenPages GRC database backup file from the DB2 production server includes both OpenPages GRC
Platform application data.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 399
Procedure
1. Copy the OpenPages GRC Platform database backup file from the DB2 production server to the test
database server.
2. Copy the Java UDF class files from the DB2 production server folders to the folders on the test
database server.
For example:
• On Windows systems, copy the class files from C:\IBM\SQLLIB\FUNCTION on the production
database server to the DB2 database server on the test system.
• On AIX and Linux systems, copy the class files from /home/db2inst1/sqllib/function on the
production database server to the DB2 database server on the test system.
3. Restore the DB2 database to the test server. For more information, see “OpenPages GRC Platform DB2
database restore” on page 395.
Update the OpenPages GRC Platform storage location in the DB2 database
After you restore the openpage-storage files from the production backup, you must update the IBM
OpenPages GRC Platform storage location on the test database.
Procedure
1. Log on to a system as a user with administrator privileges. You can use any system with access to
CLPPlus that can connect to the OpenPages database server.
2. Copy all the files under the openpages-storage folder from the production backup .zip file to the
openpages-storage location on the test server.
By default, the storage location is <OP_Home>|openpages-storage.
OP_n.n.n_Configuration|Database|DB2|INSTALL_SCRIPTS
Examples
• LFS (AIX and Linux)
clpplus -nw openpages/apassword@testdbserver:50000/opx @sql-wrapper update-
storage /home/op/upd-storage-output.log testdbserver 50000 opx openpages
apassword LFS aix11 aix11 Unix /usr/opdata/openpages-storage
• UNC (Windows)
clpplus -nw openpages/apassword@testdbserver:50000/opx @sql-wrapper update-
storage c:\temp\upd-storage-output.log testdbserver 50000 opx openpages
apassword UNC storageserver eng11 Windows \\storageserver\openpages-storage
Back up the Cognos Database on the DB2 production and test servers
You must use the utilities that are provided with IBM DB2 to back up the IBM Cognos Controller database
on both the production and test servers. The exported DB2 production database is used later to refresh
the IBM Cognos Controller database on the test or target server.
For more information about the databases in IBM OpenPages and backing up DB2 databases, see “DB2
databases for OpenPages GRC Platform backup and restore” on page 394.
Back up Cognos configuration files on the DB2 production and test servers
You must run the Cognos backup utility to back up Cognos configuration files on both the production and
test servers. The Cognos configuration file backup from the production server is used later to refresh
Cognos configuration on the test server.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 401
Before you begin
Before you run the Cognos backup utility (OPCCBackup) make sure to verify the following:
• You have access to both the source and target database servers.
• Full permission is granted to the CommandCenter|tools|bin folder on the target Cognos server.
Procedure
1. If necessary, log on to your production Cognos server as a user with administrative permissions.
2. Run the Cognos backup utility (OPCCBackup) to back up the Cognos configuration files on the
production server.
For more information, see “Using the Cognos backup utility” on page 430.
Tip: If the mail server for notification email is not set up for running Cognos backups, the output from
the OPCCBackup command might end with the following error:
BUILD FAILED
c:\machine3\CommandCenter\tools\bin\op-cc-backup-email-notification.xml:31:
Problem while sending mime mail:
This error can be safely ignored if the step before the error says BUILD SUCCESSFUL.
3. Copy the production Cognos server backup .zip or .tar.gz file to the Cognos backup-restore
directory on the test server.
4. Run the Cognos backup utility (OPCCBackup) to back up the Cognos configuration files on your test
server.
For more information, see “Using the Cognos backup utility” on page 430.
Procedure
1. From a browser, log on to the Cognos Analytics portal as a user with administrative privileges, for
example, OpenPagesAdministrator.
By default, the URL is http://<hostname>/ibmcognos/bi
Where <hostname> is the name of the Cognos server.
2. Click Manage > Administration Console to launch the IBM Cognos Administration page.
3. On the Configuration tab, click Data Source Connections (if not already selected).
4. On the Directory > Cognos page, click the link for the OpenPages DataSource.
5. On the Directory > Cognos > OpenPages DataSource page, do the following:
a) Under the Actions column, click the Set properties - OpenPages DataSource icon .
b) On the Set properties - OpenPages DataSource page, click the Connection tab.
6. On the Connection tab, next to the Connection String box, click the pencil icon to edit the field.
7. On the CLI tab, in the DB2 database name box, change the DB2 database name to the Catalog
Database Name of the OpenPages GRC Platform database on the target environment.
8. On the JDBC tab, in the Server name, Port number, and Database name boxes, change the values to
valid values for the OpenPages GRC Platform database on the target environment.
Procedure
1. Copy the IBM Cognos Controller database backup file from the DB2 production server to the test
database server.
2. Restore the DB2 database to the test server. For more information, see “OpenPages GRC Platform DB2
database restore” on page 395.
Procedure
1. If necessary, log on to your IBM OpenPages GRC Platform test server as a user with administrative
permissions.
2. Open a command or shell window.
3. ForWindows users only, type the following command in the Command Prompt window to initialize the
DB2 command line processor (CLP):
db2cmd
4. In the DB2 CLP, type the following command to drop the DB2 test database:
db2 drop db <DATABASE_NAME>
Where <DATABASE_NAME> is the name of the test database.
For example, if the name of the test database is op, type db2 drop database op.
Procedure
1. If necessary, log on to your test IBM OpenPages GRC Platform server as a user with administrative
permissions.
2. Update the openpages-ext.jar in the test environment as follows:
a) From the production backup .zip files in “Backing up and copying the OpenPages GRC Platform
application production files for an Oracle database” on page 442, navigate to the openpages-
ext.jar in the <OP_Home>|aurora|lib directory.
Where <OP_Home> represents the installation location of the IBM OpenPages application.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 403
Table 117: Installation location of the OpenPages GRC Platform application
Operating Installation location
system
Windows <OP_Home>\aurora\lib\openpages-ext.jar
By default <OP_Home> is C:\OpenPages
b) Copy the openpages-ext.jar from the production backup file into the <OP_Home>|aurora|
lib directory on your test machine and overwrite the existing .jar file there.
Procedure
1. From your application production backup .zip files, extract all custom files such as JAR files, JSP
files, JavaScript files, and Image files.
2. Copy these files into their respective folders on the target machine. The target folders should match
the folders on the source installation.
For more information, see “Updating URL host pointers for reports” on page 478.
Procedure
1. To install DB2 Text Search:
a) Run the custom installation type from the DB2 Server setup CD.
b) Select Work on existing system.
Note: For other DB2 Text Search installation methods, see: Configuring DB2 Text Search (http://
www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.ts.doc/doc/
t0052968.html).
2. After the component is installed, log on to the operating system as the instance owner.
3. Stop the DB2 instance by running the following commands:
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 405
Table 119: Commands for configuring the DB2 Text Search feature by using the default setting
For this operating system... Do this...
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
CLPPlus that can connect to the IBM OpenPages GRC Platform database server.
Note: For SQL tool information, see “Database tool information” on page xxv.
2. Open a command or shell window, navigate to the text-indexing directory as follows:
Windows
<OP_HOME>\aurora\bin\full-text-index
AIX and Linux
<OP_HOME>/aurora/bin/full-text-index
Note: If the database server is not on the same machine as the IBM OpenPages server, you must copy
the script and the SQL files that the script invokes to the database server.
3. Run the following SQL script:
clpplus -nw @sql-wrapper CustomIndexing_Step1_AddTextIndexing_to_DB.sql
<LOG_FILE_NAME> <DB2_SERVER_NAME> <DB2_PORT_NUMBER> <DATABASE_NAME>
<DB2_INSTANCE_OWNER_NAME> <DB2_INSTANCE_OWNER_PASSWORD> <OP_DB_USER>
For example,
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 407
clpplus -nw @sql-wrapper CustomIndexing_Step1_AddTextIndexing_to_DB.sql
CustomIndexing_Step1_AddTextIndexing_to_DB.log server1 50000 op1 db2admin
dbpassword OPENPAGES
Results
The database is now enabled for indexing. Use “Create a long string index in a DB2 database” on page
408 script to create the index.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
CLPPlus that can connect to the IBM OpenPages GRC Platform database server.
Note: For SQL tool information, see “Database tool information” on page xxv.
2. Open a command or shell window, navigate to the text indexing directory as follows.
The following table identifies the installation location of the application on the Microsoft Windows,
AIX, and Linux operating systems.
Note: If the database server is not on the same machine as the IBM OpenPages server, you must copy
the script and the SQL files that the script invokes to the database server.
3. Run the following script:
Table 122: Create DB2 long string index required script parameters
Required Parameter Description
These examples create an index with updates that start every 5 minutes of every hour of every
weekday if there is a minimum of one update to the PROPERTYVALS_CLOB table.
Results
An index is created for long string fields.
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 409
Create a schedule job to synchronize a long string index in a DB2 database
Create a schedule to synchronize and refresh the long string index. Scripts are provided for Windows, AIX,
and Linux.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
CLPPlus that can connect to the IBM OpenPages GRC Platform database server.
Note: For SQL tool information, see “Database tool information” on page xxv.
2. Open a command or shell window, and navigate to the bin directory as follows:
• For Microsoft Windows, type <OP_Home>\aurora\bin.
• For AIX or Linux, type <OP_Home>/aurora/bin.
Note: If the database server is not on the same machine as the IBM OpenPages GRC Platform server,
you must copy the script and the SQL files that the script invokes to the database server.
3. Run the following script:
clpplus -nw @sql-wrapper CustomIndexing_Step3_IndexRefresh.sql
<LOG_FILE_NAME> <DB2_SERVER_NAME> <DB2_PORT_NUMBER> <DATABASE_NAME>
<OP_DB_USER> <OP_DB_PASSWORD> <UPDATE_FREQUENCE_WEEKDAY>
<UPDATE_FREQUENCE_HOUR> <UPDATE_FREQUENCE_MINUTE> <MINIMUM_UPDATES>
Results
Index synchronization jobs run at the interval specified.
Note: Changes to long string fields are not available for filtering until the next scheduled index job runs.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
CLPPlus that can connect to the IBM OpenPages GRC Platform database server.
Note: For SQL tool information, see “Database tool information” on page xxv.
2. Open a command or shell window, and navigate to the text-indexing directory as follows:
Windows
<OP_HOME>\aurora\bin\full-text-index
AIX and Linux
<OP_HOME>/aurora/bin/full-text-index
Note: If the database server is not on the same machine as the IBM OpenPages server, you must copy
the script and the SQL files that the script invokes to the database server.
3. Run the following SQL script:
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 411
clpplus -nw @sql-wrapper CustomIndexing_Step5_IndexDrop.sql <LOG_FILE_NAME>
<DB2_SERVER_NAME> <DB2_PORT_NUMBER> <DATABASE_NAME> <OP_DB_USER>
<OP_DB_PASSWORD> <FORCE_DROP_INDEX>
For example,
clpplus -nw @sql-wrapper CustomIndexing_Step5_IndexDrop.sql
CustomIndexing_Step5_IndexDrop.log server1 50000 op1 OPENPAGES opassword Y
Results
You must re-create the index before you filter on the content of long string fields again. For details on
creating a long string index, see “Create a long string index for an Oracle database” on page 452.
Procedure
1. Go to the Entity Move/Rename utility installation location as follows:
OP_Home|aurora|bin|batch_entity_move_rename_relative
2. Open the batch-entity-move-rename.ini configuration file for editing.
3. Specify appropriate values for the following parameters for a DB2 database environment:
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 413
Table 125: Parameters for a DB2 database in the batch-entity-move-rename.ini file:
(continued)
Source entity The entity on which the operation is run. /The Bank/USA/North
location East/Providence
Target entity The new parent entity for "move" and "move and For "move" and "move and
location rename" operations only. rename" operations:
Note: /Worldwide/
Americas/USA/NE
• For Oracle "rename" operations only (no move),
the value must be "-" (dash).
• For DB2 "rename" operations only (no move), the
value must be blank.
New entity name The new name after the operation for "rename" For "rename" and "move and
and "move and rename" operations only. rename" operations: Boston
Note:
• For Oracle "move" operations only (no rename),
the value must be "-" (dash).
• For DB2 "move" operations only (no rename), the
value must be blank.
The following is a short description of the data in the sample .txt file that is included in the utility
directory.
• The first line illustrates moving entity /The Bank/USA/North East/Providence to new location /
Worldwide/Americas/USA/NE. Operation is to be run as the user SOXAdministrator. This
operation is run first in the batch.
• The second line illustrates in place rename of the entity /Worldwide/Americas/USA/NE/
Providence. Entity name changes to Boston. Target location does not apply and is set to "-". This entry
has a dependency on the previous move operation and has higher number in the execution order
column. Also, it references to the new entity location that will be in effect after the first operation
completes.
• If the first operation fails for any reason, this operation fails as well and the entity location would be
incorrect.
• The third line illustrates simultaneous move of the entity /The Bank/USA/Midwest/Chicago to new
location /Worldwide/Americas/USA/MW and rename to Detroit. This operation has no dependencies
and will be run after the first two complete.
If you have an Oracle database with the 32-bit SQL*Loader utility and an IBMAIXor Linux environment,
see the topic: “Avoid error 0509-036 when you use the 32-bit Oracle SQL*Loader” on page 466.
Otherwise, run the IBM OpenPages GRC Platform Entity Move/Rename utility.
Procedure
1. Move the input file into the utility installation directory, which is at:
OP_Home|aurora|bin|batch_entity_move_rename_relative
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 415
Windows
batch-entity-move-rename.cmd
AIX or Linux
batch-entity-move-rename.sh
5. Upon completion, review the following log files for any errors:
• batch-entity-move-rename-load.log
• batch-entity-move-rename-proc.log
If any errors are reported and you are unable to fix them, contact your IBM Support representative.
Make sure you supply a copy of the screen that contains the error messages and all the log files that
are generated by the tool.
Impact of the Entity Move/Rename utility on the OpenPages GRC Platform application
The Entity Move/Rename utility works directly against the IBM OpenPages GRC Platform database
repository. As a result, the Java based OpenPages GRC application is unaware of the changes made to the
entity hierarchy and folder structure.
As a result, internal application caches might become out of sync with the data in the repository and lead
to discrepancies in the application user interface.
It is required that after you run the tool you restart application services, or run the tool when application
services are stopped.
Also, ensure that the OPBackup command is not running during execution, and that all batch rename and
move operations are completed before you run a backup.
db2cmd
Using IBM OpenPages GRC Platform utilities with IBM DB2 databases 417
418 IBM OpenPages GRC Version 7.4.0 : Administrator's Guide
Chapter 18. Using IBM OpenPages GRC Platform
utilities with Oracle databases
You can use these utilities with your Oracle database for backing up and restoring OpenPages GRC
Platform and Cognos files and databases, and setting up a test environment.
• OpenPages GRC Platform backup (OPBackup) and restore (OPRestore) are used to backup and restore
the OpenPages GRC Platform application and database
• Cognos backup (OPCCBackup) and restore (OPCCRestore) are used to backup and restore OpenPages
GRC Platform Cognos files and the content store.
• Users can choose to execute a live OPBackup. When running live OPBackup, OpenPages GRC Platform
services are not restarted on the application server, allowing for maximum uptime of the application. By
default, the services will be restarted.
Note:
• Log files for email notification are stored in the logs folder in the following location:
– For OPBackup (OpenPages GRC Platform application backup):
• Make sure to set rules in your email client to never send emails from the OpenPages GRC Platform
application server to the Spam or Junk mail folders.
Procedure
1. Open a command or shell window and do one of the following.
a) For an OPBackup (OpenPages GRC Platform application backup,
navigate to the op-backup-restore.env file in the bin directory as follows:
• For Microsoft Windows, the bin directory is <OP_Home>\aurora\bin
• For AIX and Linux, the bin directory is <OP_Home>/aurora/bin
b) For a OPCCBackup (Cognos backup), navigate to the op-cc-backup-restore.env file in the bin
directory where <cc_home> represents the installation of Cognos.
• For Microsoft Windows, the back up path is OPBackup <path-to-back-up-location>
• For AIX and Linux, the back up path is OpBackup.sh <path-to-back-up-location>
where <path-to-backup-location> is the full path of the directory where the backed up files
are located on the application server. If a file path is not specified, the OPBackup command uses,
by default, the backup location specified in the BACKUP_LOCATION parameter of the <OP_Home>|
aurora|bin|op-backup-restore.env file.
2. Open the selected .env file in a text editor.
3. Specify a value after the equal sign (=) for the parameters described in the following table and save
the .env file.
Using IBM OpenPages GRC Platform utilities with Oracle databases 421
Example
The following is a sample error log message that occurred when an OPBackup command was initiated
while the reporting schema was still being generated.
Note: The .log file name has the format op_backup_<yyyy_mm_dd_hh_mm_ss>.log
Where:
<yyyy_mm_dd_hh_mm_ss> represents the year_month_day_hour_minute_second. For example:
Windows
C:\OpenPages\openpages-backup-restore\op_backup_2010_07_26_09_35_42.log
AIX and Linux
/opt/OpenPages/openpages-backup-restore/op_backup_2010_07_26_09_35_42.log
Sample error log messages follow.
• For Oracle database environments, a sample error log message might look similar to this text:
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing processes running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
– can-proceed:
[exec] declare
[exec] *
[exec] ERROR at line 1:
[exec] ORA-20001: There are existing object reset operations running.
[exec] Please let them finish or terminate them before proceeding.
[exec] ORA-06512: at line 7
[exec]
• For IBM DB2 environments, a sample error log message might look similar to this text:
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing processes running. Please let them
[exec] finish or termi".
– can-proceed:
[exec] ERROR near line 26:
[exec] SQL0438N Application raised error or warning with diagnostic
[exec] text: "There are existing object reset operations running.
[exec] Please let them finish or termi".
It is best to run all jobs to completion before you start a backup or restore operation. However, this check
can be enabled or disabled as follows.
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
2. Go to the bin directory:
• For Microsoft Windows, the directory is <OP_HOME>\aurora\bin
• For AIX or Linux, the directory is <OP_HOME>/aurora/bin
3. To encrypt changed database password parameters in the op-backup-restore.env environment
file, run the following command:
• On Windows operating systems: OPBackup.cmd secure
• On AIX and Linux operating systems: ./OPBackup.sh secure
4. To encrypt changed database password parameters in the op-cc-backup-restore.env
environment file, do the following steps:
a) Open a command or shell window on the reporting server.
b) Go to the <CC_Home>/tools/bin directory.
<CC_Home> is the installation location of Cognos.
• For Microsoft Windows, <CC_Home> is C:\OpenPages\CommandCenter.
• For AIX or Linux, <CC_Home> is opt/OpenPages/CommandCenter.
c) Type the following backup command:
Using IBM OpenPages GRC Platform utilities with Oracle databases 423
• On Windows: OPCCBackup.cmd secure
• On AIX or Linux: ./OPCCBackup.sh secure
Scenario 1: The root installation path of the OpenPages GRC Platform storage location changed after
installation
If you modify the root path of the IBM OpenPages GRC Platform storage location in the storageservers
table after installation, make sure you update the OPSTORAGE_LOCATION parameter in the <OP_Home>|
aurora|bin|op-backup-restore.env file to match the new root path (OpenPages GRC Platform
storage location).
If these locations do not match, the OPBackup utility will capture incorrect or stale storage folders.
Example
//<host_server>/openpages_storage
Where:
<host_server> is the name of the administrative server.
Procedure
1. Log on to the current OpenPages GRC Platform application server.
2. Navigate to the OP_HOME|aurora|bin directory and open the op_backup.manifest file in a text
editor.
3. Type the full path name to all custom directory names or to a specific file. Each directory or file must
be on a separate line in the file.
4. Save the manifest file using the current location and name.
Procedure
1. If global search is enabled, disable it:
a) Log in to OpenPages as an administrator.
b) Click Administration > Global Search > Disable.
Using IBM OpenPages GRC Platform utilities with Oracle databases 425
2. Open a command or shell window on the OpenPages GRC Platform application server.
3. Navigate to the bin directory as follows:
• For Microsoft Windows, the bin directory is <OP_Home>\aurora\bin
• For AIX and Linux, the bin directory is <OP_Home>/aurora/bin
4. Execute the following backup command:
OPBackup <path-to-backup-location>
Where <path-to-backup-location> is the full path of the directory where the backed up files are
located on the OpenPages GRC Platform application server. If a file path is not specified, the
OPBackup command uses, by default, the backup location specified in the BACKUP_LOCATION
parameter of the <OP_Home>|aurora|bin|op-backup-restore.env file.
Procedure
1. Make sure that no OpenPages GRC Platform processes are running, such as object reset jobs.
2. Shut down all OpenPages components: application servers (admin and non-admin), reporting servers
(active and standby), and the search server.
For more information, see Chapter 20, “Starting and stopping servers,” on page 549.
3. Open a command or shell window on the admin application server.
4. Go to the <OP_HOME>/aurora/bin directory.
5. Do a full database backup of the OpenPages schema by using OPBackup.
Windows:
Linux or AIX:
The <backup_directory> is the full path to a directory on the database server. This directory is where
the log files are saved. If the file path is not specified, the OPBackup command uses the location that
is specified by the BACKUP_LOCATION parameter in the <OP_HOME>/aurora/bin/op-backup-
restore.env file.
A dump file is created in the OP_DATAPUMP_DIRECTORY directory.
6. Examine the backup log and make note of the dump file name. The naming convention is
openpage_<timestamp>.dmp.
This might happen if there is a relatively high level of data modification transactional activity on the
system during the backup. Run live OP backup when transactional activity is low. If this is not possible or
not desirable, or if the error keeps happening, it may be possible to avoid this error by setting
UNDO_RETENTION initialization parameter to a higher (possibly much higher) value, at least for the
duration of the backup. Setting UNDO_RETENTION to a higher value, may result in a growth of UNDO table
space, so it should be done by an experienced database administrator or with the assistance of IBM
Support.
To use the OpenPages GRC Platform application backup utility live, you run the OPBackup command with
the nosrvrst option. This does the following:
• Backs up OpenPages GRC Platform application and environment files
• Exports the OpenPages GRC Platform application database
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
2. Navigate to the bin directory as follows:
• For Microsoft Windows, the bin directory is \<OP_Home>\aurora\bin
• For AIX or Linux, the bin directory is /<OP_Home>/aurora/bin
3. Type the following backup command:
Windows
where:
Windows
<path-to-backup-location> is <oracle_base>\admin\<SID>\dpdump
AIX and Linux
<path-to-backup-location> is <oracle_base>/admin/<SID>/dpdump
Using IBM OpenPages GRC Platform utilities with Oracle databases 427
• Application server configuration files for IBM WebSphere.
• The openpages-storage directory.
• Pointers to the database schema dump extracts.
• Manifest-defined content (such as solutions-sosa-files.zip or services-sosa-files.zip).
Note:
• If a backup file is 4 GB or larger, configure the OPBackup utility to use gzip (GNU zip). Gzip produces an
archive with an extension of .tar.gz. To view and extract the contents of the archive file, use WinZip® 12
(or higher) or WinRAR® 3.71 (or higher).
• The OPBackup utility adds a military timestamp on the .zip and log files it creates.
The ZIP file can be used as a parameter to the OPRestore command to restore the installation-specific
OpenPages GRC Platform files and the database. Each time the OPBackup command is run, a separate
ZIP file is created and each data file is identified by a unique name.
Procedure
1. From a command or shell window, navigate to the op-backup-restore.env file in the bin directory
as follows.
• For Windows, the installation directory is c:\<OP_Home>\aurora\bin
• For AIX or Linux, the installation directory is <OP_Home>/aurora/bin
2. Open the op-backup-restore.env file in a text editor of your choice.
3. Change the USE_GZIP_COMPRESSION= setting from false to true.
Procedure
1. Open a command or shell window on the OpenPages GRC Platform server.
2. Navigate to the op-backup-restore.env file in the bin directory as follows.
false The storage folder and its content are not backed
up.
5. When finished, save the changes to the file and exit the editor.
Procedure
1. If you enabled the global search component during backup, recreate your search index so that your
search results are synchronised.
a) Click Administration > Global Search.
b) Click Disable to disable the global search component.
c) Click Drop to drop the search indexes.
d) Click Create to recreate the search indexes.
2. Stop the IBM Cognos service.
3. From a command or shell window, navigate to the bin directory as follows:
• For Microsoft Windows, the bin directory is <OP_Home>\aurora\bin
• For AIX and Linux, the bin directory is <OP_Home>/aurora/bin
4. Execute the following command:
Windows
OPRestore <backup-file-name> <path-to-backup-location>
Using IBM OpenPages GRC Platform utilities with Oracle databases 429
AIX and Linux
OPRestore.sh <backup-file-name> <path-to-backup-location>
Where:
<backup-file-name> is the name of the backup file (without the .zip or tar.gz file extension)
What to do next
Preferences related to the long string text index won't be exported by “Running the OPBackup command”
on page 425, and therefore are not restored. You must “Create a long string index for an Oracle database”
on page 452 pointing to the database server you are restoring to.
When you use the OPCCBackup utility, the following Cognos resources are backed up.
• Cognos reports
• Branding and environment files
You can configure e-mail notification (with an attached log file) upon the completion of an OPCCBackup.
For details, see “Email notification for backup jobs” on page 383.
Procedure
1. Log on to a machine with SQL*Plus and a connection to the CommandCenter database instance.
2. Open a command or shell window and do the following:
a) Navigate to the OP_<version>_Non_Embedded directory on your network drive or in the
installation kit.
b) Navigate to the following folder:
/OP_<version>_Non_Embedded/OP_<version>_Configuration/Database/ORACLE/
UPGRADE_SCRIPTS
3. Run the update-datapump-directory.sql script as follows and substitute values for each
parameter:
sqlplus /nolog @sql-wrapper update-datapump-directory <log_file_name>
<tns_name_alias> SYSTEM <password> <create|update> <directory_location>
<user_name>
Note: All parameters are required.
Using IBM OpenPages GRC Platform utilities with Oracle databases 431
Table 130: Parameters for Oracle Data Pump SQL script (continued)
This parameter... Represents...
<user_name> The user name to be used with the Cognos
account for the CommandCenter Database
Schema (Content Store).
Procedure
1. From a command or shell window, navigate to the bin directory as follows:, where <CC_Home>
represents the installation location of the Cognos application.
• For Microsoft Windows, navigate to <CC_Home>\tools\bin. By default, <CC_Home> is
C:\OpenPages\CommandCenter.
• For AIX or Linux, navigate to <CC_Home>/tools/bin.
2. Execute the following backup command:
Windows
OPCCBackup <path-to-backup-location>
AIX
OPCCBackup.sh <path-to-backup-location>
Where:
<path-to-backup-location> is the full path of the directory where the backed up files are located
on the Cognos server. The file path is optional.
Note: If no file path is specified, the OPCCBackup command uses, by default, the backup location
specified in the BACKUP_LOCATION parameter of the <CC_Home>|tools|bin|op-cc-backup-
restore.env file.
The following table lists the default Content Store database export location specified in the
environment file.
Where <SID> is the Oracle System Identifier (for example, OP).
The default Content Store database export locations are:
Windows: <oracle_base>\admin\<SID>\dpdump
AIX: <oracle_base>/admin/<SID>/dpdump
Procedure
1. From a command or shell window, navigate to the op-cc-backup-restore.env file in the bin
directory as follows, where <CC_Home> represents the installation location of the Cognos application
• For Microsoft Windows, the directory is: <CC_Home>\tools\bin. By default, <CC_Home> is
C:\OpenPages\CommandCenter
• For AIX or Linux, the directory is: <CC_Home>/tools/bin. By default, <CC_Home> is opt/
OpenPages/CommandCenter
2. Open the op-cc-backup-restore.env file in a text editor.
3. Change the USE_GZIP_COMPRESSION= setting in the file from false to true:
Procedure
1. Stop the IBM Cognos service on the administrative server and any non-administrative servers in the
cluster. For details, see “Starting and stopping the Cognos services” on page 560.
2. Stop the IBM Cognos Configuration tool, if it is running, on all cluster members.
3. From a command or shell window, navigate to the bin directory where the <CC_Home> represents the
installation location of the Cognos application.
• For Microsoft Windows, the installation location is <CC_Home>\tools\bin. By default, <CC_Home> is
C:\OpenPages\CommandCenter.
• For Aix or Linux, the installation location is <CC_Home>/tools/bin. By default, <CC_Home>
is /opt/OpenPages/CommandCenter
Using IBM OpenPages GRC Platform utilities with Oracle databases 433
4. On the administrative Cognos server, run the following command:
Windows
OPCCRestore <backup-file-name> <path-to-backup-location>
AIX
OPCCRestore.sh <backup-file-name> <path-to-backup-location>
Where:
<backup-file-name> is the name of the backup file (without the .zip or tar.gz file extension).
Note: <path-to-backup-location> is the full path of the directory where the backed up files are
located on the Cognos server. The file path is optional.
If no file path is specified, the OPCCRestore command uses, by default, the backup location specified
in the BACKUP_LOCATION parameter of the <CC_Home>|tools|bin|op-cc-backup-
restore.env file.
5. Start the IBM Cognos service on the administrative server and on any non-administrative servers in
the cluster. For details, see “Starting and stopping the Cognos services” on page 560.
Knowledge of basic Oracle database backup and recovery operations is necessary, as well as use of
RMAN. For more information on the use of RMAN for online database backup and recovery, see the Oracle
documentation.
Procedure
1. Log on to the IBM OpenPages GRC Platform database server as a user with administrative privileges.
2. Open a command or shell window and complete the following action:
a) Go to the OP_<version>_Non_Embedded directory on your network drive or in the installation kit.
b) Go to the INSTALL_SCRIPTS directory at the following location:
OP_<version>_Configuration|Database|ORACLE|INSTALL_SCRIPTS
3. From the INSTALL_SCRIPTS directory copy, the following scripts to a local directory on the database
server.
• Environment-specific online backup scripts:
Windows
rman-env.cmd
rman-init.cmd
rman-daily.cmd
Using IBM OpenPages GRC Platform utilities with Oracle databases 435
recover-db.cmd
AIX and Linux
rman-env.sh
rman-init.sh
rman-daily.sh
recover-db.sh
• More online backup scripts:
enable-archivelog-mode.sql
disable-archivelog-mode.sql
check-fra-size.sql
load_OP_APP_DATA.sql
no-op.sql
op-app-global-env.sql
sql-wrapper.sql
update-fra-size.sql
init_recovery_env.sql
Note:
• The name of the local directory where you are copying the scripts must not contain any space
characters.
• You can run the scripts described in the following topics from the local directory. You can add the
directory to your PATH environment variable so that you can run them from any directory.
Procedure
1. Open the rman-env.cmd (Windows) or rman-env.sh (AIX and Linux) script in a text editor on the
database server. Edit the following environment variables for your Oracle database environment as
shown in Table 131 on page 436.
Using IBM OpenPages GRC Platform utilities with Oracle databases 437
Table 131: Environment Variables in RMAN-ENV Script (continued)
Environment Variable Description
ORACLE_HOME_NAME= Name assigned to <ORACLE_HOME> at installation time.
The Oracle Home Name can be found in the SERVER
parameter in the inventory.xml file in the
<Oracle_Home>\Inventory\
ContentsXML directory.
Example: OPServer
Results
After you enable online backup mode for a database instance, do not make any changes to the
corresponding rman-env script. If you need to increase the size of the backup area, see "Adjusting the
Size of the Backup Area" for more information. Never modify the rman-env script to adjust the size of the
backup area after online database backup mode is enabled.
If you need to back up a different database instance, make a copy of the rman-env script in a different
directory and modify the parameters as appropriate. The FLASH_RECOVERY_AREA parameter must
specify a different location than that of your other online database backups.
Windows example
If there are errors when running this script, the script output will list the directory location containing the
error log. The error log file name is enable-archivelog-more.log.
Important: The script described in this section restarts the database. It is recommended that you alert
users that they will be temporarily unable to access the database until the script has finished running.
AIX example
Where:
• <log_file_name> is the directory location, including the log file name that you specify, where any
errors or messages relating to this script are logged. If you specify only the log file name, it is stored in
the current working directory.
• <tns_name_alias> is the TNS alias of the IBM OpenPages GRC Platform database instance as it is
known on the network. If necessary, you can retrieve this alias from the tnsnames.ora file.
• <system_password> is the Oracle SYSTEM account password.
The script displays the following information (in megabytes):
• Used Space — Space that is already used and not available for online database backups.
• Allocated Space — Maximum size of the backup area, including used and free space. This is the same as
the value of the FLASH_RECOVERY_AREA_SIZE parameter in the rman-env script.
• Used-Reclaimable — Space that is free for use in online database backups.
Using IBM OpenPages GRC Platform utilities with Oracle databases 439
Example:
Displays the used, allocated, and free space for database instance op.
Increase the size of the backup area to make more space available for online database backups. You can
increase or decrease the size of the backup area by running one of the scripts described in the following
section.
Important: Do not delete files manually from the backup area to free up space. Doing so causes the
following error: RMAN-06059: expected archived log not found.
Where:
• <log_file_name> is the directory location, including the log file name that you specify, where any
errors or messages relating to this script are logged. If you specify only the log file name, it is stored in
the current working directory.
• <tns_name_alias> is the TNS alias of the IBM OpenPages GRC Platform database instance as it is
known on the network. If necessary, you can retrieve this alias from the tnsnames.ora file.
• <sysdba_password> is the Oracle SYS account password.
• <new_size> is the updated size of the backup area (use M for megabytes or G for gigabytes). For
example, you would specify 20 gigabytes as 20G.
Example:
Where:
• <log_file_name> is the directory location, including the log file name that you specify, where any
errors or messages relating to this script are logged. If you specify only the log file name, it is stored in
the current working directory.
• <tns_name_alias> is the TNS alias of the IBM OpenPages GRC Platform database instance as it is
known on the network. If necessary, you can retrieve this alias from the tnsnames.ora file.
• <sysdba_password> is the Oracle SYS account password.
Example:
Important:
• The script restarts the database. Users are unable access the database while the script is running.
• After disabling online database backup mode, if you want to re-enable online database backup mode for
the database instance, do not use the rman-init or rman-daily scripts. Doing so may cause
unpredictable database behavior or other problems. To re-enable online database backup mode,
contact your IBM representative for assistance.
Prerequisites
Ensure you have access to the production server and test server.
Ensure the production server and test server have the same installed version of the IBM OpenPages GRC
Platform application, including patches.
Ensure you have access to the installation media:
• OP_version_Non_Embedded
Using IBM OpenPages GRC Platform utilities with Oracle databases 441
Backing up and copying the OpenPages GRC Platform application production files for an
Oracle database
The exported data from the production backup file will be used later to refresh data on the test server.
Procedure
1. Log on to your production IBM OpenPages GRC Platform server as a user with administrative
permissions.
2. Run the OpenPages GRC Platform backup utility (OPBackup) to back up the OpenPages application
database.
For more information, see “The OPBackup utility” on page 387.
3. Copy the backup .zip or .tar.gz file to your test server.
Backing up the OpenPages GRC Platform application test files on your Oracle test data
You can back up IBM OpenPages GRC Platform application test data.
Procedure
1. Log on to your test OpenPages GRC Platform server as a user with administrative permissions.
2. Run the backup utility (OPBackup) as described in “The OPBackup utility” on page 387 to backup the
OpenPages GRC Platform application database.
Procedure
1. If necessary, log on to your IBM OpenPages GRC Platform test server as a user with administrative
permissions.
2. Open a command or shell window and do the following:
a) Navigate to OP_<version>_Non_Embedded on your network drive or in the installation kit.
b) Navigate to the INSTALL_SCRIPTS directory at the following location:
OP_<version>_Configuration|Database|ORACLE|INSTALL_SCRIPTS
Copy the production database dump (.dmp) file to the test database server
You can copy the production database file to the test database server.
Procedure
1. Locate the database dump (.dmp) file directory on the source production and target test database
servers.
Note:
Note: Make sure to copy the .dmp file with the timestamp that matches when you ran the OPBackup
command.
Procedure
1. Open a command or shell window and set the NLS_LANG environment variable as follows.
Windows
In the Command Prompt window where you will be invoking the import commands, execute the
following command:
set NLS_LANG=AMERICAN_AMERICA.AL32UTF8
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
Save the change to the file, and either execute the .profile in your shell window or log on again.
2. Import the OpenPages GRC Platform database on the test database server from the backup files in
“Backing up and copying the OpenPages GRC Platform application production files for an Oracle
database” on page 442 as follows.
Note: The Oracle Data Pump command IMPDP is used as the IMP command is not supported.
For more information on Oracle Data Pump, see “Oracle Data Pump” on page 419.
From the same command or shell window, run the following command to import the OpenPages GRC
Platform database:
impdp <op_db_user>/<op_db_password>@<SID>
DIRECTORY=OP_DATAPUMP_DIRECTORY
DUMPFILE=<openpages_dump_file>
LOGFILE=openpages_import.log
Using IBM OpenPages GRC Platform utilities with Oracle databases 443
Table 133: Parameters and their descriptions (continued)
Parameter Description
<op_db_password> The OpenPages GRC Platform password for
accessing the OpenPages database.
<SID> The Oracle System Identifier (for example, OP or
OP).
<openpages_dump_file> The .dmp file name of the backed up OpenPages
GRC Platform application database.
Important: Do not enter an explicit path when
specifying the .dmp file name. Enter only the file
name.
Example
impdp openpages/openpages@OP
DIRECTORY=OP_DATAPUMP_DIRECTORY
DUMPFILE=openpages_backup_YYYY_MM_DD_HH_MI_SS.dmp
LOGFILE=openpages_import.log
Note: If the source schema name and target schema names are different, the schema must be
remapped during import. Add the following argument to this impdp command to remap the schema:
Remap_schema=<source_schema>:<target_schema>
Example
impdp openpages/openpages@OP
DIRECTORY=OP_DATAPUMP_DIRECTORY
DUMPFILE=openpages_backup_YYYY_MM_DD_HH_MI_SS.dmp
LOGFILE=openpages_import.log remap_schema=opuser:openpages
Update the OpenPages GRC Platform storage location in the Oracle database
After you restore the openpage-storage file from the product backup, you must update the IBM
OpenPages GRC Platform storage location in the database.
Procedure
1. Log on to a system with administrative permissions. You can use any system with access to CLPPlus
that can connect to the OpenPages database server.
2. Copy all the files under the openpages-storage folder from the production backup .zip file to the
openpages-storage location on the test server.
By default, the storage location is <OP_Home>|openpages-storage
OP_<version>_Configuration|Database|ORACLE|INSTALL_SCRIPTS
4. From the INSTALL_SCRIPTS directory, run the update-storage SQL wrapper script with the
following parameters (see Table 135 on page 445 for a description) to update the openpages-
storage directory location in the database:
Where:
Examples
• LFS
Windows
Using IBM OpenPages GRC Platform utilities with Oracle databases 445
update-storage c:\temp\upd-storage-output.log
op openpages openpages LFS eng11 eng11
Windows c:\OpenPages\openpages-storage
AIX
• UNC
Windows
AIX
Procedure
1. Log in to the OpenPages application in the target environment as a user with administrative privileges.
2. If the global search component is enabled, disable it.
a) Click Administration > Global Search.
b) Click Disable.
3. Stop the global search services.
For more information, see “Start or stop the global search services” on page 553.
4. Update the global search settings.
a) Click Administration > Settings > Applications > Common > Configuration > Show Hidden
Settings and set the value to true.
b) Click Administration > Settings > Platform > Search > Admin and update the Search Server
Administration URLwith the URL of the search server in your target environment.
c) Click Administration > Settings > Platform > Search > Index and update the Search Server URL
with the URL of the search server in your target environment.
d) Click Administration > Settings > Platform > Search > Request and update the Search Server
URL with the URL of the search server in your target environment.
5. If the source environment is using IBM OpenPages GRC Platform version 7.3 or later, do the following
steps.
a) Copy the <SEARCH_HOME>/openpages-solr-index directory to the search server in the target
environment.
The <SEARCH_HOME>/openpages-solr-index contains the global search index.
Results
Global search is enabled in the target environment.
• Full permission is granted to the CommandCenter|tools|bin folder on the target Cognos server.
Procedure
1. If necessary, log on to your production Cognos server as a user with administrative permissions.
2. Run the Cognos backup utility (OPCCBackup) to back up the Cognos database and configuration files.
For more information, see “Using the Cognos backup utility” on page 430.
Tip: If the mail server for notification e-mails has not been set up for running Cognos backups, the
output from the OPCCBackup command might end with the following error:
BUILD FAILED
c:\machine3\CommandCenter\tools\bin\op-cc-backup-email-notification.xml:31:
Problem while sending mime mail:
This error can be safely ignored as long as this step says BUILD SUCCESSFUL.
3. Copy the production Cognos server backup .zip or .tar.gz file to the Cognos backup-restore
directory on the test server.
Using IBM OpenPages GRC Platform utilities with Oracle databases 447
4. Copy the database dump (.dmp) file from the Oracle datapump directory on the source database
server to the datapump directory on the target database server.
Make sure you copy the dump file with the timestamp that matches when you ran the OPCCBackup
command. By default, the file will be named similar to OPENPAGES_CC_<timestamp>.DMP.
Note:
To find the datapump directory for either the source or target database, run the following SQL query as
the system user:
Procedure
1. If necessary, log on to your test IBM OpenPages GRC Platform server as a user with administrative
permissions.
2. Run the Cognos backup utility (OPCCBackup) as described in “Using the Cognos backup utility” on
page 430 to back up the Cognos database and configuration files.
Restoring the Cognos data and files to the Oracle test environment
You can restore data and files to the test environment.
Procedure
1. Log on to your test IBM OpenPages GRC Platform server as a user with administrative permissions.
2. From the INSTALL_SCRIPTS directory, run the AuroraDbDelete.sql script as follows:
a) Log on to SQL*Plus as the Cognos database user (for example: sqlplus cognos/cognos@test).
b) Run the following script to drop the objects in the schema on the test server:
@AuroraDbDelete.sql
c) When finished, log out of SQL*Plus.
3. Import the Cognos database on the target (test) database server from the backup file from the source
(production) database server as follows.
From a command or shell window, run the following command to import the Cognos database:
impdp <cognos_db_user>/<cognos_db_password>@<SID>
DIRECTORY=OP_DATAPUMP_DIRECTORY
DUMPFILE=<cc_dump_file> LOGFILE=cc_import.log
Where:
Example
impdp cognos/cognos@OP DIRECTORY=OP_DATAPUMP_DIRECTORY
DUMPFILE=openpages_cc_YYYY_MM_DD_HH_MI_SS.dmp
LOGFILE=openpages_cc_import.log
Note: If the source schema name and target schema names are different, the schema must be
remapped during import. Add the following argument to this impdp command to remap the schema:
Remap_schema=<source_schema>:<target_schema>
Example
Depending on the type of installation, one or both of the following Oracle data source links are displayed
in the IBM Cognos Administration tool for the reporting framework:
• The OpenPages DataSource is used for the Reporting Framework V6. V6 refers to the latest framework
version, not to any specific OpenPages release number.
• For Oracle Database environments only, the Oracle Native Driver is used for the Legacy Reporting
Framework (upgraded systems only).
Note: For Oracle Database environments only, both the OpenPages DataSource and Oracle Native
Driver data sources connect to the same database repository and use the same authentication
information (signons).
Procedure
1. From a browser, log on to the Cognos Analytics portal as a user with administrative privileges, for
example, OpenPagesAdministrator.
By default, the URL is http://<hostname>/ibmcognos/bi
Where <hostname> is the name of the Cognos server.
2. Click Manage > Administration Console to launch the IBM Cognos Administration page.
3. On the Configuration tab, click Data Source Connections (if not already selected).
4. On the Directory > Cognos page, click the More link in the same row as the data source you want (for
example, OpenPages DataSource).
5. On the Perform an Action page, under Available actions, click the View connections link.
6. On the Directory > Cognos > < name of data source > page, click the More link in the same row as
the selected data source.
7. On the Perform an Action page for the data source, under Available actions, click the View signons
link.
8. On the Directory > Cognos > < name of data source > signons page, do the following:
Using IBM OpenPages GRC Platform utilities with Oracle databases 449
a) Under the Actions column, click the Set properties - < name of data source > icon.
b) On the Set properties-< name of data source > page, click the Signon tab.
9. On the Signon tab:
a) Click the Edit the signon link.
b) Update the password.
Procedure
1. From a browser, log on to the Cognos Analytics portal as a user with administrative privileges, for
example, OpenPagesAdministrator.
By default, the URL is:
http://<hostname>/ibmcognos/bi (if you are using port 80 for Cognos)
Where <hostname> is the name of the Cognos server.
2. Click Manage > Administration Console to launch the IBM Cognos Administration page.
3. On the Configuration tab, click Data Source Connections (if not already selected).
4. On the Directory > Cognos page, click the link for the IBM OpenPages GRC Platform data source.
5. On the Directory > Cognos > OpenPages DataSource page, do the following:
a) Under the Actions column, click the Set properties - OpenPages DataSource icon .
b) On the Set properties - OpenPages DataSource page, click the Connection tab.
6. On the Connection tab, next to the Connection String box, click the pencil icon to edit the field.
7. On the edit page, do the following:
a) On the OCI tab, in the SQL*Net connect string box, change the SQL*Net connect string to the TNS
alias of the OpenPages database on the target environment.
b) On the JDBC tab, in the Server name, Port number, and Oracle Service ID boxes, change the
values to valid values for the IBM OpenPages GRC Platform database on the target environment.
8. If this is an upgraded legacy system, repeat the steps in this task for the Oracle Native Driver, if
it exists.
Procedure
1. If necessary, log on to your test IBM OpenPages GRC Platform server as a user with administrative
permissions.
2. Update the openpages-ext.jar in the test environment as follows:
a) From the production backup .zip files in “Backing up and copying the OpenPages GRC Platform
application production files for an Oracle database” on page 442, navigate to the openpages-
ext.jar in the <OP_Home>|aurora|lib directory.
b) Copy the openpages-ext.jar from the production backup file into the <OP_Home>|aurora|
lib directory on your test machine and overwrite the existing .jar file there.
Procedure
1. From your application production backup .zip files, extract all custom files such as JAR files, JSP
files, JavaScript files, and Image files.
2. Copy these files into their respective folders on the target machine. The target folders should match
the folders on the source installation.
For more information, see “Updating URL host pointers for reports” on page 478.
Using IBM OpenPages GRC Platform utilities with Oracle databases 451
• “Create a schedule job to synchronize a long string index” on page 454
• “Drop a long string index” on page 455
• “Modifying the list of stop words” on page 456
To apply filters with long string fields, you must change the OpenPages > Platform > Database > Text
Indexes setting to true.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in the
path.
For details on working with settings, see Chapter 15, “Viewing the Configuration and Settings page,” on
page 307.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
SQL*Plus that can connect to the IBM OpenPages GRC Platform database server.
2. Open a command or shell window, navigate to the full-text-index directory as follows.
The following table identifies the installation location of the application on the Microsoft Windows,
AIX, and Linux operating systems.
Note: If the database server is not on the same computer as the OpenPages server, you must copy the
script, and the SQL files it starts, to the database server.
3. Run the following batch command:
Windows
CreateOpenPagesTextIndex.bat <SID> <OPX_USER_NAME> <OPX_USER_PASSWORD>
<MEMORY_LIMIT> <PARALLEL_INDEXING_DEGREE>
AIX and Linux
CreateOpenPagesTextIndex.sh <SID> <OPX_USER_NAME> <OPX_USER_PASSWORD>
<MEMORY_LIMIT> <PARALLEL_INDEXING_DEGREE>
Procedure
1. Log on to the Oracle database server as a user with database administrator privileges.
Note: You can enable only Oracle Text from the database server.
2. Open a command or shell window, navigate to the full-text-index directory as follows.
The following table identifies the installation location of the application on the Microsoft Windows,
AIX, and Linux operating systems.
Note: If the database server is not on the same computer as the IBM OpenPages GRC Platform server,
copy the script and the SQL files to the database server.
3. Run the following batch command:
Windows
EnableOpenPagesTextIndexing.bat <SID> <SYSDBA_USER_NAME>
<SYSDBA_PASSWORD> <OPX_USER_NAME>
AIX and Linux
EnableOpenPagesTextIndexing.sh <SID> <SYSDBA_USER_NAME> <SYSDBA_PASSWORD>
<OPX_USER_NAME>
Note: All parameters are required.
Using IBM OpenPages GRC Platform utilities with Oracle databases 453
Table 142: Parameters in the batch command (continued)
Parameter name Description
<SYSDBA_PASSWORD> Password for SYSDBA user account.
<OPX_USER_NAME> OpenPages GRC Platform application schema
owner name.
Results
The database is now enabled for indexing. Use “Create a long string index for an Oracle database” on
page 452 script to create the index.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
SQL*Plus that can connect to the IBM OpenPages GRC Platform database server.
2. Open a command or shell window, then navigate to the full-text-index directory as follows.
The following table identifies the installation location of the application on the Microsoft Windows,
AIX, and Linux operating systems.
Note: If the database server is not on the same machine as the OpenPages server, you must copy the
script, and the SQL files it invokes, to the database server.
3. Run the following batch command:
Windows
ManageOpenPagesTextIndexRefreshJob.bat <SID> <OPX_USER_NAME>
<OPX_USER_PASSWORD> <START_JOBS_AFTER_DAYS> <JOB_START_HOUR>
<REFRESH_FREQ_IN_HOURS> <REFRESH_FREQ_IN_MINS> <MEMORY_LIMIT>
<PARALLEL_INDEXING_DEGREE> <MAX_SYNC_TIME>
AIX and Linux
ManageOpenPagesTextIndexRefreshJob.sh <SID> <OPX_USER_NAME>
<OPX_USER_PASSWORD> <START_JOBS_AFTER_DAYS> <JOB_START_HOUR>
<REFRESH_FREQ_IN_HOURS> <REFRESH_FREQ_IN_MINS> <MEMORY_LIMIT>
<PARALLEL_INDEXING_DEGREE> <MAX_SYNC_TIME>
Results
Index synchronization jobs run at the interval specified.
Note: Changes to long string fields are not available for filtering until the next scheduled index job runs.
For example, ManageOpenPagesTextIndexRefreshJob.bat OP opadmin opadmin 1 3 24 0
2G 0 60 schedules indexing synchronization to start at 3 a.m. starting on the next day, and then repeats
every day at the same time. There is a 2-gigabyte memory limit, no parallel indexing, and the job can run
no more than an hour.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
SQL*Plus that can connect to the IBM OpenPages GRC Platform database server.
2. Open a command or shell window, then navigate to the full-text-index directory as follows.
The following table identifies the installation location of the application on the Microsoft Windows,
AIX, and Linux operating systems.
Using IBM OpenPages GRC Platform utilities with Oracle databases 455
Note: If the database server is not on the same machine as the OpenPages server, you must copy the
script, and the SQL files it invokes, to the database server.
3. Run the following batch command:
Windows
DropOpenPagesTextIndex.bat <SID> <OPX_USER_NAME> <OPX_USER_PASSWORD>
AIX and Linux
DropOpenPagesTextIndex.sh <SID> <OPX_USER_NAME> <OPX_USER_PASSWORD>
What to do next
You must recreate the index before filtering on the content of long string fields again. For details on
creating a long string index, see “Create a long string index for an Oracle database” on page 452.
Procedure
1. Open CustomIndexing_ManageStopWords.sql with a text editor
2. Add a stop word for each word you would like to add by copying the following, commented out
sections:
/*
ADD_STOPWORD_TO_ARRAY
(
p_name => 'me'
);
*/
For example, if you want to add the stop word "the", copy the preceding section, remove the comment
sign, and replace "me" with "the" as follows. Repeat the same step for each word you want to add.
ADD_STOPWORD_TO_ARRAY
(
p_name => 'the'
);
Stop words added to this file will not take effect until the next time you re-index. This file is used as the
most updated list of stop words when the index is recreated. When running
CustomIndexing_Step2_IndexCreate.sql, all current stop words in OP_STOPLIST are removed.
It is a good idea to keep this file up to date.
Procedure
1. Log on to a system as a user with Administrator privileges. You can use any system with access to
SQL*Plus that can connect to the IBM OpenPages GRC Platform database server.
2. Stop all services (see Chapter 20, “Starting and stopping servers,” on page 549).
3. Navigate to the field-concat-utility folder located in the bin directory:
5. Edit the new SQL file to provide the values necessary. Only edit the values in the declaration section of
the SQL file. For details, see “The string concatenation SQL file” on page 458.
Important: Many of the parameters specified in the SQL file have requirements, restrictions, and
cautions noted. These are important for a successful concatenation.
Tip: When editing your copy of the field_concat_template.sql file with multi-byte characters,
and saving the file in Unicode, your editor may insert a Byte Order Mark (BOM) into the file. Some
applications (such as a text editor or a browser) display the BOM as an extra line in the file, while
others display unexpected characters, such as . If you save the file in UTF-8 encoding (leaving the
BOM in the file) and run the string concatenation script, you get an error message (SP2-0734:
Using IBM OpenPages GRC Platform utilities with Oracle databases 457
unknown command beginning "---------..."), but the script continues to run without a
problem. This error has no effect on the script running, but if you prefer not to see the error, save the
file without a Byte Order Mark.
6. Execute the following command:
Windows
AIX
Tip: To see details on database operation messages, run the following SQL statement:
7. Start all services (see Chapter 20, “Starting and stopping servers,” on page 549).
8. Optional: Apply a field level security rule to the large long text field. For more information, see “Field
level security” on page 69.
Results
If the destination long text field does not exist, it is created and populated with values according to the
values specified in the SQL file.
If the destination long text field exists, but is not used in any way, it is populated with values according to
the values specified in the SQL file.
For details on the SQL file, see “The string concatenation SQL file” on page 458.
Parameters
Using IBM OpenPages GRC Platform utilities with Oracle databases 459
Table 149: field_concat_template.sql parameters (continued)
Parameter Description
l_separator The separator to use between concatenated fields.
The default separator is null.
If you concatenate only one source into the
destination, the separator character is not used.
• To use "&" as a separator, encode it as chr(38).
For example:
l_separator OP_GLOBALS.DB_Max_String_T
:= chr(38);
l_separator OP_GLOBALS.DB_Max_String_T
:= chr(38)||'lt ';
Using IBM OpenPages GRC Platform utilities with Oracle databases 461
Table 149: field_concat_template.sql parameters (continued)
Parameter Description
l_override_objtp_logic Set to true to override any logic applied to the
object types, such as their relationships. The
default is OP_Globals.sc_False.
Valid values are:
• OP_Globals.sc_True
• OP_Globals.sc_False
If l_object_type_name is left blank, and the
source and destination field groups are associated
to different object types, the script will fail unless
you set this parameter to OP_Globals.sc_True.
Each source field group and destination field group
must associate with the same object type or set of
object types.
For example, the following scenario will fail unless
this parameter is set to OP_Globals.sc_True:
• Source field group A is associated to object types
X and Y.
• Source field group B is associated only to object
type X.
• Destination field group is associated only to
object type X.
Sample
Note: The following sample includes only those declarative statements that are subject to your changes.
declare
l_actor_name ACTORINFO.NAME%type := 'OPAdmin';
l_field_group_name_src01 BUNDLEDEFS.NAME%type := 'QA10_SS_1';
l_property_name_src01 PROPERTYDEFS.NAME%type := 'QA10_Simple2';
l_field_group_name_src02 BUNDLEDEFS.NAME%type := 'QA10_LargeText';
l_property_name_src02 PROPERTYDEFS.NAME%type := 'QA10_S3';
l_field_group_name_src03 BUNDLEDEFS.NAME%type := 'Core Attributes';
l_property_name_src03 PROPERTYDEFS.NAME%type := 'Resource Description';
l_field_group_name_src04 BUNDLEDEFS.NAME%type := 'MG_7';
l_property_name_src04 PROPERTYDEFS.NAME%type := 'MG_S7';
l_field_group_name_src05 BUNDLEDEFS.NAME%type := 'MG_4';
l_property_name_src05 PROPERTYDEFS.NAME%type := 'MG_S4';
l_field_group_name_src06 BUNDLEDEFS.NAME%type := 'MG_5';
l_property_name_src06 PROPERTYDEFS.NAME%type := 'MG_S5';
l_field_group_name_src07 BUNDLEDEFS.NAME%type := 'MG_6';
l_property_name_src07 PROPERTYDEFS.NAME%type := 'MG_S6';
l_field_group_name_src08 BUNDLEDEFS.NAME%type := 'MG_3';
l_property_name_src08 PROPERTYDEFS.NAME%type := 'MG_S3';
l_separator OP_GLOBALS.DB_Max_String_T := ',';
l_object_type_name ASSETTYPES.NAME%type := 'SOXBusEntity';
l_field_group_name BUNDLEDEFS.NAME%type := 'QA10_LargeText';
l_property_name PROPERTYDEFS.NAME%type := 'TEST101';
l_property_desc PROPERTYDEFS.DESCRIPTION%type := 'MGMGMGMGDescription';
l_large_text_length PROPERTYDEFS.DATA_LENGTH%type :=
OP_OBJ_MODEL_MGR.g_dl_longtext_medium;
l_is_done_by_vendor OP_Globals.Flag_String_T := OP_Globals.sc_False;
l_remote_address i18n_audit_trail.remote_address%type := '';
l_remote_host i18n_audit_trail.remote_host%type := '';
l_preview_only OP_Globals.Flag_String_T := OP_Globals.sc_False;
l_override_objtp_logic OP_Globals.Flag_String_T := OP_Globals.sc_False;
Procedure
1. Go to the Entity Move/Rename utility installation location as follows:
OP_Home|aurora|bin|batch_entity_move_rename_relative
2. Open the batch-entity-move-rename.ini configuration file for editing.
3. Specify appropriate values in the following parameters for an Oracle database environment:
connect_string Oracle database connection details. Use either the TNS alias or EZCONNECT
format.
TNS:
<user>/<password>@<TNS alias>
EZCONNECT:
<user>/<password>@//<host>:<port>/<sid>
Using IBM OpenPages GRC Platform utilities with Oracle databases 463
Table 150: Parameters for an Oracle database in the batch-entity-move-rename.ini file:
(continued)
Source entity The entity on which the operation is run. /The Bank/USA/North
location East/Providence
Target entity The new parent entity for "move" and "move and For "move" and "move and
location rename" operations only. rename" operations:
Note: /Worldwide/
Americas/USA/NE
• For Oracle "rename" operations only (no move),
the value must be "-" (dash).
• For DB2 "rename" operations only (no move), the
value must be blank.
New entity name The new name after the operation for "rename" For "rename" and "move and
and "move and rename" operations only. rename" operations: Boston
Note:
• For Oracle "move" operations only (no rename),
the value must be "-" (dash).
• For DB2 "move" operations only (no rename), the
value must be blank.
The following is a short description of the data in the sample .txt file that is included in the utility
directory.
• The first line illustrates moving entity /The Bank/USA/North East/Providence to new location /
Worldwide/Americas/USA/NE. Operation is to be run as the user SOXAdministrator. This
operation is run first in the batch.
• The second line illustrates in place rename of the entity /Worldwide/Americas/USA/NE/
Providence. Entity name changes to Boston. Target location does not apply and is set to "-". This entry
has a dependency on the previous move operation and has higher number in the execution order
column. Also, it references to the new entity location that will be in effect after the first operation
completes.
• If the first operation fails for any reason, this operation fails as well and the entity location would be
incorrect.
• The third line illustrates simultaneous move of the entity /The Bank/USA/Midwest/Chicago to new
location /Worldwide/Americas/USA/MW and rename to Detroit. This operation has no dependencies
and will be run after the first two complete.
If you have an Oracle database with the 32-bit SQL*Loader utility and an IBMAIXor Linux environment,
see the topic: “Avoid error 0509-036 when you use the 32-bit Oracle SQL*Loader” on page 466.
Otherwise, run the IBM OpenPages GRC Platform Entity Move/Rename utility.
Using IBM OpenPages GRC Platform utilities with Oracle databases 465
Avoid error 0509-036 when you use the 32-bit Oracle SQL*Loader
This task applies only to the Entity Move/Rename operation if you use the 32-bit SQL*Loader utility with
Oracle databases in IBM AIX or Linux environments. Skip this task if you are using the 64-bit SQL*Loader
utility.
If you use the 32-bit SQL*Loader (sqlldr) utility, the following system error might be displayed:
exec(): 0509-036 Cannot load program sqlldr because of the following errors:
0509-026 System error: There is not enough memory available now.
Failure while executing the Oracle SQL*Loader. Exit code is 255
If the 0509-036 system error is displayed, you can set the Loader Control environment variable by
opening a shell window and running the following command:
Tip: If you are running the IBM OpenPages GRC Platform Entity Move/Rename utility as a scheduled cron
job, make sure to set the Loader Control environment variable in the cron environment.
When finished, run the IBM OpenPages Entity Move/Rename utility. See “Running the entity move/
rename utility interactively” on page 466 or “Running the Entity Move/Rename utility as a scheduled
task” on page 416.
Procedure
1. Move the input file into the utility installation directory, which is at:
OP_Home|aurora|bin|batch_entity_move_rename_relative
Impact of the Entity Move/Rename utility on the OpenPages GRC Platform application
The Entity Move/Rename utility works directly against the IBM OpenPages GRC Platform database
repository. As a result, the Java based OpenPages GRC application is unaware of the changes made to the
entity hierarchy and folder structure.
As a result, internal application caches might become out of sync with the data in the repository and lead
to discrepancies in the application user interface.
It is required that after you run the tool you restart application services, or run the tool when application
services are stopped.
Also, ensure that the OPBackup command is not running during execution, and that all batch rename and
move operations are completed before you run a backup.
Using IBM OpenPages GRC Platform utilities with Oracle databases 467
468 IBM OpenPages GRC Version 7.4.0 : Administrator's Guide
Chapter 19. System Maintenance
You can perform system maintenance tasks such as changing the default port numbers, changing
password references, updating values in property files, and so on.
Port assignments
Both dedicated ports and ports that are dynamically assigned for each installation are used for the IBM
OpenPages GRC Platform installation. These default ports can be changed after installation.
Default ports
The following table lists the default ports.
Search server (used for indexing and searching OpenPages data) 8983
On Windows computers, additional OpenPages installations increment the port numbers by two.
AIX
netstat -an | grep <port_number>
Changing OpenPages GRC Platform application ports for an IBM WebSphere Application
Server environment
Because the IBM OpenPages GRC Platform application on the IBM WebSphere Application Server uses
port ranges, if you need to change one of the OpenPages environment port numbers, you should change
all of the OpenPages application server ports to a new range.
Important: This information applies only to IBM WebSphere environments.
By default, the OpenPages GRC Platform application on the IBM WebSphere Application Server uses the
port range 10101-10120.
Procedure
1. Log on to the admin server as a user with administrator privileges.
2. To stop an OpenPages application server, do the following:
a) Open an AIX or Linux shell and navigate to the <OP_Home>/profiles/<server_name>-
OPNode1/bin directory where <OP_Home> represents the installation location of the OpenPages
application.
By default:
/opt/OpenPages
b) Enter the commands as follows to stop each OpenPages application server for which you want to
change the port numbers:
./stopServer.sh <host_name>-OPNode1Server<#>
Procedure
1. Open a browser window and navigate to the following address to launch IBM WebSphere Integrated
Solutions Console for the OpenPages GRC Platform application, by default:
http://<server_name>:<port>/ibm/console where <server_name> is the name of the server
where the IBM WebSphere Application Server is installed and <port> is the OpenPages GRC Platform
application port. For more information see “Port assignments” on page 469.
2. Log on to the IBM WebSphere Integrated Solutions Console as a user with administrative privileges.
3. Expand Servers then Server Types and click the WebSphere application servers link.
4. In the list on the Application servers page, click the name of the application server for which you want
to change port numbers. For example:
<server_name>-OPNode1Server<#>
Procedure
“Updating the Java Messaging ports on the OpenPages GRC Platform server” on page 473
Updating the Java Messaging ports on the OpenPages GRC Platform server
Launch the IBM WebSphere Integrated Solutions Console for the IBM OpenPages GRC Platform
application and update the OpenPages ports used by the Java Messaging Service.
Procedure
1. On the IBM WebSphere Integrated Solutions Console for the OpenPages GRC Platform application
(http://<server_name>:<port>/ibm/console), update the OpenPages topic connection
factories with the new port number(s) set previously.
A topic connection factory is used by the IBM WebSphere Application Server to send messages
between Java clients within your environment.
a) Expand Resources then JMS and click the Topic Connection Factories link.
b) In the list on the Topic connection factories page, click the OPTCF link.
c) Under General Properties, locate the Provider endpoints field in the Connections group.
d) Update the port number in the Provider endpoints field for the IBM WebSphere SIB messaging
service with the new SIB endpoint address for the OpenPages server:
<server_name>:<SIB_ENDPOINT_ADDRESS>:BootstrapBasicMessaging.
If necessary, refer to the Application servers >
<server_name>-OPNode1Server# > Ports page for the current OpenPages SIB Endpoint Address
port.
e) Click Apply.
f) In the Messages box that appears, click Save to commit the changes to the master configuration.
2. Update the OpenPages server activation specifications with the new port number(s) set previously.
a) In the Resources > JMS tree, click the Activation specifications link.
b) In the list on the Activation Specifications page, click NotificationTopic for the server which you
changed the SIB port.
c) Under General Properties, locate the Provider endpoints field in the Destination group.
d) Update the port number in the Provider endpoints field to the new OpenPages SIB port number:
<server_name>:<SIB_ENDPOINT_ADDRESS>:BootstrapBasicMessaging.
e) Click Apply.
f) In the Messages box that appears, click Save to commit the changes to the master configuration.
g) In the list on the Activation Specifications page, click SQNotificationTopic for the server which
you changed the SIB port.
Procedure
1. Log on to the IBM OpenPages GRC Platform admin server associated with the application server for
which you changed ports as a user with administrator privileges.
2. Open an AIX or Linux shell window and navigate to the <OP_Home>|aurora|conf directory where
<OP_Home> represents the installation location of the OpenPages application.
By default, AIX and Linux
/opt/OpenPages
3. Locate the aurora.properties file in the conf directory and open the file in a text editor of your
choice.
a) If you changed the OpenPages application port number (10108) update the port in the following
property:
application.url.path=
b) If you changed the OpenPages bootstrap port number (10101) update the port in the following
property:
url.service.port=
Updating port values in the OpenPages GRC Platform Sosa property file
You can update port values in the -sosa.properties file.
Procedure
1. In the AIX or Linux shell window, remain in the <OP_Home>|aurora|conf directory.
2. Locate the <server_name>-OPNode1Server<#>-sosa.properties file for the application server
for which you changed ports and make a backup copy of the file. File names have the following format:
<server_name>-OPNode1Server<#>-sosa.properties where <server_name> is the name of
the IBM OpenPages GRC Platform application host server.
<#> is the number of the server.
3. Open the selected -sosa.properties in a text editor of your choice and do the following:
a) If you changed the OpenPages GRC Platform application port number (by default, 10108) update
the port in the following property:
application.url.path=
openpages.service.port=
Procedure
1. In the AIX or Linux shell, navigate to the following directory:
<OP_Home>/bin
2. Open the ObjectManager.properties file in a text editor of your choice and do the following:
a) Update the following property with the new OpenPages bootstrap port:
openpages.service.port=
Procedure
1. Go to the <OP_HOME>/bin directory.
2. Open the op-backup-restore-env.sh file in a text editor.
3. Update the following variables:
WAS_ADMIN_USERNAME=admin
WAS_ADMIN_PASSWORD=$admin
For example:
WAS_ADMIN_USERNAME=IBMWASAdmin
WAS_ADMIN_PASSWORD=$IBMWASAdmin
Procedure
1. In the AIX or Linux shell, navigate to the following directory:
<OP_Home>/bin
2. Open the RunTool.sh file in a text editor of your choice and do the following:
If the launchClient.sh command contains the following parameters:
-CCBootstrapHost=<server_name>
-CCBootstrapPort=<openpages_bootstrap_port>
Procedure
1. Log on to a machine with SQL*Plus and access to the database server.
2. Run the following SQL commands to update the port number in the REGISTRY_ENTRIES table:
update registryentries set value='<new_port_number>'
where path='/OpenPages/Platform/Reporting Schema/Object URL Generator/Port';
commit;
where <new_port_number> is the new OpenPages application server port number.
3. When the commands are complete, log out of SQL*Plus.
Procedure
1. Log onto the reporting server as a user with administrator privileges.
2. Open an AIX or Linux shell window and navigate to the <Cognos_Home>|configuration directory
where <Cognos_Home> represents the installation location of the Cognos application.
3. Locate the OpenPagesSecurityProvider_OpenPagesSecurityRealm.properties file and
make a backup copy of the file.
4. Open the OpenPagesSecurityProvider_OpenPagesSecurityRealm.properties file in a text
editor of your choice and do the following:
a) Replace the existing OpenPages GRC Platform application port number (10108) update the
following property with the new OpenPages application port number:
openpages.application.url=
Procedure
1. Log on to the IBM Cognos Reporting Server as the owner of the OpenPages CommandCenter
installation.
<CommandCenter_Home>/wlp/bin
3. In the server.xml file, update the HTTP and HTTPS port and allow a connection to the host from
the remote system. For example:
<op_home>\CommandCenter\wlp\usr\servers\defaultServer
5. Change port="8080" to the port number you want the services to run on.
6. Start the OpenPages Framework Model Generator Service.
Windows:
Right-click the IBMOpenPagesFrameworkModelGenerator service and select Start.
AIX and Linux:
a. Open an AIX or Linux shell as a user with administrative privileges and navigate to the
following directory:
<CommandCenter_Home>/wlp/bin
7. Log on to the OpenPages server as the OS owner of the OpenPages software and stop the services by
using stopAllServers.
8. Go to the <OPENPAGES_HOME> | aurora | conf, where <OPENPAGES_HOME> is the installation
location of the OpenPages software. Typically, the location is C:\OpenPages for Microsoft Windows
servers and /opt/OpenPages for AIX and Linux systems.
9. In the aurora.properties file, change the port number for the following entry to the value that
you set it to in step 5:
cognos.framework.refresh.servlet=http\://reporting-server\:8080/crf-refresher/
In this case, you would change 8080 to the new port number.
What to do next
• Application server names - After OpenPages is installed, the application server name cannot be
changed. Many configuration files, such as aurora.properties, include the application server names
as an embedded string. The name cannot be changed after installation.
• Restart services - After you complete the port changes, restart OpenPages. For details, see Chapter 20,
“Starting and stopping servers,” on page 549.
• Update the reporting schema and Framework - After services are restarted, you must re-create the
reporting schema and regenerate the Reporting Framework. Doing so allows the port change to be
reflected in any redirects of reports. For more information, see “Creating or recreating the reporting
schema” on page 91.
Procedure
1. Start the IBM OpenPages GRC Platform services on the admin application server.
2. Log on to the OpenPages GRC Platform application user interface as a user with administrator
privileges.
3. Change the Object URL Generator settings.
a) From the menu bar, click Administration > Settings.
b) Expand Platform > Reporting Schema > Object URL Generator.
c) Update the Object Generator URL settings, as required, to point to the application server (such as a
test application server). Make sure to click Save after you modify each setting.
4. To update the changed URL setting on the application server, update the reporting schema using one
of the following methods:
• Method 1: Run the following SQL script to incrementally update the reporting schema
(recommended):
a. From a machine with a SQL tool and access to the database server, log on to SQL as the
OpenPages GRC Platform database user (for example, openpages).
b. Run the following SQL statements to update the reporting schema:
begin
OP_RPS_MGR.SET_DETAIL_PAGE_URL_IN_RPS_RT;
end;
/
• Method 2: Re-create the entire reporting schema by using the application user interface. For details,
see the topic "Creating or recreating the reporting schema" in the IBM OpenPages GRC
Administrator's Guide.
Procedure
1. From the menu bar, select Reporting and do one of the following:
• Select OpenPages V6, Audit Reports, Configuration.
• Click All Reports, and navigate to the IBM OpenPages GRC Platform V6 folder (if necessary, click the
plus sign to expand the folder tree). In the folder tree, expand the Audit Reports, Configuration
folders.
Important: In reference to Reporting Framework V6, V6 refers to the latest framework version, not
to any specific OpenPages release number.
2. Click Configuration Audit to run the report.
3. On the Configuration Audit Report page, specify the date range for the reporting data as follows:
a) In the start date box, type a start date or click the calendar arrow and select a start date.
b) In the end date box, type an end date or click the calendar arrow and select an end date.
c) Click Finish to generate the report.
Procedure
1. Open a browser window and log on to the IBM WebSphere Integrated Solutions Console as a user with
administrative privileges.
By default, the URL is http://<host_name>:<port>/ibm/console
Where:
<host_name> is the name of the admin server where IBM WebSphere is installed.
<port> is the admin server port number. By default, the installation port numbers are:
• 9060 for the IBM OpenPages GRC Platform server (OpenPagesCell)
2. Expand Resources then JDBC and click the Data sources link.
3. In the Data sources pane, depending on your server selection, do the following:
For updating this server... Click this link in the Data Sources table...
application CWTxDataSourceXA
4. On the Configuration tab, under the Related Items heading, click the link for JAAS - J2C
authentication data.
5. In the JAAS - J2C authentication data pane, depending on your server selection, do the following:
For updating this server Click this link in the JAAS-J2C authentication
data table
6. In the pane for the selected authentication data table, under the General Properties heading, do the
following:
Updating the application server database password in the Aurora properties file
To change the database password on the IBM OpenPages GRC Platform application servers, one task that
you must do is to edit the Aurora properties file.
Note: This information applies to Windows, AIX and Linux environments.
Procedure
1. Open a command or shell window and navigate to the <OP_Home>|aurora|conf directory.
Procedure
1. Log on to the Cognos server as a user with administrative permissions.
2. Stop the OpenPages Framework Model Generator service.
3. Navigate to the CommandCenter|framework|conf folder.
By default, the path is:
Windows: C:\OpenPages\CommandCenter\framework\conf
AIX and Linux: /opt/OpenPages/CommandCenter/framework/conf
4. Locate the framework.properties file in the conf folder and do the following:
a) Make a backup copy of the file before modifying it.
b) Open the framework.properties file in a text editor of your choice.
c) Locate the following code lines in the file:
op.password=<password value>
op.user=OpenPagesAdministrator (this is the default user)
Procedure
1. Make sure that the following services are running:
• OpenPagesDmgr
• OPNode1
2. Navigate to the <OP_Home>|temp|perlinstall directory.
<OP_Home> in the file path represents the installation location of the OpenPages GRC Platform
application. The default path for a Windows installation is c:\OpenPages. The default path for an AIX
and Linux installation is /opt/OpenPages.
3. Open the install.properties file in a text editor, and do the following.
a) Type the password values for the following properties:
Note: The password values that you type will be in plain text. After all tasks are complete and the
member has been added to the cluster, you will have to manually mask these values with asterisks
(***). For details, see “Masking passwords in the Install property file and Restart Services” on page
493.
• ADMIN_USERNAME= <opadmin_WAS_username>
Note: If IBM WebSphere global security is enabled, update accordingly. Otherwise, leave blank.
• ADMIN_PASSWORD= <opadmin_WAS_password>
Note: If IBM WebSphere global security is enabled, update accordingly. Otherwise, leave blank.
Procedure
1. Open a command or shell window.
2. Change directory to <ORACLE_HOME>|bin as follows:
Windows
cd %ORACLE_HOME%\bin
AIX and Linux
cd $ORACLE_HOME/bin
3. Type the following command to deconfigure the Oracle Enterprise Manager tool:
4. Type the following command to reconfigure the Oracle Enterprise Manager tool:
Procedure
1. Open a browser window and log on to the IBM WebSphere Integrated Solutions Console as a user with
administrative privileges.
By default, the URL is http://<host_name>:<port>/ibm/console
Where:
<host_name> is the name of the admin server where IBM WebSphere is installed.
<port> is the admin server port number. By default, the installation port numbers are:
• 9060 for the IBM OpenPages GRC Platform server (OpenPagesCell)
2. Expand Resources then JDBC and click the Data sources link.
3. In the Data sources pane, depending on your server selection, do the following:
For updating this server... Click this link in the Data Sources table...
application CWTxDataSourceXA
4. On the Configuration tab, under the Related Items heading, click the link for JAAS - J2C
authentication data.
5. In the JAAS - J2C authentication data pane, depending on your server selection, do the following:
For updating this server Click this link in the JAAS-J2C authentication
data table
6. In the pane for the selected authentication data table, under the General Properties heading, do the
following:
a) In the Password box, type the new password.
b) When finished, click Apply.
7. In the Messages box, click Save.
Procedure
1. Stop all IBM OpenPages application services except for the following administrative service:
If changing the reference on this server... Then only this service should be running...
application OpenPagesAdminServer
2. Open a browser window and log on to the Oracle WebLogic Server Administration Console as a user
with administrative privileges.
By default, the URL is http://<host_name>:<port><>/console
Where:
<host_name> is the name of the server where Oracle WebLogic is installed.
<port> is the admin server port number. By default, the installation port numbers are:
• 7001 for the IBM OpenPages server (OpenPagesDomain)
3. In the Change Center pane of the Console, click Lock & Edit (if not already selected).
4. On the Home page, in the Domain Configurations pane, under the heading JDBC, click the Data
Sources link.
5. On the Summary of JDBC Data Sources page, depending on your server selection, do the following
activity:
Table 162: Servers and data source links for Oracle WebLogic
For updating this server... Click this link in the Data Sources table...
jdbc:oracle:thin:@//<host-name>:<port>/<SID>
Where:
– host-name is the name of the database server, such as eng11.
– port is the database port number, such as 1521.
– SID is the Oracle System Identifier, such as OP.
• For IBM DB2 environments, the URL format might look similar to the following example.
jdbc:db2://<host-name>:<port>/<DATABASE_NAME>
Where:
– host-name is the name of the database server, such as eng11.
Procedure
1. Open a browser window and log on to the IBM WebSphere Integrated Solutions Console as a user with
administrative privileges.
By default, the URL is http://<host_name>:<port>/ibm/console
Where:
<host_name> is the name of the admin server where IBM WebSphere is installed.
<port> is the admin server port number. By default, the installation port numbers are:
• 9060 for the IBM OpenPages GRC Platform server (OpenPagesCell)
2. Expand Resources then JDBC and click the Data sources link.
3. In the Data sources pane, depending on your server selection, do the following:
Table 163: Servers and data source links for IBM WebSphere
For updating this server... Click this link in the Data Sources table...
application CWTxDataSourceXA
4. On the Configuration tab in the Data sources > <Data-source-name>, do the following:
a) Navigate to the heading Common and required data source properties.
b) In the URL box, type the new database connection URL.
• For Oracle database environments, the URL format might look similar to the following example.
jdbc:oracle:thin:@//<host-name>:<port>/<SID>
Where:
– host-name is the name of the database server, such as eng11.
– port is the database port number, such as 1521.
– SID is the Oracle System Identifier, such as OP.
• For IBM DB2 environments, the URL format might look similar to the following example.
jdbc:db2://<host-name>:<port>/<DATABASE_NAME>
Where:
– host-name is the name of the database server, such as eng11.
– port is the database port number, such as 50000.
– DATABASE_NAME is the name of the DB2 database, such as OP.
c) For IBM DB2 environments, in the Database name box, type the new database name.
d) Click Apply.
Procedure
1. Open a command or shell window and go to the <OP_Home>|aurora|conf directory.
2. Locate the aurora.properties file in the conf directory and do the following tasks:
a) Make a backup copy of the file before you modify it.
b) Open the file in a text editor of your choice.
c) Search the file for the string ‘database.URL’.
d) Change the value that follows the equal sign to the new database connection URL.
• For Oracle database environments, the URL format might look similar to the following example.
database.URL=jdbc\:oracle\:thin\:@//<host-name>\:<port>/<SID>
Where:
– host-name is the name of the database server, such as eng11.
– port is the database port number, such as 1521.
– SID is the Oracle System Identifier, such as OP.
• For IBM DB2 environments, the URL format might look similar to the following example.
database.URL=jdbc\:db2\://<host-name>\:<port>/<DATABASE_NAME>
Where:
– host-name is the name of the database server, such as eng11.
– port is the database port number, such as 50000.
– DATABASE_NAME is the name of the DB2 database, such as OP.
e) Save your changes and exit the editor.
Oracle only - Modify Database References in the IBM OpenPages Backup and Restore Environment
File
This task applies only to Oracle database environments. You must modify Oracle database references in
the op-backup-restore.env file.
Procedure
1. Open a command or shell window and navigate to the <OP_Home>|aurora|bin directory.
For information about OP_Home, see “Installation locations” on page xxvi.
2. Locate the op-backup-restore.env file in the bin directory and do the following:
a) Make a backup copy of the file before modifying it.
b) Open the file in a text editor of your choice.
Procedure
1. Ensure that both the IBM OpenPages GRC Platform and IBM Cognos servers are running.
2. Open a browser window and log on to the OpenPages GRC Platform application user interface as a
user with administrative permissions.
3. From the navigation bar, select Reporting > Cognos Analytics.
4. Click Manage > Administration Console to launch the IBM Cognos Administration page.
5. In the IBM Cognos Administration window, click the Configuration tab.
6. On the Directory > Cognos page, click the link for the OpenPages DataSource.
7. On the Directory > Cognos > <data-source-name> page, do the following:
a) Under the Actions column, click the Set properties - OpenPages DataSource icon .
b) On the Set properties - OpenPages DataSource page, click the Connection tab.
8. On the Connection tab, do the following:
a) Next to the Connection String box, click the pencil icon.
b) On the OCI tab, on the Edit the connection string - Oracle page, edit the SID value in the
SQL*Net connect string field.
c) On the JDBC tab, edit the values in the Server name, Port number, and Oracle Service ID boxes.
Modifying the Oracle database reference in the Cognos backup and restore environment file
You must modify Oracle database references in the Cognos backup and restore environment file. This task
applies only to Oracle database environments.
Procedure
1. Open a command or shell window and go to the <CC_Home>|tools|bin directory.
2. Locate the op-cc-backup-restore.env file in the bin directory and do the following tasks:
a) Make a backup copy of the file before you modify it.
b) Open the file in a text editor of your choice.
c) Search the file for the string DB_ALIAS.
d) Change the value that follows the equal sign to the new Cognos database alias. The format might
look similar to the following example:
Example
DB_ALIAS=OP
What to do next
After the values are updated, you will need to restart all administrative and managed servers to effect the
changes.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
Note: For AIX and Linux installs, log on as a non-root user.
2. Start the IBM Cognos Configuration tool as follows:
a) Open a Command Prompt window (using the Run as Administrator option), or AIX or Linux shell
and navigate to the <Cognos_Home>|bin64 directory.
b) Execute one of the following commands to open the tool:
Windows:
cogconfig.bat
AIX and Linux:
./cogconfig.sh
3. In the Explorer pane, do the following:
a) Expand Data Access (if not already expanded).
b) Under Content Manager, click Content store.
4. In the properties pane, modify the values for the following properties:
a) Database server and port number (for example, eng11:1527).
b) User ID and password
What to do next
When finished modifying the database reference values in the files, restart the Cognos server to effect the
changes.
See “Starting and stopping the Cognos services” on page 560 for details.
Procedure
1. In the <OP_Home>|aurora|conf directory, do the following:
<OP_Home> in the file path represents the installation location of the IBM OpenPages GRC Platform
application. The default path for a Windows installation is c:\OpenPages. The default path for an AIX
and Linux installation is /opt/OpenPages.
a) Create a copy of the following property file:
<server_name>-OPNode1Server1-sosa.properties
b) Rename the copy of the file to:
<server_name>-OPNode1Server<server#>-sosa.properties
2. Open the renamed file in a text editor and update the parameter values for the following properties:
• openpages.service.port= <OpenPages_bootstrap_port#>
• application.url.path= http\://<server_name>
\:<OpenPages_default_server_port#>/openpages
3. When finished, save the file.
Procedure
1. Navigate to the <OP_Home>|bin directory.
<OP_Home> in the file path represents the installation location of the IBM OpenPages GRC Platform
application. The default path for a Windows installation is c:\OpenPages. The default path for an AIX
and Linux installation is /opt/OpenPages.
AIX and Linux only: do steps “2” on page 491-“4” on page 492.
2. Open the stopAllServers.sh script in a text editor.
if "%IS_SECURED_MODE%" == "true" (
call %WAS_HOME%\bin\stopServer.bat OP-OPNode1Server1
-user %ADMIN_USERNAME% -password %ADMIN_PASSWORD%
) else (
call %WAS_HOME%\bin\stopServer.bat OP-OPNode1Server1
)
7. Copy that code after the existing and change the value to match the server number.
For example:
if "%IS_SECURED_MODE%" == "true" (
call %WAS_HOME%\bin\stopServer.bat OP-OPNode1Server2
-user %ADMIN_USERNAME% -password %ADMIN_PASSWORD%
) else (
call %WAS_HOME%\bin\stopServer.bat OP-OPNode1Server2
)
Procedure
1. Navigate to the <OP_Home>|bin directory.
<OP_Home> in the file path represents the installation location of the IBM OpenPages GRC Platform
application. The default path for a Windows installation is c:\OpenPages. The default path for an AIX
and Linux installation is /opt/OpenPages.
AIX and Linux only: do steps “2” on page 492-“4” on page 492.
2. Open the startAllServers.sh script in a text editor.
3. After the line of startServer.sh code for the highest numbered OPNode1Server# managed server
instance in the file, do the following.
a) Add the following line of code:
$WAS_HOME/bin/startServer.sh <server_name>-OPNode1Server<server#>
b) Update the parameter values in the line that you added.
4. When finished, save the file.
Windows only: do steps “5” on page 492-“8” on page 493.
5. Open the startAllServers.cmd script in a text editor.
6. Locate the code to start the <server_name>-OPNode1Server1 server.
For example:
if "%IS_SECURED_MODE%" == "true" (
call %WAS_HOME%\bin\startServer.bat OP-OPNode1Server1
-user %ADMIN_USERNAME% -password %ADMIN_PASSWORD%
) else (
7. Copy that code after the existing and change the value to match the server number.
For example:
if "%IS_SECURED_MODE%" == "true" (
call %WAS_HOME%\bin\startServer.bat OP-OPNode1Server2
-user %ADMIN_USERNAME% -password %ADMIN_PASSWORD%
) else (
call %WAS_HOME%\bin\startServer.bat OP-OPNode1Server2
)
Procedure
1. Navigate to the following directory:
<OP_Home>|temp|perlinstall
<OP_Home> in the file path represents the installation location of the OpenPages GRC Platform
application. The default path for a Windows installation is c:\OpenPages. The default path for an AIX
and Linux installation is /opt/OpenPages.
2. In the <OP_Home>|bin directory, open the updateOPPatch.pl script in a text editor.
3. Change the $DMGR_HOST= value to the name of the application server.
Example: $DMGR_HOST="aix_OP_Host"
4. Save and close the file.
5. At a shell prompt, run the updateOPPatch.pl perl script on a single line to update the OpenPages
GRC Platform server as follows:
perl updateOPPatch.pl <server_name>-OPNode1
<server_name>-OPNode1Server<server#>
Procedure
1. Navigate to the <OP_Home>|temp|perlinstall directory.
<OP_Home> in the file path represents the installation location of the IBM OpenPages GRC Platform
application. The default path for a Windows installation is c:\OpenPages. The default path for an AIX
and Linux installation is /opt/OpenPages.
2. Open the install.properties file in a text editor.
3. Use asterisks (***) to overwrite the plain text password values for the following properties. The
overwritten password values will look similar to the following:
• ADMIN_PASSWORD= *****
Procedure
Open a browser window, and enter the following URL:
https://<server_name>:<ssl_port>/openpages
Where <server_name> is the name of the server machine hosting the OpenPages GRC Platform
application, and <ssl_port> is the SSL port number that is associated with the application server.
For example:
https://server01.com:10111/openpages
Procedure
1. Log on to cluster administrator server as a user with administrative privileges.
2. Go to the IBM WebSphere Integrated Solutions Console:
For example, http://<server_name>:<port>/ibm/console .
3. Log on to the IBM WebSphere Integrated Solutions Console with an administrator account.
4. Expand the tree for Servers | Server Types | WebSphere Application servers.
5. In the Application servers list, click on the name of the server to be configured.
6. Under Container Settings, click Web Container Settings | Web Container Transport Chains.
Procedure
1. Log on to the cluster administration server.
2. In the IBM WebSphere Integrated Solutions Console, expand the tree for Environment | Virtual
Hosts.
3. Select default_host.
4. On the Host Aliases page, check that the SSL ports are added by the OpenPages GRC Platform
Installer.
For example, if the OpenPages application SSL ports are not listed, add port 10111 for the OpenPages
application.
Note: The OpenPages default port is 9060.
5. If any SSL ports are missing, click New.
6. On the Configuration page, enter the port number in the Port field. Optionally, enter a name in the
Host Name field.
7. Click OK.
8. On the Host Aliases page, click Save.
Verifying the SSL protocol before you deploy a new non-administrative server
Before you can deploy a new non-administrative application server to a horizontal cluster, you must
ensure that the SSL protocol is set correctly. You must verify the SSL protocol for the OpenPages
application server.
For example, if you are using either the TLSv1.1 or TLSv1.2 protocols, the deployment will fail.
After you complete the configuration, you can change the SSL protocol back to your original selection.
But, you cannot use TLSv1.1 or TLSv1.2 during the deployment of the new server.
Procedure
1. Go to the IBM WebSphere Integrated Solutions Console for the OpenPages Deployment Manager
server:
For example, http://<server_name>:<port>/ibm/console
Where <server_name> is the name of the application server and <port> is the WebSphere port that
is assigned during the WebSphere installation. The default port value is 9060.
2. Log on to the IBM WebSphere Integrated Solutions Console with an administrator account.
3. Expand Security, and select SSL certificate and key management.
4. In the Related Items list, click SSL configurations.
5. Click CellDefaultSSLSettings.
6. In the Additional Properties list, click Quality of protection (QoP) settings.
7. In the Protocol box, ensure that you have an option other than TLSv1.1 or TLSv1.2 selected.
Procedure
1. Log on to the cluster administrator server by using the appropriate port value in the URL: http://
<server_name>:<port>/ibm/console.
2. In the IBM WebSphere Integrated Solutions Console, expand the tree for Security | SSL certificate
and key management.
3. On the SSL certificate and key management page, in the Related Items list, click Key stores and
certificates.
4. On the SSL Certificates and key management page, click New.
5. On the Key store and certificates page, use the following table to select or enter the appropriate
values:
6. Click Apply.
Procedure
1. Log on to the cluster administrator server.
2. In the IBM WebSphere Integrated Solutions Console, open the Key store and certificates page.
3. Select the opkeystore.
4. In the Additional Properties list, click Personal certificate requests to create a certificate request.
The list becomes active after clicking Apply.
5. On the Personal certificates requests page, click New.
Enter the following values:
• Name - Enter a name for the certificate request, such as ServerCertificateRequest.csr
• Key label - Enter a label for the certificate, such as the server name.
• Common name - Enter a name for the certificate and any other identifying information.
Note: The common name is the fully qualified domain name.
6. Click Apply and OK.
7. Click Save.
8. Repeat steps 5 to 7 for each secondary application server.
Procedure
1. In the IBM WebSphere Integrated Solutions Console, open the SSL certificate and key management
page.
2. Select the Certificate Signing Request you created and click Extract.
3. Enter a name for the file where the extracted certificate request is to be placed.
On UNIX, the file is created in <OP_Home>/profiles/OpenPagesDmgr/etc/ unless you enter a
specific path.
On Windows, the file is create in <OP_Home>\profiles\OpenPagesDmgr\etc\ unless you enter a
specific path.
4. Follow the instructions to submit your Certificate Signing Request file to an appropriate Certification
Authority.
5. Download the approved root and Certificate Authority certificates to a local directory.
6. Check that the certificates are named to distinguish the root from the Certificate Authority certificate.
7. Repeat steps 2 to 6 for each secondary application server.
Procedure
1. Log on to each IBM OpenPages GRC Platform server as a user with administrative privilege.
2. Start a web browser and go to the IBM WebSphere Integrated Solutions Console.
For example: http://<server_name>:<port>/ibm/console.
3. Log on to the IBM WebSphere Integrated Solutions Console with an administrator account.
4. Expand the tree for Security | SSL certificate and key management.
5. On the SSL certificate and key management page, in the Related Items list, click Key stores and
certificates.
6. In the list of keystores and certificates, click the keystore you want to configure.
7. Under Additional Properties, select Signer certificates.
8. On the Signer Certificate page, click Add.
9. On the General Properties page, enter the following values:
• Alias. Enter the name used to identify the Root CA certificate in the keystore.
• File name. Enter the full path to the Root CA certificate.
• Data type. Select Base64-encoded ASCII data from the list.
10. Click Apply and OK.
11. Click Save.
12. To import server certificates to the keystore, under Additional Properties, select Personal
Certificates.
13. Click [Receive Certificate from CA].
14. On the General Properties page, enter the following values:
a) File name. Enter the full path to the server certificate.
b) Data type. Select Base64-encoded ASCII data from the list.
15. Click Apply and OK.
16. Click Save.
17. Repeat steps 13 to 16 for each secondary application server.
Procedure
1. Log on to each IBM OpenPages GRC Platform server as a user with administrative privileges.
2. Start an AIX or Linux shell or Windows command prompt.
3. Go to the <WebSphere_Home>|java|jre|lib|security directory.
4. Type the following Keytool command to import the root certificate.
What to do next
If you are using self-signed certificates for OpenPages and Cognos that are not issued by a known CA, you
must import the self-signed root certificate from any Cognos server connected to the current OpenPages
server. Use the following Java keytool command to import the certificates into the <OP_Home>|jre|
lib|security directory.
keytool -import -alias certificate_name -trustcacerts -file file_name -keystore
keystore_name
Procedure
1. On any system that accesses the OpenPages environment, open a web browser.
2. Click Tools, then Internet Options.
3. Click the Content tab, and then click Certificates.
4. To start the Certificate Import Wizard, click the Trusted Root Certification Authority tab, and then
click Import.
5. On the Certificate Import Wizard Welcome page, click Next.
6. On the File to Import page, enter the path to the root certificate. For example, C:\OP_Home
\profiles\OpenPagesDmgr\etc\root-certificate.cer.
7. On the Certificates Store page, select Place all certificates in the following store. Ensure that
Trusted Root Certification Authorities is selected.
8. On the Completing the Certificate Import Wizard page, review the settings, and click Finish.
9. If you are required to install an authenticated certification authority certificate, follow these steps:
a) Click the Intermediate Certification Authority tab.
b) Click Import to start the Certification Import Wizard.
c) Repeat steps 5 - 8 to ensure that Intermediate Certification Authorities is selected on the
Certificate Store page.
10. After you receive the certification authority certificate, follow these steps:
a) Click the Trusted Publishers tab.
b) To start the Certification Import Wizard, click Import.
c) Repeat steps 5 - 8 to ensure that Trusted Publishers is selected on the Certificate Store page.
Procedure
1. Log on to each IBM OpenPages GRC Platform server as a user with administrative privileges.
2. Open a command prompt window by using the Run as Administrator option.
3. Go to the <OP_Home>\aurora\conf directory.
4. Open the aurora.properties properties file in a text editor.
a) Edit the following lines to change http to https and update the port number.
application.url.path=http\://<server_name>\:<port>/openpages
cognos.server=http\://<server_name>\:<port>/ibmcognos/cgi-bin/cognos.cgi
logout.url.cognos=http\://<server_name>\:<port>/ibmcognos/cgi-bin
cognos.cgi?b_action\=xts.run&m\=portal/logoff.xts&h_CAM_action\=logoff
For example, in a load balanced environment, the application.url.path value is the fully
qualified domain name of the load balancer and port.
b) Save and close the file.
5. Open each server_name-OPNode1Server#-sosa.properties file in a text editor.
a) Edit the following lines to change http to https and update the port number.
application.url.path= http://<server>:\<port>/openpages
Note: In a load-balanced environment, this value is the fully qualified domain name of the load
balancer and port.
b) Save and close the file.
6. Open each server_name-OPNode#Server#-server.properties in a text editor.
a) Edit the following lines to change the http to https and update the port number.
url.path.openpages=http\://<server>:<port>/openpages
webclient.http.server.protocol=http
webclient.http.server.port=<port>
Procedure
1. Open a browser window and log on to the IBM WebSphere Integrated Solutions Console as a server
administrator.
The default URL is http://<server_name>:<port>/ibm/console.
2. In the Integrated Solutions Console:
a) Expand Servers | Server Types
b) Click the WebSphere Application Server in the list.
3. In the list on the Application servers page, click the name of the application server you want to
configure.
Procedure
1. Log on to each IBM OpenPages GRC Platform server as a user with administrative privileges.
2. Open the <WebSphere_Java_Home>/jre/lib/security/java.security file in a text editor.
3. Locate ssl.SocketFactory.provider and ssl.ServerSocketFactory.provider properties.
4. Comment out WebSphere socket factories, and uncomment the default JSSE socket factories as
follows:
Procedure
1. Log on to each Cognos Analytics server as a user with administrative privileges.
2. Start the Microsoft Management Console.
a) Click the Windows Start menu.
b) Type mmc in the Search Programs and Files field and press Enter.
3. In the MMC dialog box, click File > Add/Remove Snap-Ins.
4. In the Available snap-ins list, double-click Certificates.
5. In the Certificates Snap-ins dialog box, select Computer account, and then click Next.
6. In the Select Computer dialog box, select Local Computer, and then click Finish.
7. Click OK to close the dialog box.
Procedure
1. Log on to the primary reporting server as a user with administrative privileges.
2. In the Microsoft Management Console dialog box on the reporting server, expand the Certificates and
select Personal.
3. In the Actions panel, right-click the Certificates icon and select All Tasks > Advanced Options >
Create Custom Request.
4. In the Certificate Enrollment dialog box, click Next.
5. On the Select Certificate Enrollment Policy pane, select Proceed without enrollment policy, and
click Next
6. On the Custom request pane, accept the default values of CNG key and PKCS#10, and click Next.
7. In the Certificate Information pane, click the Details icon, and click Properties.
8. In the Certificate Properties dialog box, click the Subject tab to supply details for the certificate's
Distinguished Name.
9. To specify at a common name and organization value.
a) In the Type list, select Common Name, and enter a value for the certificate common name, and
click Add.
b) Select Organization in the Type list and enter a value for the certificate common name, and click
Add.
10. Click the Private Key tab and then:
a) Click the arrow next to Key Options, and select Make private key exportable.
b) Click the arrow next to Select Hash Algorithm, select sha1 from the Hash Algorithm list, and
click OK.
11. In the Certificate Information pane, click Next.
12. In the Certificate Enrollment pane:
a) Click Browse and in the Save as dialog box, enter a name for the certificate request file in the File
name field. Use a .csr extension.
b) From the Save as type list, select All Files, and then click Save.
13. Click Finish.
14. Close the Microsoft Management Console.
Procedure
1. Download the approved root and server certificates to a local directory, such as the
OpenPagesDomain directory.
2. Check that the certificates are named to distinguish the root from the server certificate.
3. Follow the instructions provided by the Certificate Authority.
Procedure
1. Log on to each Cognos server as a user with administrative privileges.
2. Start the Microsoft Management Console (MMC).
What to do next
If you are using self-signed certificates for OpenPages GRC Platform and Cognos, that are not issued by a
known Certificate Authority, you must import the OpenPages GRC Platform signed root certificate from
any OpenPages server connected to the current Cognos server. Use the following Java keytool command
to import the certificates into the <Cognos_Home>\analytics\jre\8.0\lib\security directory.
Procedure
1. On the Cognos server, open the Windows Internet Information Services Manager, by clicking the Start
menu, then selecting Administrative Tools > Internet Information Services Manager.
2. Expand the folder structure for the server you want to configure and select Sites.
3. In the Sites pane, select the website to configure.
4. In the Action panel, select Bindings.
5. In the Site Bindings dialog box, select HTTPS and click Edit.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
Note: For AIX and Linux installs, log in as a non-root user, such as the opuser user that you created for
the IBM OpenPages GRC Platform installation.
2. Open an AIX or Linux shell, or Windows command prompt.
Procedure
1. Download the approved root and server certificates to a local directory, such as the
OpenPagesDomain directory.
2. Check that the certificates are named to distinguish the root from the server certificate.
3. Follow the instructions provided by the Certificate Authority.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
Note: Log on as a non-root user, such as the opuser user you created for the IBM OpenPages GRC
Platform installation.
2. Go to the <Apache_Home>/conf/extra directory.
3. Open the httpd-ssl.conf file in a text editor.
4. Under Server Certificate, uncomment the SSLCertificateFile parameter, and enter the path to the PEM
encoded certificate.
5. Under Server Private Key, uncomment the SSLCertificateKeyFile parameter, and enter the path to the
keyfile on this server.
6. Under Certificate Authority (CA), uncomment the SSLCACertificateFile parameter, and enter the path
to the root certificate.
7. Save and close the file.
What to do next
If you are using self-signed certificates for OpenPages and Cognos that are not issued by a known
Certificate Authority, you must import the OpenPages self-signed root certificate from any OpenPages
<Cognos_Home>\analytics\jre\8.0\lib\security
keytool
-import -alias certificate_name -trustcacerts -file file_name
-keystore keystore_name
Procedure
1. Log on to the reporting server as a user with administrative privileges.
Note: Log on as a non-root user, such as the opuser user you created for the IBM OpenPages GRC
Platform installation.
2. Go to the <Apache_Home>/conf/extra directory.
3. Open the httpd-ssl.conf file in a text editor.
4. Under Server Certificate, uncomment the SSLCertificateFile parameter, and enter the path to the PEM
encoded certificate.
5. Under Server Private Key, uncomment the SSLCertificateKeyFile parameter, and enter the path to the
keyfile on this server.
6. Under Certificate Authority (CA), uncomment the SSLCACertificateFile parameter, and enter the path
to the root certificate.
Procedure
1. Log on to the Cognos server as a user with administrative privileges.
Note: For AIX and Linux, you log on as a non-root user, such as the opuser user you created for the
OpenPages GRC Platform installation.
2. On Windows computers, start a Command Prompt using the Run as Administrator option, or on a AIX
or Linux computer open an AIX or Linux shell.
3. Go to the following directory.
• Windows: <Cognos_Home>\configuration
• AIX and Linux:<Cognos_Home>/configuration
4. Open the OpenPagesSecurityProvider_OpenPagesSecurityRealm.properties in a text
editor.
5. Edit the openpages.application.url value, replacing http with https and changing the <port> to the
SSL port.
Procedure
1. Log on to the load balance server as a user with administrative privileges.
2. Start iKeyman by running the following command:
IHS_root/bin/ikeyman
Where IHS_root is the location of the IHS.
The default location is IHS_root is /usr/IBM/HTTPServer/.
3. Create the keystore file to store the key pair.
a) Select Key Database File > New.
b) In the dialog box that displays, select CMS from the Key database type list.
c) In the File Name field, enter a file name for the new key database file.
d) In the Location field, enter the location where you want to store the keystore file, and click OK
For example: usr/IBM/HTTPServer/bin.
e) In the Password Prompt dialog box that displays, enter a password for the keystore. Re-enter the
password.
f) In iKeyman, select Stash password to file to create a .sth file. This file encrypts and stores the
keystore password which is assigned an expiration time. You must change the password
periodically.
g) Click OK.
Procedure
1. Log on to the load balance server as a user with administrative privileges.
2. Start iKeyman by running the following command: IHS_root/bin/ikeyman
Where IHS_root is the location of the IBM HTTP Server installation. The default location is /usr/IBM/
HTTPServer/.
3. In the iKeyman tool, open the keystore created in Step 2.
a) Select Key Database File > Open.
b) Specify the type of keystore. The default type is CMS.
c) In the File Name and Location fields, enter the name and path to the keystore. You can also click
Browse to locate the keystore, and click OK.
d) In the Password Prompt dialog box, enter the password for the keystore, and click OK.
4. Generate the certificate request for the open keystore.
a) Select Create > New Certificate Request.
b) In the Create New Key and Certificate Request dialog box, in the Key Label field, provide an
identifier for the certificate.
Importing the Root and Signed Server Certificates using the iKeyman tool
You must install a signed certificate from a third-party certificate authority or self-signed certificates in
both the keystore created and the keystore used by IBM HTTP Server. You must install a server certificate
into the keystore created.
Procedure
1. Log on to the load balance server as a user with administrative privileges.
2. Start iKeyman by running the following command: IHS_root/bin/ikeyman
Where IHS_root is the location of the IHS. The default location is/usr/IBM/HTTPServer/.
3. In the iKeyman tool, open the keystore you created in Step 2.
a) Select Key Database File > Open.
b) Specify the type of keystore, by default CMS.
c) In the File Name and Location fields, enter the name and path to the keystore.
d) In the Password Prompt dialog box, enter the password for the keystore.
4. Import the signed CA certificate.
a) In the Key database content list, select Signer Certificates, and click Add.
b) In the Open window, in the File Name and Location fields, enter the name and path to the
keystore.
c) In the Enter a Label dialog box that displays, in the Enter a label for the certificate field, enter a
name for the certificate.
5. Select Key Database File > Close.
6. In the iKeyman tool, open the plugin-key.kdb keystore.
a) Select Key Database File > Open.
b) Specify the type of keystore. The default type is CMS.
c) In the File Name and Location fields, enter the name and path to the keystore.
The default directory for the plugin-key.kdb keystore is <IHS root>/Plugins/config/
server_name/plugin-key.kdb, and click OK.
d) In the Password Prompt dialog box, enter the password for the keystore. The default password
is WebAS, and click OK.
7. Select Signer Certificates in the Key database content list, and click Add.
8. In the Add CA's Certificate from a file window, enter the following information.
Procedure
1. On Windows computers, start a Command Prompt window by using the Run as Administrator option,
or on AIX or Linux computers, open an AIX or Linux shell.
2. Go to the IHS root/conf directory.
3. Open the httpd.conf file using a text editor.
a) Uncomment the following in the file.
LoadModule was_app22_module modules/mod_was_ap22_http.so
LoadModule negotiation_module module8s/mod_negotiation.so
b) Uncomment the following lines in the file and add any missing lines.
Listen 443
<VirtualHost *:443>
ServerName <server_name>
SSLEnable
SSLProtocolDisable SSLv2
SSLClientAuth None
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
SSLDisable
KeyFile <IHS_root>/<keystore_name>.kdb
c) Add the following line to point to the WebSphere plug-in Configuration.
WebSpherePluginConfig
<IHS root>/Plugins/config/<server_name>/plugin-cfg.xml
d) Save and close the file.
4. To apply the changes, restart the IBM HTTP Server.
Generating a key pair and request with an Apache load balancer server
If you are using Apache as your load balancer server, you must generate a key pair and specify the
keystore.
Procedure
1. Log on to the load-balancing server as a non-root user with administrative privileges.
2. Start a Command Prompt window by using the Run as Administrator option.
3. Go to the \bin directory in the web server home directory to use as the keystore.
4. To generate a certificate request, enter the following command :
Submitting a Certificate Signing Request to a Certificate Authority for an Apache load balancer
server
Submit the Certificate Signing Request file for an Apache load balancer server to an appropriate
Certification Authority (CA) for approval.
Procedure
1. Download the approved root and server certificates to a local directory, such as the
OpenPagesDomain directory.
2. Check that the certificates are named to distinguish the root from the server certificate.
3. Follow the instructions provided by the Certificate Authority.
Procedure
1. Log on to the load-balancing server as a non-root user with administrative privileges.
2. Start a Command Prompt window by using the Run as Administrator option.
3. Go to the <Apache_Home>/conf/extra directory.
4. Open the httpd-ssl.conf file in a text editor.
5. Under Server Certificate, uncomment the SSLCertificateFile parameter, and enter the path to the PEM
encoded certificate.
6. Under Server Private Key, uncomment the SSLCertificateKeyFile parameter, and enter the path to the
key file on this server.
7. Under Certificate Authority (CA), uncomment the SSLCACertificateFile parameter, and enter the path
to the root certificate.
8. Save and close the file.
Procedure
1. Log on to load-balancing web server as a user with administrative privileges.
2. Stop the Apache web Server.
3. Start a Command Prompt window by using the Run as Administrator option.
4. Copy the WL_Home\server\plugin\win\32\mod_wl_22.so file to the Apache_Home\modules
directory.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
2. Start iKeyman by running the following command:
IHS_root/bin/ikeyman
Where IHS_root is the location of the IHS.
The default location is IHS_root is /usr/IBM/HTTPServer/.
3. Create the keystore file to store the key pair.
a) Select Key Database File > New.
b) In the dialog box that displays, select CMS from the Key database type list.
c) In the File Name field, enter a file name for the new key database file.
d) In the Location field, enter the location where you want to store the keystore file, and click OK
For example: usr/IBM/HTTPServer/bin.
e) In the Password Prompt dialog box that displays, enter a password for the keystore. Re-enter the
password.
f) In iKeyman, select Stash password to file to create a .sth file. This file encrypts and stores the
keystore password which is assigned an expiration time. You must change the password
periodically.
g) Click OK.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
2. Start iKeyman by running the following command: IHS_root/bin/ikeyman
Where IHS_root is the location of the IBM HTTP Server installation. The default location is /usr/IBM/
HTTPServer/.
Downloading and importing the root and signed server certificates using the iKeyman tool
You must install a signed certificate from a third-party Certificate Authority or self-signed certificates in
both the keystore created and the keystore used by IBM HTTP Server. You must install a server certificate
into the keystore created.
Procedure
1. Follow the instructions provided by the Certificate Authority to download the root and signed server
certificates.
2. Download the approved root and Certificate Authority certificates to a local directory.
3. Check that the certificates are named to distinguish the root from the Certificate Authority certificate.
4. Log on to the reporting server as a user with administrative privileges.
5. Start iKeyman by running the following command: IHS_root/bin/ikeyman
Where IHS_root is the location of the IHS. The default location is/usr/IBM/HTTPServer/.
6. In the iKeyman tool, open the keystore you created for Cognos.
a) Select Key Database File > Open.
b) Specify the type of keystore, by default CMS.
c) In the File Name and Location fields, enter the name and path to the keystore.
d) In the Password Prompt dialog box, enter the password for the keystore.
7. Import the root certificate.
a) In the Key database content list, select Signer Certificates, and click Add.
b) In the Open window, in the File Name and Location fields, enter the name and path to the root
certificate file.
Procedure
1. On Windows computers, start a Command Prompt window by using the Run as Administrator option,
or on AIX® or Linux computers, open an AIX or Linux shell.
2. Go to the IHS root/conf directory.
3. Open the httpd.conf file using a text editor.
a) Uncomment the following in the file.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
KeyFile /home/opuser/IBM/HTTPServer/<yourkeystore.kdb>
SSLDisable
b) Save and close the file.
Note: You must also replace <yourkeystore.kdb> with your keystore file and replace port 443 with your
SSL port for IBM HTTP Server.
4. To apply the changes, restart the IBM HTTP Server.
Procedure
1. Stop all OpenPages GRC Platform services.
2. Open and edit the <OP_Home>/aurora/conf/aurora_auth.config file in a text editor.
Where:
<OP_Home> is the installation location of the OpenPages GRC Platform application.
3. Find the Openpages module and change its name to OpenpagesDefault.
base.dn="DC=LDAPTesting,DC=local;CN=Users,DC=LDAPTesting,DC=local;
OU=Auditors,OU=External Auditors,OU=Staff,DC=LDAPTesting,DC=local"
user.attr.id
The attribute name of the user identifier (for example, uid, cn, etc.).
Additional custom parameters
You can add additional custom parameters that are supported by the Java Naming and Directory
Interface (JNDI). Precede a JNDI property with the ctx.env. prefix.
For example, if you want to use the JNDI property com.sun.jndi.ldap.connect.timeout,
use ctx.env.com.sun.jndi.ldap.connect.timeout="<value>" in the
aurora_auth.config file.
For information about JNDI properties, see the Java SE documentation (http://docs.oracle.com/
javase/7/docs/technotes/guides/jndi/jndi-ldap.html#JNDIPROPS).
For example:
Openpages
{
com.openpages.aurora.service.security.namespace.LDAPLoginModule
required debug=false
provider.url="ldaps://myserver.company.com:636"
security.authentication="simple"
security.search.user.dn="cn=Directory Manager"
security.search.user.credentials="openpages"
base.dn="ou=people,o=IBM,c=US"
user.attr.id="uid"
;
};
6. When you are finished editing the file, save your changes and exit.
7. Import the root certificate and any intermediate signer certificates for your LDAP server to the trust
store on the IBM WebSphere Application Server that you are using for OpenPages.
For more information, see “Importing root and signer certificates to the local trust store ” on page 513.
8. Restart all services.
Results
You have configured the OpenPages GRC Platform system to use an external LDAP user authentication
server over SSL.
Procedure
1. Generate a key pair and request.
a) Log on to the reporting server as a user with administrative privileges.
b) Launch the Windows Internet Information Services Manager, by clicking the Start menu, then
selecting Administrative Tools | Internet Information Services Manager.
c) In the Internet Information Services Manager, select the application server you want to configure.
d) In the Features view, double-click Server Certificates.
e) In the Actions pane, click Create Certificate Request to launch the Request Certificate Wizard.
f) On the Distinguished Name Properties screen of the wizard:
Table 167: .
In this text box Do this
g) Click Next.
h) On the Cryptographic Service Provider Properties screen, select a cryptographic service provider
from the list:
• Microsoft RSA SChannel Cryptographic Provider
• Microsoft DH SChannel Cryptographic Provider
By default, IIS 7 uses the Microsoft RSA SChannel Cryptographic Provider.
i) On the Cryptographic Service Provider Properties screen, select a bit length that can be used by
the provider from the Bit length drop-down list.
By default, the RSA SChannel provider uses a bit length of 1024. The DH SChannel provider uses a
bit length of 512. A longer bit length is more secure, but it can affect performance.
j) Click Next.
k) On the File Name page, in the Specify a file name for the certificate request field, use the Browse
icon or type a name for the certificate file.
l) Click Finish.
2. Submit the Certificate Signing Request (CSR) to Certification Authority (CA) for approval.
Results
At this point, the IIS web server has been fully configured for IIS. Next, you must configure Cognos to use
the IBM OpenPages GRC Platform HTTPS address and SSL port.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
Note: Log in as a non-root user, such as the user you created for the IBM OpenPages GRC Platform
installation, for example: opuser.
2. Perform the following tasks to renew your certificate(s):
a) Generate a key pair and request.
b) Submit CSR to CA for approval.
c) Apache uses OpenSSL which requires the server keys and certificate locations be updated in
extras/httpd-ssl.conf.
For more information, see “SSL configuration for Apache Web Server” on page 504.
Procedure
1. Log on to cluster administrator server as a user with administrative privileges.
2. Create the certificate request.
a) Navigate to the IBM WebSphere Integrated Solutions Console:
http://<server_name>:<port>/ibm/console
Procedure
1. If the global search component is enabled, you must disable it.
a) Log on to OpenPages as a user with administrative privileges.
b) Click Administration > Global Search.
c) Click Disable.
2. Stop the global search services.
For more information, see “Start or stop the global search services” on page 553.
3. Create a certificate for the secure connection.
a) Go to the <SEARCH_HOME>/solr/server/etc folder and run the following command.
In the following example, the command creates a self-signed certificate in a key store named
solr-ssl.keystore.jks. The key store contains a key with an alias of solr-ssl, a key store
password of secret, a trust store password of secret. It specifies Subject Alternative Name
(SAN) values of DNS:host1.companya.com and IP:127.0.0.1,192.168.7.1 to include in
the certificate. (SAN values are not mandatory, and might not be specified in your environment).
When prompted, type a destination key store password, and the source key store password that
you specified in the step 3a.
c) Convert the PKCS12 format key store, including the certificate and the key, into PEM format.
To run this command, openssl must be installed, and added to the PATH environment variable.
When you are prompted for the import password and PEM pass phrase, you can use the same
password that you specified for the <key_pass> value in step 3a.
When you are prompted for the key store password, type the password that you specified for the
<key_pass> value in step 3a.
5. Update the solr.in file.
a) Edit the following file in a text editor:
<SEARCH_HOME>\solr\bin\solr.in.cmd (on Windows)
<SEARCH_HOME>/solr/bin/solr.in.sh (on UNIX)
b) Uncomment and set the following SSL properties.
SOLR_SSL_KEY_STORE=etc/jks_keystore
SOLR_SSL_KEY_STORE_PASSWORD=keystore_passwd
SOLR_SSL_TRUST_STORE=etc/jks_keystore
SOLR_SSL_TRUST_STORE_PASSWORD=keystore_passwd
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=true
On Windows, you might need to use server/etc as the path name for the
SOLR_SSL_KEY_STORE and SOLR_SSL_TRUST_STORE properties.
6. Log in to the OpenPages application as a user with administrative privileges. Update the following
settings to use https instead of http.
Administration > Settings > Platform > Search > Admin > Search Server Administration URL
Administration > Settings > Platform > Search > Index > Search Server URL
Administration > Settings > Platform > Search > Request > Search Server URL
7. Copy the certificate file that you exported to the following folder on the application server.
<WAS_HOME>/AppServer/Java/8.0/jre/lib/security
8. Add the certificate to the IBM JRE key store file.
a) Open a Windows command prompt by using the Run as Administrator option, or open a UNIX
shell with administrative privileges.
b) Back up the <WAS_HOME>/WebSphere/AppServer/Java/8.0/jre/lib/security/cacerts
file.
c) Go to <WAS_HOME>/WebSphere/AppServer/Java/8.0/jre/lib/security folder and run
the following command.
When prompted, type the key store password of the cacerts key store. The default password is
typically changeit.
d) Confirm that you want to trust the certificate.
e) Restart all OpenPages services.
9. Import the certificate to the IBM WebSphere trust store.
a) Log on to the WebSphere Integrated Solutions Console.
http://<server_name>:<port>/ibm/console
The default port is 9060.
b) Click Security > SSL certificate and key management > Key stores and certificates >
CellDefaultTrustStore > Signer certificates.
c) Click Add.
d) Update the following fields:
c) When prompted, type the key store password of the cacerts key store. The default password is
typically changeit.
12. Continue with the post installation or post upgrade steps for global search.
Enabling SSL database connection between the search server and the database server
When you install the global search server, it uses a plain connection to communicate with the database
server. If your organization requires that you use a SSL connection, you must complete these steps.
Procedure
1. Disable global search.
a) Log in to IBM OpenPages GRC Platform with administrative privileges.
b) Navigate to Administration > Global Search and select Disable.
2. Configure SSL on the database server and exchange the certificate between the database server and
the global search server.
3. On the search server, follow these steps to enable SSL:
a) If you are using Windows, open a command prompt with the Run As Administrator option.
b) Go to the <SEARCH_HOME>/OPSearch/opsearchtools/ directory.
c) Enable SSL by running the following command.
For example:
Disabling the SSL database connection between the search server and the database
server
If you need to disable the SSL connection between the search server and the database server, follow
these steps.
Procedure
1. Disable global search.
a) Log in to IBM OpenPages GRC Platform with administrative privileges.
b) Navigate to Administration > Global Search and select Disable.
2. Disable SSL on the database server.
3. Start global search.
a) Log in to IBM OpenPages GRC Platform with administrative privileges.
b) Navigate to Administration > Global Search and select Enable.
Procedure
1. Log on to the OpenPages database instance as the instance owner.
2. Start SQL*Plus.
3. Verify that the database compatible parameter is set to 11.2.0.0 or later.
AURORA
INDX
AURORA_SNP
AURORA_NL
AURORA_NLI
AURORA_CLOB_DATA
AURORA_DOMAIN_INDX
CRN
Run the following query as a DBA user get a list of the existing table spaces:
b) Run the following query to collect information about the table spaces.
You will use this information in a later step.
If you use custom table space names, modify the WHERE clause.
select dt.tablespace_name,
df.file_name,
ceil(df.bytes/1048576)||' M' as file_size
from DBA_TABLESPACES dt,
DBA_DATA_FILES df
where dt.tablespace_name = df.tablespace_name
and dt.tablespace_name in
('AURORA','INDX','AURORA_SNP','AURORA_NL','AURORA_NLI',
'AURORA_CLOB_DATA','AURORA_DOMAIN_INDX','CRN');
Example output:
Attention: If a table space name appears twice in the output, the database uses more than
one data file per table space. In this case, contact your database administrator before you
continue.
c) Delete the database objects.
Log in to SQL*Plus as the OpenPages database user and run the following script:
@AuroraDbDelete.sql
------------------------------------------------------------------------------
-- **** Oracle Transparent Data Encryption ****
-- You can modify the encryption variable below or use one of the provided
-- options. To use a provided option, uncomment the desired algorithm from
-- the list below.
------------------------------------------------------------------------------
define encrypt_var=''
--define encrypt_var='ENCRYPTION USING ''3DES168'' DEFAULT STORAGE(ENCRYPT)'
--define encrypt_var='ENCRYPTION USING ''AES128'' DEFAULT STORAGE(ENCRYPT)'
--define encrypt_var='ENCRYPTION USING ''AES192'' DEFAULT STORAGE(ENCRYPT)'
--define encrypt_var='ENCRYPTION USING ''AES256'' DEFAULT STORAGE(ENCRYPT)'
Sample file:
------------------------------------------------------------------------------
-- **** Oracle Transparent Data Encryption ****
-- You can modify the encryption variable below or use one of the provided
-- options. To use a provided option, uncomment the desired algorithm from
-- the list below.
------------------------------------------------------------------------------
--define encrypt_var=''
--define encrypt_var='ENCRYPTION USING ''3DES168'' DEFAULT STORAGE(ENCRYPT)'
define encrypt_var='ENCRYPTION USING ''AES128'' DEFAULT STORAGE(ENCRYPT)'
--define encrypt_var='ENCRYPTION USING ''AES192'' DEFAULT STORAGE(ENCRYPT)'
--define encrypt_var='ENCRYPTION USING ''AES256'' DEFAULT STORAGE(ENCRYPT)'
b) Log in to SQL*Plus as a DBA user and run the file that you created.
For example, if your file is named tbsp_create.sql, log into SQL*Plus as a DBA user and run the
following commands:
spool tbsp_create.log
@tbsp_create.sql
exit;
8. Grant space privileges to the OpenPages and Cognos users on the new table spaces.
Use the following syntax. If you use custom table space names, replace the table space names with
the names from step 6a.
Example:
8 rows selected.
10. Restore the OpenPages schema, and then restore the Cognos schema.
For more information, see “DB2 databases for OpenPages GRC Platform backup and restore” on page
394 or “Import the production data into the test environment” on page 443 if you are using Oracle.
11. Restart all OpenPages and Cognos components: application servers (admin and non-admin),
reporting servers (active and standby), and the search server.
For more information, see Chapter 20, “Starting and stopping servers,” on page 549.
Procedure
1. Stop the Cognos service and the OpenPages GRC Platform Framework Model Generator service. For
more information, see “Starting and stopping the Cognos services” on page 560.
2. Log on to the IBM WebSphere administration console. Navigate to Applications > Application Types,
and click WebSphere enterprise applications.
a) Click the application op-apps.
b) Under Web Module Properties, click Context root for Web modules.
c) For the web module Sarbanes-Oxley Self-Assessment Application Module, replace the current
value for the Context Root with the new value:
Table 168: Shorten URL, property values for use with IBM Websphere application server
File name Current value New value
aurora.properties application.url.path=http\:// application.url.path=http\://
server_name\:10108/ server_name\:10108
openpages
server_name- url.path.openpages=http\:// url.path.openpages=http\://
OPNode1Server1- server_name\:10108/ server_name\:10108
server.properties openpages
server_name- application.url.path=http\:// application.url.path=http\://
OPNode1Server1- server_name\:10108/ server_name\:10108
sosa.properties openpages
server_name- application.context=/ application.context=
OPNode1Server1- openpages
sosa.properties
4. On the Cognos server, navigate to the following folder:
Windows:
<Cognos_Home>\configuration
AIX or Linux:
<Cognos_Home>/configuration, where <Cognos_Home> might be /opt/ibm/Cognos/
analytics.
a) Open the OpenPagesSecurityProvider_OpenPagesSecurityRealm.properties file in a
notepad or XML editor.
b) Change the current value to the new value, and then save the file:
Current value
openpages.application.url=http\://server_name\:10108/openpages
New value
openpages.application.url=http\://server_name\:10108
5. Restart the OpenPages GRC Platform application servers. For more information, see “Starting all
application services in Windows using a script” on page 551 or “Starting all application servers in AIX
and Linux using a script” on page 552.
6. Start the Cognos service and the OpenPages Framework Model Generator service. For more
information, see “Starting and stopping the Cognos services” on page 560.
<server_name> The host name of the machine on which you are adding the
managed server instance.
For example, OP_Host
<server#> The number of the managed server you are adding to the
cluster.
For example, If you currently have one managed server on
OP_Host, this parameter value would be 2.
<OP_Home>|temp|wasconfig|OpenPagesCell.
<server_name>-OPNode1Server<server#>.
config.props
<OP_Home>|temp|wasconfig|OpenPagesCell.
<server_name>-OPNode1Server<server#>.
config.props
For IBM OpenPages GRC Platform application servers, HTTP compression is installed during the
installation process.
By default, HTTP compression is disabled on the application servers to reduce processor usage and
improve performance over a local area network (LAN). On systems that use a router or switch to
compresses data, you may also want to disable HTTP compression on both the OpenPages GRC Platform
application and, or Cognos servers in your environment to avoid double compression.
In situations where clients are primarily accessing the servers using a narrow network bandwidth (such as
modems), we recommend enabling HTTP compression on both application and Cognos servers.
Note: Files that are already compressed, such as image files, PDF, and ZIP files will not be compressed to
improve performance.
See these topics for details:
• “Enabling or disabling HTTP compression on OpenPages GRC Platform Application Servers” on page
530
• “Enabling or disabling compression on the Cognos Server using Windows IIS” on page 531
• “Enabling compression on the Cognos Server using Apache Web Server” on page 532
• “Disabling compression on the Cognos Server using Apache Web Server” on page 533
For information on installing and configuring HTTP Compression for Microsoft Windows IIS 7 only, see
Appendix C, “Installing and configuring HTTP compression,” on page 767
Procedure
1. From the Windows Start menu on the Cognos server, select Control Panel.
2. Open Administrative Tools as follows:
a) Do one of the following:
Table 170: Microsoft Windows server versions and instructions to open Administrative Tools
For Windows Server... Do this...
2008 Click System and Maintenance.
2008 R2 Click System and Security.
b) Click the Administrative Tools link.
3. Administrative Tools window, double-click Internet Information Services (IIS) Manager.
4. In the Connections pane:
a) Expand Sites > Default Web Site.
b) Select the name of the Cognos folder (for example, cognos).
5. In Features View, under IIS:
a) Double-click Compression.
b) For the following check boxes, do one of the following:
• To enable compression, select both Enable dynamic content compression and Enable static
content compression.
• To disable compression, clear both Enable dynamic content compression and Enable static
content compression.
c) In the Actions pane, click Apply when finished.
Procedure
1. On the Cognos server, navigate to the <Apache_Home>|conf directory.
Where: <Apache_Home> is the installation location of the Apache Web Server. For example, for
Windows, a directory structure could be C:\Program Files (x86)\Apache2.2 and for AIX and
Linux, the directory structure could be /opt/pware/.
2. Navigate to the httpd.conf file and do the following:
a) Make a backup copy of the file before modifying it.
b) Open the httpd.conf file in a text editor of your choice.
3. In the httpd.conf file, load the mod_deflate module as follows.
a) Verify that the following statement is present at the beginning of the file:
LoadModule deflate_module modules/mod_deflate.so
b) If the mod_deflate module statement in Step 3a is commented out (has a # (number sign) at the
beginning of the line), then remove the # (number sign) so the compression module will be loaded.
4. At the bottom of the httpd.conf file, add the following block of configuration code to enable
compression:
<IfModule deflate_module>
SetOutputFilter DEFLATE
<IfModule setenvif_module>
# Netscape 4.x has some problems
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Don't compress already-compressed files
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
5. Depending on your environment, do one of the following to restart the Apache Web Server.
• For Windows:
– Click the Windows Start menu and select All Programs.
– From the Administrative Tools list, select Services.
– Right-click the Apache2.2 service and select Restart.
• For AIX and Linux:
– Log on to the Cognos server as the root user.
– Navigate to the <Apache_Home>/bin directory.
– Enter the following command to stop the server:
./apachectl stop
./apachectl start
Procedure
1. On the Cognos server, navigate to the <Apache_Home>|conf directory.
Where: <Apache_Home> is the installation location of the Apache Web Server. For example, for
Windows, a directory structure could be C:\Program Files (x86)\Apache2.2 and for AIX and
Linux, the directory structure could be /opt/pware/.
2. Navigate to the httpd.conf file and do the following:
a) Make a backup copy of the file before modifying it.
b) Open the httpd.conf file in a text editor of your choice.
3. From the bottom of the httpd.conf file, remove the following block of configuration code to disable
compression:
<IfModule deflate_module>
SetOutputFilter DEFLATE
<IfModule setenvif_module>
# Netscape 4.x has some problems
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Don't compress already-compressed files
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
./apachectl stop
./apachectl start
db2cmd
Procedure
1. Open the database console running as a DB2 administrator.
2. Set the tuning parameters using the following command:
Procedure
1. Log on to the Cognos server as a user with administrative permissions.
2. Go to the <COGNOS_Home>\bin64 directory.
3. Double-click the cogconfigw.exe file to start IBM Cognos Configuration, the Cognos Analytics
configuration tool.
4. In the Explorer pane, expand IBM Cognos services, and click the IBM Cognos service.
5. In the properties pane, set the Maximum memory for Tomcat in MB property to 1024.
Procedure
1. Log on to the IBM OpenPages GRC Platform application server as a user with administrative privileges.
2. Open a command or shell window and navigate to the <OP_Home>|aurora|conf directory.
3. Locate the aurora.properties file in the conf directory and do the following:
a) Open the aurora.properties file in a text editor of your choice.
Results
Note: You do not have to restart OpenPages GRC Platform servers after changing the value of this
property as the application monitors this property for changes.
<host_name>-OPNode<#>Server<#>
<OP_Home>|profiles|<host_name>-OPNode<#>|logs|<host_name>-OPNode<#>Server<#>
where <OP_Home> is the installation location of the OpenPages GRC Platform application. By default, this
is c:\OpenPages on Windows, and /opt/OpenPages on AIX and Linux.
<host_name> is the name of the OpenPages GRC Platform application server.
<#> is the number of the node or server within that node (for example, OPNode1Server1).
Property Description
DB_OP_USER The OpenPages database user name
DB_OP_PASSWORD The OpenPages database user's password
DB_TYPE The database type. This value can be db2 or
oracle.
--target or -t to specify a target package file. If you do not include this option, the default is
LogCollector_<timestamp>.zip. Using --target or -t is optional.
--help or -h to display command help.
This video demonstrates how to collect log files:
https://youtu.be/81X6H0bSlDg
Table 175: DMGR server log files and the information they contain
This log file... Contains this type of information...
startServer.log Log entries that monitor the status of starting the
various application server components.
stopServer.log Log entries that monitor the status of stopping the
various application server components.
SystemErr.log Error log entries that are written by the underlying
IBM WebSphere application server.
Table 176: Node agent log files and the information they contain
This log file... Contains this type of information...
startServer.log Log entries that monitor the status of starting
administrative agents.
stopServer.log Log entries that monitor the status of stopping
administrative agents.
SystemErr.log Error log entries written by the underlying IBM
WebSphere application server.
SystemOut.log Log entries written by the underlying IBM
WebSphere application server about the status of
various J2EE resources being used.
<OP_Home>|profiles|<host_name>-OPNode<#>|logs|<host_name>-OPNode<#>Server<#>
where <host_name> is the name of the IBM OpenPages GRC Platform application server.
<#> is the number of the node or server within that node (for example, OPNode1Server1).
Table 177: Application cluster member log files and the information they contain
This log file... Contains this type of information...
startServer.log Log entries that monitor the status of starting the
cluster member.
stopServer.log Log entries that monitor the status of stopping the
cluster member.
SystemErr.log Error log entries written by the underlying IBM
WebSphere application server.
SystemOut.log Log entries written by the underlying IBM
WebSphere application server about the status of
various J2EE resources being used.
Procedure
1. Log on to the OpenPages application server.
2. Go to <OP_HOME>|aurora|conf where <OP_HOME> is the OpenPages installation location.
The default OP_HOME location for AIX and Linux operating systems is /opx/OpenPages. The default
OP_HOME location for the Microsoft Windows operating system is C:\OpenPages.
3. Back up the auroralogging.properties file.
4. Open the auroralogging.properties file with a text editor.
5. To change the maximum file size of the auroralogging.properties file, modify the
log4j.appender.FILE.MaxFileSize property.
For example, to change the maximum file size to 5120 KB, change the property to the following:
log4j.appender.FILE.MaxFileSize=5120KB
log4j.appender.FILE.MaxBackupIndex=20
Procedure
1. From the Internet Explorer toolbar, click the Tools menu and select Internet Options.
2. Click the General tab.
3. Under Browsing history, click Settings.
4. In the Temporary Internet Files and History Settings box, enter 200 in the disk space box.
5. Restart the browser to effect the change.
Procedure
1. Log on to the IBM OpenPages GRC Platform application server as a user with administrative
permissions.
2. Stop all OpenPages GRC Platform services.
3. Navigate to the <OP_Home>/profiles/<server_name>-<node>/config/cells/
OpenPagesCell/applications/op-apps.ear/deployments/op-apps/sosa.war/WEB-INF/
directory.
Where: <OP_Home> is the location of the OpenPages GRC Platform application. By default, this is
c:\OpenPages on Windows, and /opt/OpenPages on AIX. <server_name> is the name of
the application server.
4. In a text editor, open the web.xml file and look for the following lines:
Procedure
1. Log on to the IBM Cognos server as a user with administrative permissions.
2. Go to the <COGNOS_Home> bin64 directory.
https://test.my-company.com/ibmcognos/cgi-bin/cognos.cgi?
b_action=xts.run&m=portal/launch.xts&ui.tool=CognosViewer&ui.action
=run&encoding=UTF8 &method=newQuery&backURL=http%3a%2f%2fwww.google.com
&m=qs%2fqs.xts&cafcontextid=&obj=%2fcontent%2fpackage%5b%40name%3d%27OpenPages%27%5d
The Cognos Analytics V11.0 Installation and Configuration Guide, Configuration options chapter, section
"Configure IBM Cognos Components to Use IBM Cognos Application Firewall", indicates that the standard
method for performing positive validation of URL input parameters and data is to use the CAF (Cognos
Application Firewall) setting in the Cognos Configuration tool. If the data does not match a CAF rule, it is
rejected.
The IBM OpenPages GRC Platform Installer for OpenPages CommandCenter enables the Cognos
Application Firewall (CAF) by default.
CAF can be configured with a list of host names, including port numbers and domains that a user can
access through the backURL parameter. If a backURL parameter contains a host or a domain name that
does not appear in the list, the request will be rejected. An error message, similar to the following, will be
displayed to users who try to access invalid domains or hosts through the backURL parameter:
DPR-ERR-2079 Firewall Security Rejection. Your request was rejected by the
security firewall.
The CAF setting has a known issue where enabling the firewall sometimes obscures useful error
messages. For example, if a report author developed a report and that report had a logic flaw, a generic
firewall error message (as shown previously) would be displayed rather than a more useful message
containing information about the cause of the actual problem.
Although generic firewall messages are considered a safe way to protect information, this type of
nondescript CAF error message would make troubleshooting of report authoring/development and certain
kinds of configuration issues more difficult.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
2. Start IBM Cognos Configuration:
To ensure proper display of messages in the browser, users must set their browsers to a supported locale.
For a list of supported locales, see Chapter 13, “Localizing text,” on page 277.
Procedure
1. Open the log file specified in the following table.
Where
<OP_HOME> represents the installation location of the OpenPages GRC Platform application.
<OpenPages-node-name> is the name of the node in which the servers run.
<OpenPages-node-server-name>Server <#> is the name of the current server within the <OpenPages-
node-name> node that the current server is in, and <#> is the number of the server within that node.
2. Scroll to the end of the log file and search for a message stating that the server is "open for e-business;
process id is <process-id>". If this line appears, the server is running in production mode and the
application is ready to be accessed.
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Open a Command Prompt window (using the Run as Administrator option) and do the following:
a) Navigate to the <OP_HOME>\bin directory.
Where <OP_HOME> is the installation location of the OpenPages GRC Platform application. By
default, this is: c:\OpenPages.
b) Run the following command to start the OpenPages GRC Platform services:
StartAllServers.cmd
When all services have been started, the Command Prompt window closes.
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Click the Windows Start menu and select All Programs.
3. From the Administrative Tools list, click Services.
4. Start the IBMWAS<version>Service - <OpenPages-dmgr-name> service, if present.
5. Start the IBMWAS<version>Service - <OpenPages-node-name> service.
6. Start the IBMWAS<version>Service - <OpenPages-node-server-name>Server<#> services, where <#>
represents the number of the cluster member.
Note: If there is more than one cluster member on the current system, you must start the service
(<OpenPages-node-server-name>Server<#>) for each cluster member in sequence.
When the services are starting, Windows Services may indicate that the services have started, but
background OpenPages processes may still be running. It might take a few minutes for the OpenPages
services to be operational.
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Open an AIX or Linux shell window.
3. Go to the <OP_HOME>/bin directory.
4. Run the following script to start OpenPages GRC Platform services:
./startAllServers.sh
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Use an AIX or Linux shell to navigate to the <DMGR profile directory>/<OpenPages-dmgr-
name>/bin directory, where <DMGR profile directory> is the same directory as the one provided
on the installer's Deployment Manager card.
./startManager.sh
./startNode.sh
./startServer.sh <OpenPages-node-server-name>Server<#>
Procedure
1. Start the search services:
• For Windows, at a command prompt enter the following commands:
cd <SEARCH_HOME>\opsearchtools\
StartSearchServer.cmd
cd <SEARCH_HOME>/opsearchtools/
./StartSearchServer.sh
2. Open a browser and point to your search server at ports 8983 and 8985. Make sure that the Solr
search platform can be reached.
For example, http://<search-server>:8983/ and http://<search-server>:8985/.
If the verification fails, repeat the preceding step.
3. Log on to IBM OpenPages GRC Platform as an administrator.
4. Click Administration > Global Search > Enable.
Procedure
1. Log on to IBM OpenPages GRC Platform as an administrator.
2. Click Administration > Global Search > Disable.
3. Stop the search services:
• For Windows, at a command prompt, enter the following commands:
cd <SEARCH_HOME>\opsearchtools\
StopSearchServer.cmd
cd <SEARCH_HOME>/opsearchtools/
./StopSearchServer.sh
4. For either Windows or UNIX, verify that global search is fully stopped.
a) In the directory <SEARCH_HOME>/opsearchtools/, examine the files
opsearchtool_openpages.state and opsearchtool_folderacl.state and verify that the
PID value is -1.
b) Open a browser and point to your search server at ports 8983 and 8985. Make sure that the Solr
search platform cannot be reached.
For example, http://<search-server>:8983/ and http://<search-server>:8985/.
If the stop verification fails, repeat the preceding step and then follow the steps in “ Forcing a reset
of global search” on page 792.
Procedure
1. Log on to the search server as a user with administrative privileges.
2. Open the Services snap-in (services.msc).
3. Locate the service that is called IBM OpenPages GRC - Global Search.
4. Click Start.
5. If you want the service to start automatically when Windows starts, change the Startup Type to
Automatic.
6. Open a browser and point to your search server at ports 8983 and 8985. Make sure that the Solr
search platform can be reached.
For example, http://<search-server>:8983/ and http://<search-server>:8985/.
Procedure
1. Log on to the search server.
2. Open a shell as the root user.
3. Copy the <SEARCH_HOME>/opsearchtools/openpages-search file to the /etc/init.d/
directory.
4. Copy the <SEARCH_HOME>/opsearchtools/openpages-searchcfg file to the /etc/
sysconfig/ directory.
5. Set the execution permission on the openpages-search file by running the following command:
chmod +x /etc/init.d/openpages-search
6. If you want the service to start automatically when the system restarts, run the following commands:
7. Start the global search services by running the following command: service openpages-search
start
8. Open a browser and point to your search server at ports 8983 and 8985. Make sure that the Solr
search platform can be reached.
For example, http://<search-server>:8983/ and http://<search-server>:8985/.
If the verification fails, repeat the preceding step.
9. Log on to IBM OpenPages GRC Platform as an administrator.
10. Click Administration > Global Search > Enable.
Procedure
1. Log on to IBM OpenPages GRC Platform as an administrator.
2. Click Administration > Global Search > Disable.
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Launch a Command Prompt window (using the Run as Administrator option).
3. Navigate to the <OP_HOME>\bin directory.
4. Enter the following command to launch a script that stops the OpenPages services:
Where <username> and <password> are the administrative user name and password for IBM
WebSphere Application Server.
When all services have been stopped, the Command Prompt window closes.
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Click the Windows Start menu and select All Programs.
3. From the Administrative Tools list, select Services.
4. Stop the IBMWAS<version>Service - <OpenPages-node-server-name>Server<#> services.
5. Stop the IBMWAS<version>Service - <OpenPages-node-name> service.
6. Stop the IBMWAS<version>Service - <OpenPages-dmgr-name> service, if present.
Results
When the services are stopped successfully, the OpenPages application is properly shut down.
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Use an AIX or Linux shell to navigate to the <DMGR profile directory>/<OpenPages-dmgr-
name>/bin directory, where <DMGR profile directory> is the same directory as the one provided
on the installer's Deployment Manager card.
3. Enter the following command to launch a script that stops OpenPages GRC Platform services:
Where <username> and <password> are the administrative user name and password for the IBM
WebSphere Application Server.
Procedure
1. Log on to the OpenPages GRC Platform application server as a user with administrative privileges.
2. Go to the <OP_HOME>/profiles/<OpenPages-node-name>/bin directory.
3. Enter the following commands, in the order specified, to launch a script that stops the OpenPages
application server and the OpenPages Node Agent.
Where <username> and <password> are the administrative user name and password for the IBM
WebSphere Application Server.
Use the following steps to start or stop database services using Windows Services.
Procedure
1. Log on to the database server as a user with administrative privileges.
2. Click the Windows Start menu and select All Programs.
3. From the Administrative Tools list, select Services.
4. For each database service listed in the previous table, do the following:
• To start the server, right-click the service name and select Start.
• To stop the server, right-click the service name and select Stop.
Starting and stopping the Oracle database server in an AIX and Linux
environment
Use the following steps to start or stop the Oracle database server.
Procedure
1. Log on to the database server as a user with administrative privileges.
2. In a shell window, navigate to the following directory:
<ORACLE_HOME>/bin
sqlplus / as sysdba
startup
sqlplus / as sysdba
stop immediate
Using the IBM Cognos configuration tool to start and stop the IBM Cognos service
You can use the IBM Cognos Configuration tool to start or stop the IBM Cognos service.
Note: The IBM Cognos Configuration tool displays the status of the start-up, which can be helpful with
troubleshooting, if necessary.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
2. Start the IBM Cognos Configuration tool as follows:
a) Open a Command Prompt window (using the Run as Administrator option), or AIX or Linux shell,
and navigate to the <COGNOS_HOME>/bin64 directory.
<COGNOS_HOME> represents the installation location of the Cognos application. By default, this is:
Windows
cogconfig.bat
AIX and Linux
./cogconfig.sh
b) Execute one of the following commands to open the tool:
3. Do one of the following:
• To start the server, click Actions | Start. (It may take several minutes for the service to start the
first time.) If the Start option is not available, the service has already started.
• To stop the service, click Actions | Stop.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
2. Click the Windows Start menu and select All Programs.
3. From the Administrative Tools list, select Services.
4. Do one of the following:
• To start the server, right-click the IBM Cognos service and select Start.
• To stop the server, right-click the IBM Cognos service and select Stop.
Using the AIX or Linux operating system to start and stop IBM Cognos service
Use the following steps to start or stop the IBM Cognos service in an AIX or Linux environment using
command-line scripts.
Procedure
1. Log on to the reporting server as a non-root user with administrative privileges.
2. Launch an AIX or Linux shell and navigate to the bin directory as follows:
<COGNOS_HOME>/bin64
Where
<COGNOS_HOME> is the installation location of the Cognos application.
3. Do one of the following:
• To start the service, enter the following command: ./cogconfig.sh -s
• To stop the service, enter the following command: ./cogconfig.sh -stop
Starting and stopping the OpenPages GRC Platform Framework Model Generator service
on Windows
Use the following steps to start or stop the IBM OpenPages GRC Platform Framework Model Generator
service in a Microsoft Windows environment.
Procedure
1. Log on to the reporting server as a user with administrative privileges.
2. Click the Windows Start menu and select All Programs.
3. From the Administrative Tools list, select Services.
4. Do one of the following:
• To start the server, right-click the IBMOpenPagesFrameworkModelGenerator service and select
Start.
• To stop the server, right-click the IBMOpenPagesFrameworkModelGenerator service and select
Stop.
Starting and stopping the OpenPages GRC Platform Framework Model Generator service
on AIX or Linux
Use the following steps to start or stop the IBMOpenPagesFrameworkModelGenerator service in an
AIX or Linux environment.
Procedure
1. Log on to the reporting server as a non-root user with administrative privileges.
<CommandCenter_Home>/wlp/bin
The source and target files can be from environments that are running different versions of IBM
OpenPages GRC Platform. Further, you can run Compare Environments on a system that is running a
version that is different from both the source and target environments.
Note: Compare Environments compares only the content of the XML files that you specify. It does not
compare any other aspects of your source and target environments.
Compare Environments can use significant system resources. Follow these guidelines when you are using
it:
• Do not run Compare Environments on production environments.
• Do not run Compare Environments on servers that are busy with other activities.
• The XML files that you want to compare might be very large. If so, the time it takes to upload the files to
the system might take several minutes or longer. Consider this factor before using a connection with
slow upload speeds.
Use the following process to compare environments:
• Decide what you want to compare.
• Generate an XML file in the source environment.
• Generate an XML file in the target environment.
• Use the filters on the Compare Environments page to filter on the configuration data that you want to
compare.
By using the filters, you can reduce the amount of time it takes to compare the XML files. Filters can also
help you to focus on the results that you need by removing potentially distracting information from the
results. Comparison results can include hundreds of thousands of rows.
• Run the comparison.
• Download the detailed results.
• Analyze the results.
• Fix any errors and review any warning messages.
When you compare environments, keep the following points in mind:
• Compare Environments uses the source environment file as the point of reference. If you reverse the
source and target files, the results are different, and this is expected.
• Compare Environments ignores any data that it does not support.
• The source environment, the target environment, and the environment where you run Compare
Environments can each have a different version of OpenPages installed.
• Currency fields are different from other fields. Currency fields have a different XML structure from other
types of fields.
81 <includedField name="Year"
82 readOnly="false"
83 required="false">
• If you added a custom object type in OpenPages, the object type definition in the XML file contains at
least two contentTypeRelationship elements, attachment and association. These content type
relationships are added by default. Compare Environments reports on these elements.
For example, suppose that you added a custom object type in the source environment and it does not
exist in the target environment. When you defined the custom object type, you set up a parent
association. When you generate and compare the XML files, Compare Environments logs two
information messages about object type associations: one about the parent object association that you
added, and another about the attachment association, which was added by default.
• In certain cases, when you use the Administration pages, default configuration elements are created in
the background. These changes might not be apparent in the user interface at the time.
For example, when you view the details of a profile for the first time and add an included object type
such as SOXBusEntity, default entries for the Overview navigation view are added automatically. If you
export object profiles without making any additional changes, the XML file includes the additional
elements for the Overview view in the object profile.
This video demonstrates how to use Compare Environments to identify and resolve issues before you
migrate configurations from one environment to another:
https://youtu.be/knGObg_VGXs
Supported items
Compare Environments supports the comparison of many configuration items. Compare Environments
ignores any items that it does not support.
Compare Environments supports the following items:
• Object types, including object type associations (parent or child), associated field groups, and file type
information
• Field groups
• Fields, including field types, display types, and display type attributes
• Computed field details, including equation, primary namespace, alternative namespaces, object ID, and
reporting period ID
• Enumerated string values for enumerated string fields
• Object profiles, including object profile views
• Settings
• Object text
• Application text
For information about how items are represented in XML, export results from the Compare Environments
tool and then click the Legend tab of the exported workbook.
Compare Environments does not support some items, for example:
• Filters
• Field dependencies
• Dependent picklists
• Workflows in IBM Business Process Manager
• Security (groups, users, role templates, custom security, security rules)
• Object resets
• Configuration settings for apps and features that have their own configuration pages, such as the
approval app, IBM OpenPages Loss Event Entry, IBM Regulatory Compliance Analytics data import, IBM
OpenPages Regulatory Compliance Management, and classifiers for cognitive services
• Questionnaire Assessments
• Triggers
• Custom query subjects
• JSPs
• For activity views, a maximum of three levels of associated object types is supported
• Instance data
Procedure
1. Export configurations in the source environment.
For more information, see “Exporting configuration items from the source environment” on page 583.
The tool generates a .jar file.
2. Download the .jar file.
3. Decompress the .jar file.
Note: You might need to change the extension to .zip, depending on the data extraction tool that you
are using.
4. Go to the loader-data directory and locate the openpages-env-mig-<timestamp id>-op-
config.xml file.
5. Give the file a meaningful name.
For example, source-openpages-env-mig-<timestamp id>-op-config.xml
6. Repeat these steps in the target environment. Give the XML file a meaningful name such as target-
openpages-env-mig-<timestamp id>-op-config.xml.
Procedure
1. In the source environment, go to the <OP_HOME>/bin/ directory.
2. Edit the <OP_HOME>/bin/ObjectManager.properties file. Configure the areas that you want to
export.
• To export all configuration data, set the following setting to true:
configuration.manager.migrate.configuration.objects=true
This setting extracts more data than is supported by the Compare Environments tool. The Compare
Environments tool ignores any data that is not supported.
• To export all configuration data that Compare Environments supports, see “ObjectManager
properties for comparing environments” on page 568.
• To specify the configuration data that you want to export, look for the settings that begin with
configuration.manager.dump.*
configuration.manager.dump.bundle.type=true
For more information, see “Modifying the ObjectManager properties file” on page 601.
3. Save the ObjectManager.properties file.
4. Run the following command:
The XML output file is created in the output directory that you specified and is named <output file
prefix>-op-config.xml.
5. Repeat these steps in the target environment.
configuration.manager.dump.modules=false
configuration.manager.dump.file.types=false
configuration.manager.dump.bundle.types=true
configuration.manager.dump.file.upload.content.types=true
configuration.manager.dump.jsp.based.content.types=true
configuration.manager.dump.content.type.relationship.sets=true
configuration.manager.dump.app.permissions=false
configuration.manager.dump.actors=false
configuration.manager.dump.actor.group.memberships=false
configuration.manager.dump.actor.object.profile.associations=false
configuration.manager.dump.admin.objectprofile.views=true
configuration.manager.dump.non.form.based.resources=false
configuration.manager.dump.form.based.content.types=true
configuration.manager.dump.form.based.resources=false
configuration.manager.dump.channels=false
configuration.manager.dump.resource.sets=false
configuration.manager.dump.associated.resources=false
configuration.manager.dump.rule.sets=false
configuration.manager.dump.rule.set.execute.sessions=false
configuration.manager.dump.registry=true
configuration.manager.dump.object.profiles=true
configuration.manager.dump.recursive.hierarchy=false
configuration.manager.dump.date.dimension.type=false
configuration.manager.dump.object.type.dimension=false
configuration.manager.dump.date.dimension.type.associations=false
configuration.manager.dump.locales=false
configuration.manager.dump.application.string.key.categories=true
configuration.manager.dump.application.string.keys=true
configuration.manager.dump.application.strings=true
configuration.manager.dump.recursive.hierarchy.strings=false
configuration.manager.dump.date.dimension.type.strings=false
configuration.manager.dump.object.type.dimension.strings=false
configuration.manager.dump.error.strings=false
configuration.manager.dump.object.strings=true
configuration.manager.dump.job.types=false
configuration.manager.dump.currency.exchange.rates=false
configuration.manager.dump.currencies=false
configuration.manager.dump.query.definitions=false
configuration.manager.dump.user.preferences=false
configuration.manager.dump.role.templates=false
configuration.manager.dump.role.administrators=false
configuration.manager.dump.role.assignments=false
configuration.manager.dump.field.dependency=false
configuration.manager.dump.field.dependency.picklist=false
configuration.manager.dump.subsystem.exclusion.fields=false
Procedure
1. Log in as a user with the Compare Environments permission.
2. Click Administration > Compare Environments.
3. Select the XML file for the source environment.
4. Select the XML file for the target environment.
5. Choose the categories that you want to include.
6. Choose the severity levels that you want to include.
7. Select the types of changes you want to include:
• In Source, Not in Target: Find items that exist in the source environment XML file and do not exist
in the target.
• In Target, Not in Source: Find items that exist in the target environment XML file and do not exist in
the source.
• Validation Issue: Find validation issues.
8. Click Compare.
Depending on the size of the XML files, the options that you selected, and your upload connection
speed, the process might take several minutes to complete.
Important: Stay on the Compare Environments page until the process completes. If you leave the
page, you will need to select the files again and re-run the comparison to get the results.
9. Click Export Details. Save or open the .xlsx file.
10. Analyze the results. For more information, see “Interpret results” on page 569.
Interpret results
When you export results from Compare Environments, you get a .xlsx file. The workbook provides
details about the comparison, along with the results.
Context tab
Lists the options that you used to do the comparison.
Differences tab
Lists the differences that were found. Look for any errors or warnings.
Context The path to the XML element where the error, warning, or
difference was found.
XML Element The XML element that contains the error, warning, or
difference.
Description A description of the error, warning, or difference.
You can find more information about errors and warnings
on the Validation_Rules tab.
Source XML Line No. The line number in the source XML file.
If an element spans multiple lines, the tool reports the
line number where the closing tag is located.
Target XML Line No. The line number in the target XML file.
If an element spans multiple lines, the tool reports the
line number where the closing tag is located.
Validation_Rules tab
Lists the rules that the tool uses to validate the source and target XML files.
Legend tab
Lists the configuration items that the tool compares and the name of the elements that represent
them in the XML files.
If you want to migrate from the source environment to the target environment, fix any errors and review
all warnings. Regenerate the XML files, and then run the Compare Environments tool again. Verify the
results.
Example: A field group exists in the source environment, but not in the target
Suppose that the source environment has a field group that is called CustomFG. The field group does not
exist in the target environment.
You export field groups from each environment by using Export Configuration. You then compare the two
XML files by using Compare Environments. You choose to compare all categories. You also choose to
include errors, warnings, and information messages in the results.
In this case, the tool generates the following message:
The bundleType message indicates that the field group that is called CustomFG is not in the target
environment.
If you added fields to the CustomFG field group, you also see messages about the fields. For example, if
the CustomFG field group has a field that is called CustomField and this field does not exist in the
target, you see the following messages:
Figure 22: Results of the export: A field group and its fields are not in the target environment
• The bundleType message indicates that the CustomFG field group is not in the target environment.
• The propertyType message indicates that the field that is called CustomField is not in the target
environment.
• The fieldString messages are generated for each locale that is defined for the field called
CustomField.
Figure 23: Results of the export: A profile does not exist in the source environment
• The objectProfile message indicates that the profile that is called NewVendor does not exist in the
source environment.
• When the NewVendor profile was created, a new view definition was created automatically. The
objectProfileViews message indicates that this view definition does not exist in the source
environment.
• When the NewVendor profile was created, a new registry setting was added automatically. The
registryEntry message indicates that this setting does not exist in the source environment.
If the profile uses fields groups, fields, or other items that are not in the source environment, you see
messages about these differences also.
Example: A custom object type exists in the target environment, but not in the source
Suppose that the target environment has a custom object type that is not in the source environment.
The custom object has the following characteristics:
• Name: CustomObject2
• Parent: Incident
• Included field groups: OPSS-Inc-IT
You export object types from each environment by using Export Configuration. You then compare the two
XML files by using Compare Environments. You choose to compare all categories. You also choose to
include errors, warnings, and information messages in the results.
In this case, the tool generates the following messages:
• The contentType message indicates that the object type that is called CustomObject2 does not exist
in the source environment.
• When you created the CustomObject2 object type, you defined a parent relationship with the Incident
object type. The contentTypeRelationship message in row 13 indicates that the parent association
is not in the source environment.
• Although you did not define an attachment association when you created the CustomObject2 object
type, the association was added by default when you created it. The contentTypeRelationship
message in row 14 indicates that the association is not in the source environment.
• The objectTypeString messages are generated for each locale.
opapp-OPNode1Server11982-1499351409947-compareenvironments.log
Delete old Compare Environments log files periodically to clean up the <OP_HOME>/aurora/logs
directory.
The log files for the Compare Environments tool are included when you run the LogCollector tool. For
more information, see “Collect log files and diagnostic data” on page 539.
An OpenPages GRC Platform environment is a set of OpenPages GRC Platform servers that target a single
database instance, inclusive of that database instance.
Many organizations use different OpenPages GRC Platform environments for specific purposes. For
example, a company might use the following environments:
• Development environment - A specific set of servers where changes are made to the OpenPages GRC
Platform metadata.
• Test environment - A specific set of servers where configuration changes from the development
environment are tested.
• UAT environment - A specific set of servers where configuration changes from the test environment are
reviewed by end users before being released to the production environment.
• Production environment - A specific set of servers where tested and reviewed metadata changes are
made available to the end users.
Other organizations may combine development and testing into a single environment for generating and
testing metadata changes, and use a second environment for production.
The environment from which you want to export data is referred to as the source and the environment into
which you want to import data is referred to as the target.
\ / | * : { } [ ] " ?
Maximum String Controls how many rows are displayed in the Review selected items box when
Items exporting items with environment migration. Permissible values are any integer
greater than zero. The default is 10000.
Certain categories of items that can be exported with Environment Migration
(such as Application Text) contain many tens of thousands of items. To reduce
the page size and make Internet Explorer more responsive when reviewing these
categories, you can now set a limit on the number of items that are shown. When
a limit is set you can still use the search feature to find items beyond the row
limit.
Process Log Report The location of the Process Log Report Page Spec. This value was previously
Page Spec fixed and can now be set. The default is /_cw_channels/Reporting/Hidden
Reports/CommandCenter/Administrative Reports/Environment
Migration/Process Log Report.pagespec
Special Character Specifies whether or not special characters are checked while validating names
Validation of metadata. The default is true. Set to false to preserve legacy special
character rules.
For information on ObjectManager, see Chapter 23, “The ObjectManager tool,” on page 589.
The environment migration process creates a file in the Java ARchive (JAR) format (referred to in this
document as a migration file) that is automatically saved to the repository.
The exported migration file is named in the <export file name prefix>-env-mig-
<MMddYYkkmmss> format; where:
• the <export file name prefix> is the export file name prefix setting (see “Settings that apply to
environment migration” on page 575), truncated if the prefix exceeds 15 characters;
• the timestamp portion of the file name represents the month (MM), the day (dd), the year (YY), hour
(kk), minute (mm), and seconds (ss) when the export was started.
For example, openpages-env-mig-011712031416.
Exporting dependencies
When exporting configuration items, the export process automatically determines if there are any
dependencies required by the configuration items and adds those dependencies to the migration file.
The dependencies that will be exported for each type of item are listed in the following table.
Import validation
The environment migration import process automatically validates all migrated configuration items as the
first step of an import, verifying that:
• The XML is well-formed, according to the DTD.
• The metadata attributes are valid, according to IBM OpenPages GRC Platform validation rules.
• All dependent items that a particular item requires are present in either in the migration file or in the
target system.
• Special characters are validated if the special character validation setting is true (see “Settings that
apply to environment migration” on page 575).
For example, if a particular profile is selected for import, validation will check for any missing object types,
fields, or field groups, allowing you to take corrective actions before the profile is loaded into the target
environment.
Additionally, you can manually run the validation process separate from the import.
Important: Manually validate all data before importing the configuration items into the target
environment.
The validation process provides feedback through a detailed Cognos-style report on the current status,
the number of correctly validated items, and any inconsistencies or failed validations.
Table 188: Tasks for Migrating Data Items Using Environment Migration
Use this environment... To do this task...
Source Export the configuration items into a JAR file. See “Exporting configuration
items from the source environment” on page 583.
Target Verify that all the configuration items are valid in the target environment.
See “Validating the migration file” on page 585.
Target Import the configuration items into the current environment. See
“Importing configuration items to the target environment” on page 584.
Procedure
1. Log on to the source OpenPages application as an administrator.
2. Disable System Administration Mode, if enabled. For details, see “Enabling and disabling System
Administration Mode” on page 17.
3. From the menu bar, select Administration and click Export Configuration.
4. On the Export Options tab, do one of the following:
a) Under Create a new migration package, select Export local configuration to create a new
migration file and click Submit.
b) Under Create new export based on a previously saved migration package (JAR) select either
Local disk or Server repository. Click the Browse icon to locate the migration file to use, then
click Submit.
Note: If you selected the wrong package, reload the Export Configuration page or click the
browser's Back icon.
5. In the Choose items to export tab, select the type of item to export from the Choose type drop-
down list.
6. In the Select items pane, use the list or the tree structure to select specific items to export or click
All to select all the items of that type. Click None to clear the list of selected items.
The Review items pane displays the current count of each type.
7. Repeat Steps 5 and 6 for each type of item you want to export.
8. Optional: To review the details of the selected items, click the links in the Review selected items
pane. All items of that type selected for export are displayed in the Selected item details pane.
9. Click the Clear icon to remove the items from the display. Clearing the list will not remove the items
from the file.
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Expand the Administration > Settings > Applications > GRCM > Environment Migration folder
hierarchy.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
3. Click the Special Character Validation setting to open its detail page.
4. In the Value box, type one of the following values:
true The import will check for special characters in the name of metadata items
being imported.
This value is set by default.
false The import will allow metadata items with special characters in the name to
be imported.
5. Click Save.
Procedure
1. Log on to the target IBM OpenPages GRC Platform application as a user with the Import Configuration
permission.
2. From the menu bar, select Administration and click Import Configuration.
3. On the Import Options tab, select one of the following based on where the migration file is located:
a) Local Disk to import a file from the local machine. The migration file can be in either JAR or XML
format.
b) Server repository to import a migration file from the OpenPages GRC Platform repository. Click
Browse to locate the migration file to import.
4. Click Submit.
5. To review the details of the selected items, click the links in the Review items in the migration
package pane. If you are importing a JAR format file, all items of that type selected for import are
displayed in the Selected item details pane. If you are importing an XML format file, supplemental
information types are validated but not displayed in the Selected item details pane. For more
information about, see “Supported migration items” on page 577.
Click Clear to remove the items from the display. Clearing the list will not remove the items from the
file.
Note: If you selected the wrong migration file, reload the Import Configuration page or click Back in
the browser.
6. Click Validate to begin the validation process.
The Import History pane shows the progress of the validation. You can view a detailed status by
clicking View Log.
7. Click Refresh in the Import History pane to update the progress on screen. When the validation is
complete, the Import History pane will display a message indicating if the validation completed
successfully or with errors.
Results
If the Completed With Errors message appears, you can use the migration reports to determine the
nature of the error. See “Log summary migration report ” on page 587 and “Log details migration report”
on page 587. If there are any validation errors, these errors will need to be addressed before importing.
If there are warnings in the migration reports, these can be safely ignored, and you can continue with the
import.
Procedure
1. Log on to the target IBM OpenPages GRC Platform application as a user with the ImportConfiguration
permission and access to the Migration Documents folder.
2. From the menu bar, select Administration and click Import Configuration.
3. On the Import Options tab, select one of the following, based on where the migration file is located:
a) Local Disk to import a file from the local machine. The migration file can be in either JAR or XML
format.
b) Server repository to import a file from the OpenPages repository. Click Browse to locate the
migration file to import.
4. Click Submit.
5. To review the details of the selected items, click the links in the Review items in migration package
pane. If you are importing a JAR file, all items of that type selected for import are displayed in the
Selected item details pane. If you are importing an XML file, supplemental information types are
validated but not displayed in the Selected item details pane. For more information about, see
“Supported migration items” on page 577.
Click Clear to remove the items from the display. Clearing the list will not remove the items from the
file.
Note: If you selected the wrong migration file, reload the Import Configuration page or click Back in
the browser.
6. When you are satisfied with the data to import, click Import. The environment migration process
automatically validates the data before importing.
The process will either:
• Import the data, if there are no validation errors;
• Stop the import if there are validation errors. If there are errors that need to be corrected, see
“Environment migration best practices” on page 581.
The Import History pane shows the progress of the import. You can view a detailed status, by clicking
View Log.
7. Click Refresh in the Import History pane to update the progress on screen. When the import is
complete, the Import History pane will display a message indicating if the import completed
successfully or with errors. If the Completed With Errors message appears, you can use the
migration reports to determine the nature of the error. See “Log summary migration report ” on page
587 and “Log details migration report” on page 587.
Results
• After a successful import, you can view detailed feedback by clicking View Log to download a report
with feedback on the current status, number of correctly validated items, and any inconsistencies or
failed validations.
Note: After importing a migration file, the repository will list the imported file using the end time of the
import in the <export file name prefix>-<YYYY_MM_dd_kk_mm> format. If you need to import
the migration file into another system, you should select the exported migration file.
For example, if the Import History window indicates that the migration file
migration-100311120839 was imported, then after that file was imported, the repository shows that
migration-100411031232.jar was created. If you need to import this package of changes into
another system, you would select the migration-100311120839.jar file. (The name indicates that
the Export File Name Prefix is migration.)
• If, as part of the Configuration Migration import operation, updates are made to the Platform >
Reporting Framework V6 > Configuration > Supported Triangle Relationships setting, you must
update the Reporting Schema with the new triangle views. For instructions, see “Changes that require
the reporting schema to be regenerated” on page 89.
<loader-file-prefix>-op-config.xml
Where:
<loader-file-prefix> is the user-defined portion of the loader file name.
-op-config.xml is the standard string that follows the prefix and identifies the file as a loader file to the
ObjectManager tool. Do not change this portion of the file name.
Note:
• When you pass a loader file parameter to the ObjectManager tool, you only pass the prefix portion of the
loader file name.
• If no prefix is provided, the ObjectManager tool will attempt to load from or write to the file op-
config.xml.
Import example
If you want to load (import) data into the OpenPages GRC Platform repository, you could, for example,
create a loader file with the name mydata-op-config.xml (prefix + standard string). When you pass the
prefix mydata to the ObjectManager tool, the ObjectManager tool would automatically look for a loader
file named mydata-op-config.xml.
Export example
If you want to extract (dump) data from OpenPages GRC Platform, you could, for example, pass the prefix
myconfig to the ObjectManager tool. The ObjectManager tool would automatically create an export
(dump) file named myconfig-op-config.xml.
Where:
parent-element is a tag identifying the type of information to be loaded.
child-element is a nested tag within a given information type that usually contains attributes and/or
text content.
The following code example shows the structure of an XML data loader file that, when loaded through the
ObjectManager tool, would update the currency exchange rates for the Canadian dollar (CAD) and
Mexican peso (MXN).
The exchangeRates element contains the exchangeRate child-element, which has attributes for the 3-
letter ISO code for the country or region and the updated exchange rate for that currency.
Procedure
1. Open a Command Prompt window.
2. Navigate to the bin installation directory, such as:
cd C:\OpenPages\bin
3. Run the following command on a single line to load the 'data1-op-config.xml loader file:
Procedure
1. Open a Command Prompt window.
2. Navigate to the bin installation directory, such as:
cd C:\OpenPages\bin
3. Run the following command on a single line to export data from OpenPages GRC Platform into the
config1-op-config.xml loader file:
The file named config1-op-config.xml will automatically be created in the c:\export folder.
Procedure
To use this mode, the argument -server must be added as the first argument on the command line. All
other arguments remain the same, but are shifted by one position. The REST API must be enabled on the
server. For example:
ObjectManager.cmd -server l c <username> <password> <file_path> <file_name
without op-config.xml>
ObjectManager.cmd -server load configuration <username> <password> <file_path>
<file_name without op-config.xml>
Additionally, in the Object Manager properties file, openpages.service.host must be set to the fully
qualified host name of the admin server, and openpages.rest.port must be set to the port used for the
REST API.
Because the program waits for the processing to be complete, a timeout might occur for large files with a
long processing time. To resolve this issue, either run the job without the argument -server, or break the
file into smaller files.
A warning message Class path contains multiple SLF4J bindings might occur. This warning
can be safely ignored.
Attention: The ObjectManager.log is not updated when using the –server switch. A
Results.log is generated under the logs subfolder where the output XML file is generated.
Check server logs when ObjectManager errors occur.
A batch loader list file is typically a text (.txt) file that contains a list of the XML loader files for batch
processing by the ObjectManager tool.
The ObjectManager tool uses the following syntax for batch loading multiple loader files.
For example, you save this batch loader list file with the name load-reports.txt in the
c:\OpenPages default installation directory.
The instructions in the following example show how to run the sample load-reports.txt batch loader
list file to load or import data into IBM OpenPages GRC Platform. The top-level directory (c:\temp) is
used for the <batch-loader-dir> parameter as it includes the loader files in the \loaders subfolder
under it.
Procedure
1. Open a Command Prompt window.
2. Navigate to the bin installation directory, such as:
cd C:\OpenPages\bin
3. Run the following batch command to load the load-reports.txt batch loader list file:
<openpagesConfiguration xmlFormatVersion="1.31">
<moveResources>
<targetFolder name="{fullpath of target folder}">
<sourceResource name="{fullpath of the object to be moved}"/>
Procedure
1. Log onto the application server.
2. Open a text editor.
3. Copy the previous syntax example.
4. Update the example to reflect the target folder location(s) and source folder location(s).
For example:
<openpagesConfiguration xmlFormatVersion="1.31">
<moveResources>
<targetFolder name="/_op_sox/Project/Default/ICDocumentation/
Processes/ENTITY01">
<sourceResource name="/_op_sox/Project/Default/ICDocumentation/
Processes/ENTITY02/
PROC01.txt"/>
</targetFolder>
</moveResources>
</openpagesConfiguration>
D:\OpenPages\bin>ObjectManager l c
OpenPagesAdministrator OpenPagesAdministrator
D:\temp samplemove
9. Restart the OpenPages services. For more information, see Chapter 20, “Starting and stopping
servers,” on page 549.
10. If an administrator needs to move multiple objects via ObjectManager, the following is the sample
syntax:
<openpagesConfiguration xmlFormatVersion="1.31">
<moveResources>
<targetFolder name="{target fullpath folder for object 1}">
<sourceResource name="{fullpath of the object 1 to be moved}"/>
</targetFolder>
<targetFolder name="{target fullpath folder for object 2}">
<sourceResource name="{fullpath of the object 2 to be moved}"/>
</targetFolder>
<targetFolder name="{target fullpath folder for object 3}">
<sourceResource name="{fullpath of the object 3 to be moved}"/>
</targetFolder>
</moveResources>
</openpagesConfiguration>
<openpagesConfiguration xmlFormatVersion="1.31">
<renameResources>
<renameResource oldFullName="{fullpath of the object to be renamed}"
newShortName="{name new of the object}.txt"/>
</renameResources>
</openpagesConfiguration>
Procedure
1. Log onto the application server.
2. Open a text editor.
3. Copy the previous syntax example.
4. Update the example to reflect the target folder location(s) and source folder location(s).
For example:
<openpagesConfiguration xmlFormatVersion="1.31">
<renameResources>
<renameResource oldFullName="/_op_sox/Project/Default/
BusinessEntity/ENTITY01/ENTITY01.txt"
newShortName="ENTITY01A.txt"/>
</renameResources>
</openpagesConfiguration>
5. Save the file using the ObjectManager file name format, such as samplerename-op-config.xml.
D:\OpenPages\bin>ObjectManager l c OpenPagesAdministrator
OpenPagesAdministrator D:\temp samplerename
Total Exceptions: 0
9. Restart the OpenPages services. For more information, see Chapter 20, “Starting and stopping
servers,” on page 549.
If an administrator needs to rename multiple objects via ObjectManager, the following is the sample
syntax:
<openpagesConfiguration xmlFormatVersion="1.31">
<renameResources>
<renameResource oldFullName="{fullpath of the object 1 to be renamed}"
newShortName="{name new of the object 1}.txt"/>
<renameResource oldFullName="{fullpath of the object 2 to be renamed}"
newShortName="{name new of the object 2}.txt"/>
<renameResource oldFullName="{fullpath of the object 3 to be renamed}"
newShortName="{name new of the object 3}.txt"/>
</renameResources>
</openpagesConfiguration>
Using the following example, an administrator can revoke the user "johndoe" from the root level security
domain.
Procedure
1. Log on to the application server.
2. Open a text editor.
3. Copy the syntax example.
4. Update the example to reflect the correct role assignment type: whether to assign or revoke the role;
the security domain path; name of actor; and the role template name. For example:
5. Save the file using the ObjectManager file name format, such as groupmem-revoke-op-
config.xml.
6. Open a command prompt or shell. Alternatively, you can use Administration > Import Configuration
to import the XML file. For information, see “Performing the import for environment migration” on page
586.
7. Go to OP_Home \bin folder.
8. Run the command to load the ObjectManager file.
Total Exceptions: 0
Processing finished at Fri Jun 13 14:00:58 EDT 2014
Elapsed time: 5703 milliseconds
9. Restart the OpenPages services. For more information, see Chapter 20, “Starting and stopping
servers,” on page 549.
<openpagesConfiguration xmlFormatVersion="1.31">
<actors>
<actor
name="{username}"
type="User"
password="{password}"
firstName="{firstname}"
middleName=""
lastName="{lastname}"
canChangePassword="{true/false}"
isTemporaryPassword="{true/false}"
passwordExpiresInDays="0"
description=""
emailAddress="{email_address}"
locale="{locale}"
adminLevel="Default"
Procedure
1. Log on to the application server.
2. Open a text editor.
3. Copy the syntax example that is included earlier in this topic into the text editor.
4. Modify the example to reflect the actual users and groups details. For example, you can modify the
example in the following way:
<openpagesConfiguration xmlFormatVersion="1.31">
<actors>
<actor
name="johndoe"
type="User"
password="openpages123"
firstName="John"
middleName=""
lastName="Doe"
canChangePassword="true"
isTemporaryPassword="false"
passwordExpiresInDays="0"
description=""
emailAddress="[email protected]"
locale="U.S. English"
adminLevel="Default"
enabled="true"
hidden="false"
editable="true">
</actor>
</actors>
<actorGroupMemberships>
<actorGroupMembership name="johndoe" isEntityGroup="false">
<group name="All_Users" isEntityGroup="false"/>
<group name="OpenPages" isEntityGroup="false"/>
</actorGroupMembership>
</actorGroupMemberships>
</openpagesConfiguration>
5. Save the file using the ObjectManager file name format, such as loadusers-op-config.xml.
6. Open a command prompt or a shell and follow the instructions below. Alternatively, you can use
Administration > Import Configuration to import the XML file. For information, see “Performing the
import for environment migration” on page 586.
7. Go to OP_Home|bin directory where OP_Home represents the installation location of the OpenPages
GRC Platform application. On Microsoft Windows operating system, the default location is
C:\OpenPages. On AIX and Linux operating systems, the default location is /opt/OpenPages.
8. Run the command to load the ObjectManager file. The following is the sample output for the example:
===================
ObjectManager Admin Utility V7.0.0.2
===================
List of command line arguments:
Arg 1: <l>
Arg 2: <c>
Arg 3: <OpenPagesAdministrator>
Arg 4: <****>
Arg 5: <C:\temp>
Arg 6: <loadusers>
Total number of arguments: 6
OpenPages Server environment initialized.
Total Exceptions: 0
C:\OpenPages\bin>
9. Restart the OpenPages services. For more information, see Chapter 20, “Starting and stopping
servers,” on page 549.
configuration.manager.dump.associated.resources.include.content.type.
[number]
configuration.manager.dump.associated.resources.exclude.content.type.
[number]
configuration.manager.dump.associated.resources.exclude.content.type.
[number]
You can create multiple entries with this setting if you increment the [number] part of the name.
Enter one object type name per entry that you want to exclude in the export. As the export
process navigates the object tree structure in the system, when it encounters an object that is not
of a type listed in these entries, it will not export that object or any of its children. In this way you
can limit the scope of exported objects. A blank entry value will include all object types.
configuration.manager.dump.rule.sets
Exports all object reset rule sets.
configuration.manager.dump.rule.set.execute.sessions
Exports the history of object reset executions.
configuration.manager.dump.registry
Exports all settings in the system.
To filter the scope of the export, you can use the following settings:
configuration.manager.migrate.configuration.exclude.registry.entry.
[number]
Excludes entries listed in this setting from export.
configuration.manager.dump.registry.root.entry.
[number]
Sets the scope of settings to be exported.
You can create multiple entries with this property by incrementing the [number] part of the name.
configuration.manager.dump.recursive.hierarchy
Exports recursive object levels.
configuration.manager.dump.date.dimension.type
Exports date dimension types.
configuration.manager.dump.object.type.dimension
Exports object type dimensions.
configuration.manager.dump.date.dimension.type.associations
Exports date dimension type associations (what date dimension types are enabled for what fields).
configuration.manager.dump.locales
Exports supported locales (languages). No translations are included.
configuration.manager.dump.application.string.key.categories
Exports the application text folders.
configuration.manager.dump.application.string.keys
Exports application text keys – the list of entries on the Application Text page – without translations.
configuration.manager.dump.application.strings
Exports translations for application text.
configuration.manager.dump.recursive.hierarchy.strings
Exports translations for recursive object levels.
configuration.manager.dump.date.dimension.type.strings
Exports translations for date dimension types.
configuration.manager.dump.object.type.dimension.strings
Exports translations for object type dimensions.
configuration.manager.dump.<property>=true
C:/OpenPages/ObjectManagerExportFilters.xml
The XML tags used for specifying the predefined filters are the same as the current ObjectManager
configuration loader XML tags. Most filters are defined on the ‘name’ attribute of an object. Some filters
have either additional or different filter attributes.
For a list of predefined filters, see Table 191 on page 608.
Example
The following sample filter code shows how you can use the ObjectManager tool to export only the Object
Profile with the name "Default". No other type of objects or any other profile will be exported.
<objectProfiles>
<!-- List of names of profiles to export -->
<objectProfile name="Default"/>
</objectProfiles>
After defining the filters in the filters configuration file, you can use the ObjectManager dump command to
export the objects.
<openpagesConfigurationFilters xmlFormatVersion="1.0">
<objectProfiles>
<!-- List of names of profiles to export -->
<objectProfile name="Default"/>
</objectProfiles>
<objectProfileViewsSet>
<!-- Specifiy the name of the profile -->
<objectProfileViews name="Default">
<!-- Specifiy the name of the object type in the profile -->
<objectProfileViewsForObjectType name="SOXProcess">
<!-- Specifiy the views and their names -->
<objectProfileView type="Detail"/>
<objectProfileView type="Activity" name="Process AV"/>
</objectProfileViewsForObjectType>
</objectProfileViews>
</objectProfileViewsSet>
</openpagesConfigurationFilters>
Procedure
1. Open the ObjectManager.properties file in a text editor of your choice (see “Modifying the
ObjectManager properties file” on page 601).
2. Set the value of the
configuration.manager.load.resource.ignore.undefined.property.value property. If
you set the value to:
• true - then ObjectManager creates the object without validation errors. This value is the default.
• false - then ObjectManager reports validation errors, does not create the object, and moves to the
next object in the loader file.
3. Run the ObjectManager tool (see “Running ObjectManager commands” on page 590).
Procedure
1. Create an XML data loader file (see “Creating a data loader file” on page 590).
2. To load exchange rate data:
• If the exchange rate data is specified in a loader file - use the element tags in the following example
and substitute the values of the attributes that are listed in the table:
The following example loads currency exchange rates for the Canadian dollar (CAD) and Mexican
peso (MXN).
• If the exchange rate data is contained in a CSV file for upload, use the element tag in the following
example to upload a .csv file. Substitute the value of the attribute that is listed in the table:
For example:
3. Use the ObjectManager load command to import the data. See the “Load command example” on page
592.
Procedure
1. In the ObjectManager.properties file:
a) Set the values of the following properties as shown:
configuration.manager.migrate.configuration.objects=false
configuration.manager.dump.currency.exchange.rates=true
Procedure
1. Create an XML data loader file (see “Creating a data loader file” on page 590).
2. To enable or disable one or more currencies, use the element tags in the following example and
substitute the values of the attributes that are listed in the table:
The following example enables Euros and disables United Kingdom pounds.
<currencies>
<currency isoCode="EUR"
enabled="true"/>
<currency isoCode="BBP"
enabled="false"/>
</currencies>
3. Create an XML data loader file (see “Creating a data loader file” on page 590).
Procedure
1. Create an XML data loader file (see “Creating a data loader file” on page 590).
2. To import currency field definitions, use the element tags in the following example and substitute the
values of the attributes listed in the table:
propertyType multiValued If you set the element to one of the following values::
• true - multiple values can be selected from the list
• false - only one value can be selected from the list
The following example loads the definition for the currency field "testCurrency" that belongs to a group
of the same name.
<bundleTypes>
<bundleType name="testCurrency"
description="Sarbanes-Oxley Self-Assessment system bundle"
type="Content Type">
<propertyType name="testCurrency"
description="Annualized Value may be used to capture the account
balance from operational systems."
dataType="Currency"
minValue=""
maxValue=""
defaultValue=""
required="false"
currencyCode=""
multiValued="false">
</propertyType>
</bundleType>
</bundleTypes>
3. Use the ObjectManager load command to import the data. See the “Load command example” on page
592.
Procedure
1. In the ObjectManager.properties file, set the values of the following properties as shown:
configuration.manager.migrate.configuration.objects=false
configuration.manager.dump.bundle.types=true
Tip: When you use ObjectManager to export all object instances and their relationships, and you have
a large dataset, Object Manager will report an exception in ObjectManager.log. To avoid the exception,
limit the size of the data that is exported by specifying a folder path or selecting the specific objects in
the hierarchy. To specify a folder path, add the following property:
configuration.manager.dump.resources.root.folder=folder_path. To specify multiple objects whose
hierarchies are to be exported, add the following property, where number is a positive integer:
configuration.manager.dump.associated.resources.root.node.n=number
Procedure
1. Create an XML data loader file (see “Creating a data loader file” on page 590).
2. To import computed field definitions, use the element tags in the following example and substitute the
values of the attributes listed in the table:
<computationHandler name="CognosComputationHandler">
<computationHandlerAttribute name="Equation"
value="count(distinct
[DEFAULT].[SOXTEST].[TE_TEST_ID])"/>
<computationHandlerAttribute name="Namespace"
value="DEFAULT"/>
<computationHandlerAttribute name="Object ID Column"
value="Just some text"/>
<computationHandlerAttribute name="Reporting Period ID
Column"
value="Value for testing"/>
</computationHandler>
3. Use the ObjectManager load command to import the data. See the “Load command example” on page
592.
Procedure
1. In the ObjectManager.properties file, set the value of the following property as shown:
configuration.manager.migrate.configuration.objects=true
Tip: When you use ObjectManager to export all object instances and their relationships, and you have
a large dataset, Object Manager will report an exception in ObjectManager.log. To avoid the exception,
Multi-deployment environments
If you have a multi-deployment environment where changes to the IBM OpenPages GRC Platform
application are tested and validated prior to implementation, you can use ObjectManager, a command
line interface (CLI) tool, to migrate configuration changes from one deployment environment to another.
Multi-deployment environments may vary from company to company. For example, a multi-deployment
environment for "Company 1" may contain the following deployments:
• Development Deployment - configuration changes are made to the user interface and tested to validate
that the changes are applied correctly. The OpenPages GRC Platform repository used in this deployment
may contain fewer objects (partial instance data) than the "Production" deployment.
• Test Deployment - configuration changes from the "Development" configuration are imported (to avoid
error) and validated through the ObjectManager tool and tested. The OpenPages GRC Platform
repository used in this deployment generally mirrors the instance data in the "Production" deployment.
• Production Deployment - The tested configuration changes from the "Test" configuration are imported
(to avoid error) and validated through the ObjectManager tool, and then made available to end users
("Live Production").
"Company 2" may, for example, combine "Development" and "Test" into a single "Test" deployment
before migrating configuration changes to a "Production" environment.
Production 4. Import the configuration changes (from See “Importing configuration changes” on
task 3) into the current deployment. page 621 for step-by-step instructions
on how to update configuration changes.
Production 5. To verify or validate that all the updates See “Validating or verifying configuration
were applied, compare the configuration changes” on page 619 for step-by-step
changes from the previous deployment (in instructions on how to verify or validate
task 2) against the newly updated configuration changes.
deployment.
Procedure
1. In a text editor of your choice, open the ObjectManager.properties file (see “Modifying the
ObjectManager properties file” on page 601).
2. Navigate to the following setting in the file:
configuration.manager.migrate.configuration.objects=false
configuration.manager.migrate.configuration.exclude.registry.entry.<n>=<setting>
Where:
<n> is a sequential number.
<setting> is the full path and name of the setting you want to exclude.
By default, OpenPages GRC Platform excludes the following configuration settings from the export
process. These settings are listed by number in the order in which they appear in the
ObjectManager.properties file along with their full path and name.
1=/OpenPages/Applications/Common/Email/Mail Server
2=/OpenPages/Applications/Common/Email/SMTP User Name
3=/OpenPages/Applications/Common/Email/SMTP Password
4=/OpenPages/Applications/Common/Email/SOCKS Proxy Private IP Address
5=/OpenPages/Platform/Application Server Guest Password
6=/OpenPages/Platform/Publishing/Mail/From Address
7=/OpenPages/Platform/Publishing/Mail/Host
8=/OpenPages/Platform/Publishing/Mail/Username
9=/OpenPages/Platform/Reporting Schema/Object URL Generator/Host
10=/OpenPages/Platform/Reporting Schema/Object URL Generator/Port
11=/OpenPages/Platform/Global Caches/JMS/Listener Urls
12=/OpenPages/Platform/Reporting Schema/Object URL Generator/Detail Page
13=/OpenPages/Platform/Reporting Schema/Object URL Generator/Protocol
14=/OpenPages/Applications/GRCM/Environment Migration/Export File Name Prefix
15=/OpenPages/Platform/Search/Index/Search Server URL
16=/OpenPages/Platform/Search/Request/Search Server URL
17=/OpenPages/Platform/Search/Admin/Search Server Administration URL
18=/OpenPages/Platform/Search/Solr User ID
19=/OpenPages/Platform/Search/Solr Password
20=/OpenPages/Platform/Workflow Implementations/IBM BPM/Server URL
You can add additional settings to the list for exclusion or remove an existing setting from the list to
include it in the export.
Note: To preserve the SMTP configuration in the target environment, you must add the following settings
to the list of exclusions:
23=/OpenPages/Applications/Common/Email/SMTP Port
24=/OpenPages/Applications/Common/Email/SMTP Security Type
If you import the settings, you can overwrite existing values in the target environment. These settings are
not, by default, in the list of exclusions.
configuration.manager.migrate.configuration.exclude.registry.entry.
1=/OpenPages/Applications/Common/Email/Mail Server
3. To exclude additional settings from export, copy the line of code in Step 2 and do the following:
a) Paste the code at the end of the list (for example, after 21).
b) Increment the number (for example, 22).
c) Specify a full setting path and name.
For example (do not wrap - use a single line):
configuration.manager.migrate.configuration.exclude.registry.entry.
22=/OpenPages/Platform/Reporting Schema/
Object URL Generator/Populate Past Periods
4. To export a configuration setting that is on the excluded list, remove the line of code for that setting
from the list.
5. When finished, save your changes to the properties file.
6. Use the ObjectManager dump command to export the data. See “Dump command example” on page
592. Not all items in the exclude list will be in the XML dump file.
Note: Make changes to the exclusion list by editing the ObjectManager.properties file in
ObjectManager. Changes to ObjectManager.properties are ignored if you use Environment Migration.
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Expand the Applications > GRCM folder hierarchy.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
3. Click the Disable Triggers setting to open its detail page.
4. In the Value field, type true.
5. Click Save.
Procedure
1. Verify that the OpenPages GRC Platform application is running.
2. Open a command or shell window and change to the <OP_Home>|bin directory of your OpenPages
GRC Platform installation.
3. From the command or shell window, run an ObjectManager command on a single line.
a) On a computer running a Microsoft Windows operating system:
Where:
• <admin-user> is the user name of the Super Administrator account (for example,
OpenPagesAdministrator).
• <password> is the password of the Super Administrator account.
• <config-folder-path> is the file path to the folder where the exported file will reside. If the
folder does not already exist, the ObjectManager will create it.
• <prefix> is the prefix for the file name that will be used by the ObjectManager.
For example, on a Windows operating system:
4. To compare the exported configuration data against the configuration data in the OpenPages GRC
Platform repository of the next deployment environment, see “Validating or verifying configuration
changes” on page 619.
Note: If you are using OpenPages GRC Platform version 7.1, you must verify configuration data. If you
are using OpenPages GRC Platform version 7.1.0.1 or a later version, you must validate configuration
data.
Procedure
1. Copy the exported configuration file from the previous deployment environment (for example,
"Development") to a folder in the current deployment environment (for example, "Production").
2. From the <OP_Home>\bin directory of your OpenPages GRC Platform installation, open a command or
shell window.
3. From the command or shell window, run an ObjectManager command on a single line (optionally re-
direct the output to a file):
a) On a computer running a Microsoft Windows operating system:
If you are using OpenPages GRC Platform version 7.1:
If you are using OpenPages GRC Platform version 7.1.0.1 or a later version:
If you are using OpenPages GRC Platform version 7.1.0.1 or a later version:
Where:
• <admin-user> is the user name of the Super Administrator account (for example,
OpenPagesAdministrator).
• <password> is the password of the Super Administrator account.
• <config-folder-path> is the file path to the folder where the exported file will reside. If the
folder does not already exist, the ObjectManager will create it.
• <prefix> is the prefix for the file name that will be used by the ObjectManager.
On a Windows operating system and using OpenPages GRC Platform version 7.1.0.1 or a later version,
the command in the following example compares configuration data in the export file myconfig-op-
config.xml located in the c:\temp folder to configuration data in the current deployment, and
redirects the display output (from a Windows server) to a text file called config_log.txt also
located in the c:\temp folder:
4. Review the output for any errors (see the sample output following these steps for more information).
5. To import the configuration changes and update the repository of the current deployment environment
with these changes, see the topic “Importing configuration changes” on page 621.
6. To verify or validate that the updated repository of the current deployment matches the configuration
changes from the export file, repeat Steps 2-4.
Procedure
1. Verify that the OpenPages GRC Platform application is running.
2. Open a command or shell window and change to the <OP_Home>|bin directory of your OpenPages
GRC Platform installation.
3. From the command or shell window, run an ObjectManager command on a single line:
a) On a computer running a Microsoft Windows operating system:
Where:
• <admin-user> is the user name of the Super Administrator account (for example,
OpenPagesAdministrator).
• <password> is the password of the Super Administrator account.
• <config-folder-path> is the file path to the folder where the exported file will reside. If the
folder does not already exist, the ObjectManager will create it.
• <prefix> is the prefix for the file name that will be used by the ObjectManager.
4. To see the configuration changes in the application, stop and then restart the OpenPages GRC Platform
application service (OpenPagesAdminServer).
5. To validate that the newly updated OpenPages GRC Platform repository matches the configuration
changes from the export file, see the topic “Validating or verifying configuration changes” on page 619.
6. To export the configuration data to a file, see the topic “Exporting configuration changes” on page 619.
Sample scenario
You have 150 Process and 175 Risk objects (records) that require either creation or updating. Rather than
manually creating or updating individual Process and Risk objects through the OpenPages GRC Platform
application interface, you use a FastMap data load template to capture the data for batch processing.
After the data is captured, log on to the OpenPages GRC Platform application and import the template
(in .xls or .xlsx format) through FastMap for validation. During the validation phase, you receive a few
validation errors. You fix the errors in the template and resubmit it. This time, no validation errors are
reported and the data is automatically processed. After processing is complete, the objects become
available for reports and updating by users.
Attention: When you import an object using FastMap, the imported object settings are determined
by the Detail view settings within the profile.
For example, you are using the Default profile and you want to import SOXControl objects. If the
Detail view for SOXControl has the Description field set to Read-only, you cannot update the
Description field after importing the object via FastMap. In addition, administrators should be
aware that field dependency rules are not evaluated for FastMap loads. This allows FastMap users
to stage data, requiring users to enter required data during subsequent updates.
This video demonstrates how to use FastMap to bulk load data:
https://youtu.be/DTwGUDBeBOY
FastMap overview
FastMap Task Flow provides an overview of the tasks using FastMap to import data into IBM OpenPages
GRC Platform.
Note: FastMap import is not supported for File and Signature objects or for the system Comment field.
The FastMap tool uses a JSP report format to:
• Import and validate data (FastMap Import)
• Display the status of the imported job, a background batch process (FastMap Import Status)
Figure 25: FastMap task flow
FastMap templates
A FastMap template is a Microsoft Excel workbook with data load worksheets that you create.
A workbook for FastMap import has the following characteristics:
• Contains one or more data load worksheets (must be in .xls or xlsx format).
• Has only one data load worksheet per object type.
• By default, is in the user’s locale.
• Optionally, includes a Definition worksheet in a workbook to configure FastMap import and, or export
behavior.
A data load worksheet within a workbook has the following characteristics:
• Is specific to an object type.
• Has a variety of columns where you specify parent and folder paths and change data for listed objects.
• Each column must have a heading name.
• Optionally, includes one or more special column headings.
• Must contain localized column names and data.
Example
You want only users who are assigned the "Upload Data" profile to import changed or new data for the
following five object types: Business Entities, Processes, Risks, Controls, and External Losses. You could
either create a workbook with multiple worksheets - one for each object type for a total of five data load
worksheets, or multiple workbooks - one for each object type.
Note:
FastMap localization
By default, FastMap uses the locale of the logged-on user to validate data in templates.
As a result, all data in FastMap templates, such as column headings, text, enumerated drop-down or
multivalued selection field values, should be localized in the locale of the end user. For example, an end
user with the Italian locale (it_IT) setting should only import FastMap templates with localized Italian
values.
You can override the locale of the end user by explicitly specifying a locale in the Definition worksheet of a
template. For example, if you specify the locale parameter as en_US and localize the template in
English, the Italian user could upload the template for validation in English, not Italian. For more
information, see “Using the FastMap Definition worksheet” on page 641.
When you export object type data from the IBM OpenPages GRC Platform application, the locale is
automatically set on the Definition worksheet.
Validation messages that are displayed by FastMap during processing can be localized through application
strings.
Procedure
1. Log on to the OpenPages GRC Platform application.
2. Do one of the following to access FastMap:
Procedure
1. Select the FastMap Import report to open it (for details, see “Accessing FastMap to import data and
view status” on page 625).
2. In the file selection box, type the name of the data import file, or click Browse to navigate to the file.
3. When finished, click Import.
4. If validation errors are detected, fix the errors in the workbook template.
For more information, see “Resolving FastMap validation errors” on page 626.
5. Resubmit the modified file for validation against the application:
a) In the Import changes and revalidate box, browse to or type the name of the modified file.
b) Click Validate Changes.
6. If validation errors are still detected, repeat Steps 4 and 5 until all the errors are resolved and no
validation errors are displayed.
7. When finished and no errors are detected, click Import Data.
8. When the FastMap Import Status report window is displayed, use the Refresh icon to view the
current status of the import (see “Understanding import status messages” on page 633 for more
details).
Description The type of error, and the name of the See “Troubleshooting FastMap
missing or invalid object field or invalid validation messages” on page 627.
value.
Sheet The name of the object type worksheet. For example, Processes or Risks.
Row The row within the Excel worksheet The index number corresponding to a
containing the error. row, for example, 2.
Column Index The column index within the Excel The index letter corresponding to a
worksheet containing the error. column, for example, N.
Column Header The name of the column within the Excel The localized label of a field name, for
worksheet containing the error. example, Domain.
For example, if the following validation message was displayed in the table on the FastMap Import
window:
You would open the data load template, and enter the missing value (such as Financial Management) in
row 2 under the Domain column (N) on the Processes worksheet.
Procedure
1. Open the FastMap template in Excel.
a) If necessary, unhide the Definition worksheet (see “Unhiding a FastMap Definition worksheet” on
page 642).
b) Remove the exportDate parameter.
c) Save the change.
2. Resubmit the template for import.
Invalid decimal A non-numeric value was entered for Make sure that decimal fields have a
format. a decimal field. numeric value.
Invalid decimal The numeric value entered is outside Make sure the specified value is
range. the minimum or maximum range within the numeric range defined for
defined for that field. that field.
Invalid Exchange Exchange rate is 0 or negative. Make sure the exchange rate value is
Rate. greater than 0 (zero).
Invalid Reader The value of the reader parameter is Ensure the reader parameter is
provided. not valid. spelled correctly and is valid. [Hidden
- for future use]
Invalid URL. An invalid URL was entered for a URL Ensure the URL is correct and fully
field. qualified.
Invalid user. An invalid value was entered for a Ensure the name of the user is spelled
User field. correctly and is valid.
Invalid user/ An invalid value was entered for a Ensure the name of the user or group
group. User/Group selector. is spelled correctly and is valid.
Invalid Writer The value of the writer parameter is Ensure the writer parameter is spelled
provided. not valid. correctly and is valid. [Hidden - for
future use]
Locale is invalid. The locale value specified is not Ensure the value of the locale is
recognized. spelled correctly and is valid.
Missing currency The local code column is missing and Make sure the local Currency code
code column. a local amount is specified. column is present in your worksheet
and has a value for this record.
Missing local The local amount column is missing Make sure the local Amount column is
amount column. and a local code is specified. present in your worksheet and has a
value for this record.
Name contains Name contains backslashes or Remove any backward slash (\) or
illegal forward slashes. forward slash (/) marks from the name
characters. of the object.
Name exceeds Name is longer than 252 characters or Make sure the name of the object is
maximum characters bytes for multicode locales. shorter than 252 characters or bytes.
(in bytes).
Object cannot be A parent-child relationship does not Either enable an association between
associated to a exist between the object types being the object types you want to associate
parent of this associated. or modify the worksheet to reflect
type. object types that have a child-parent
association already configured.
Parent not A parent is not specified for a new Ensure that all three parent fields are
specified. object and the allowOrphans setting present and populated correctly.
is not set to true.
Objects being updated do not need to
have a parent specified.
Parent Resource The object type of the resource Ensure the object type value is
content type not specified by the parentResource spelled correctly. If so, make sure the
recognized. Check parameter is not recognized. object type is present in your profile's
that it is Detail View.
viewable in your
profile.
Parent Resource A parent is specified in your Make sure that the Parent Path is
not found. spreadsheet, but FastMap cannot find pointing to the proper folder location
it in the IBM OpenPages GRC Platform and that the Parent Objects value
repository. is the proper name of the object.
Property value A text field contains more characters Modify the text field so it does not
exceeds maximum than is allowed in the OpenPages GRC exceed the character or byte limit.
characters. Platform application.
System error. Any unexpected error occurred. Contact your IBM representative.
Similar to a "Requested operation
could not be completed" system error
message.
Text field A text property value is formatted as a Change the format of the cells in Excel
formatted as number or a date in the spreadsheet. to Text.
number in
A Text field in OpenPages GRC
spreadsheet.
Platform is formatted in the
worksheet cell as Number or Date.
The field cannot be read in by
OpenPages GRC Platform in this state
and maintain all of the Excel
formatting.
The file exceeds The total number of rows in the Modify the worksheet so it does not
the maximum number workbook is greater than the value set exceed the row limit or change the
of rows allowed in the Maximum Workbook Rows value of the setting.
for import. setting (see “Limiting the rows for
import to optimize FastMap
performance” on page 653).
The value entered The value for a single select drop- Ensure the value is typed correctly
is not a valid down field is not a valid value. and is in the correct locale.
selection for this
The value must be in the proper locale
field.
of the user for it to be recognized.
The value(s) The value for a for multi-select drop- Ensure the value is typed correctly
entered are not down field is not a valid value. and is in the correct locale.
valid selections
The value must be in the proper locale
for this field.
of the user for it to be recognized.
Property is read A value was entered for a field that is Remove the columns from your
only. read-only in the Detail View of the worksheet.
profile used for import.
You can also specify the
Although FastMap will import data, ignoreReadOnlyWarnings
the read-only field will be ignored. parameter so that these messages do
not occur. However, these fields will
not be updated when importing.
Record conflicts A record's last modified date is more See “Troubleshooting FastMap
with more recent recent than the value from the conflict with recent updates warning
updates and will exportDate parameter. message” on page 627 for details.
be ignored.
The FastMap Import Status report window does not automatically update the progress of the import and
requires a manual refresh.
To understand the various status messages that may be displayed, see “Understanding import status
messages” on page 633.
Important: Regularly check the status of your FastMap jobs to know if an import has successfully
completed. Templates that have large amounts of data for import have long running processes. If
Procedure
1. If the FastMap Import Status report window is not already opened, open the window. See “Accessing
FastMap to import data and view status” on page 625.
2. To view the current status of an import, click Refresh on the report.
Percent Complete A progress meter showing the A numeric value, for example: 20%
percentage completed
Create Date The date and time the import job was A timestamp, for example:
created.
Sep 24, 2009 4:23:38 PM EDT
Date The start date and time of each A timestamp, for example:
processing task.
Sep 24, 2009 4:23:42 PM EDT
For information about using the FastMap Import Status report window, see “Viewing FastMap import
status” on page 632.
/ \ ? * : [ ]
For example, if the localized plural label of Risk object types is /Risks10*, the tab on the exported
worksheet would be Risks10.
• In the default (out-of-the-box) IBM OpenPages GRC Platform export template the special Delete
column and the three Parent columns are hidden on the object type worksheet.
See Table 203 on page 635 for details.
• The Definition worksheet is included in the workbook and populated, by default, with the
profileName, locale, exportDate, and ignoreReadOnlyWarnings parameters.
See “Using the FastMap Definition worksheet” on page 641 for details.
Procedure
1. Create a Microsoft Excel workbook by either exporting data from a Filtered List View page or creating a
template manually.
To export data from a Filtered List View, select the object type you want and click the Export icon (to
export in .xls or .xlsx format). The fields that are exported correspond to the fields that are on an
object’s Detail View page.
2. Add or modify the object data on the worksheet as needed. Unhide columns if necessary.
3. Optional: Add or modify parameters on the Definition worksheet as needed.
4. Save the file.
5. Import the workbook using the FastMap tool (see “Accessing FastMap to import data and view status”
on page 625).
Note:
• Adding a special column heading to a worksheet is optional.
• The special column headings and values must be localized.
• The values associated with special column headings are not case sensitive.
• Special column headings can be placed anywhere in a worksheet. As a best practice, we recommend
placing these columns at the beginning of a worksheet.
Table 204 on page 636 shows the values for the Delete column.
Table 205 on page 637 shows the values for the Remove Association column.
Auto-naming
FastMap can override auto-naming. If auto-naming is enabled for an object and the Name column is
excluded or left blank, the system assigns a name. If auto-naming is enabled for an object and a value
exists in the Name column, that value is imported as the name.
Note: If the following currency-related fields are included on a worksheet, these fields will be ignored
during import:
Base Amount (this is a derived value)
Base Code (this value is set globally)
Figure 29: Sample Worksheet for Process Objects (Process Security Model)
Figure 30 on page 641 shows how to specify folder and parent paths for child Risk objects in a Process-
based security model. Similarly, in this example, the Process folder is named PR-200
Notice that both the Folder Path and Parent Path columns contain the name of the Process folder,
PR-200.
Sample Business Entity worksheet for creating a new business entity structure
The sample business structure in Sample Business Entity Structure shows three levels of business
entities.
To create new Business Entity objects that map to the structure in Figure 31 on page 641, you would
create a Business Entities object worksheet in Microsoft Excel similar to the one shown in Figure 32 on
page 641.
The sample Business Entities worksheet in Figure 32 on page 641 creates new entities and shows the
following:
• Column A is an optional field that can be used to delete existing objects. Since all the objects in this
worksheet are new, none are marked for deletion (by default, the value is N for no - do not delete).
• Columns B through E define the path of the new object. Notice that Row 2 contains the top-level
Business Entity (North America), so the Parent Path and Parent Objects columns are blank.
• Columns F through Z represent object-specific fields.
Parameters that are listed in a Definition worksheet will override settings from other sources, such as JSP
report parameters.
For more information, see “FastMap parameters for importing and exporting data” on page 644.
If you do not see the Definition worksheet in a FastMap template workbook, and you want to change or
add parameters to it, then you must unhide the worksheet.
By default, the Definition worksheet is not hidden.
Procedure
1. In Microsoft Excel, select the workbook with the hidden Definition worksheet.
2. From the toolbar select Format | Sheet | Unhide.
3. In the Unhide box, select Definition and click OK.
4. Save the file.
FastMap parameters
You can use FastMap parameters to customize how data is imported (uploaded) to and exported from the
IBM OpenPages GRC Platform application.
To set FastMap parameters, you can do the following:
• List parameter names on the Definition worksheet of a FastMap template
• Pass parameters during an import through the FastMap JSP report page template
Procedure
1. From the menu bar, click Administration > Manage System Files > Files.
2. Click the View drop-down arrow, and select Folder View from the list.
3. Navigate through the folder structure to the DefaultTemplate.xls as follows:
Templates >> FastMap >> FLV
4. Modify the DefaultTemplate.xls as wanted. Available parameters are listed in Table 209 on page
644.
The IBM OpenPages GRC Platform application supports multiple export templates.
You can specify export templates based on one or more of the following criteria:
• ContentType
• Locale
• Profile
Use the following rules when specifying criteria for an export template:
1. Criteria is specified in the name of the export template.
2. Each criterion is separated in the template name by a hyphen.
3. The criterion must be specified in order: ContentType-Locale-Profile
The system selects templates based on the following precedence: ContentType -> Locale -> Profile.
For example, SOXRisk.xls will be selected before DefaultTemplate-en_US-FCM Module.xls, and
SOXRisk-All-FCM Module.xls will be selected before SOXRisk.xls
Note: If no match is found, the DefaultTemplate.xls export template is used.
The syntax for the export template name is:
<ContentType>-<Locale>-<Profile>.xls
Where:
<ContentType> is the system name of an object type (such as, SOXRisk), not the localized name. To
specify all object types, use DefaultTemplate for the <ContentType>.
<Locale> is the language and locale code (for example, en_US). To specify all locales, use All for the
<Locale>.
<Profile> is the name of a profile in the OpenPages GRC Platform application.
For purposes of illustration, the examples listed in Table 208 on page 644 for specifying criteria in export
templates use the Risk object type (SOXRisk) in the U.S. English locale (en_US) for users assigned the
FCM Module profile.
Note: Subsets must honor ordering. For example, the following template names would be invalid:
FCM Module.xls - this is an invalid template name as the profile name must be the third criterion in the
list (not the first).
en_US-FCM Module.xls - this is an invalid template name as the locale must be the second (not the
first) and profile name must be the third (not the second) criterion in the list.
ignoreEmptyFields TRUE Determines whether empty fields are blanked out during
updates.
If the value is set to:
• TRUE - empty fields are ignored and not modified during
an update. To explicitly clear a field, set its value to
*blank*.
• FALSE - empty fields will be blanked out during an
update.
ignoreReadOnlyWarnings FALSE If data is being uploaded into fields that are defined as
read-only, OpenPages GRC Platform will display a warning
message indicating that these values will be ignored.
Use this setting to hide or display warning messages for
read-only fields. Regardless of the whether warning
messages are displayed, the data will not be uploaded.
If the value is set to:
• TRUE - warning messages are hidden.
Note: This value is set to TRUE in the default template
when you export data from OpenPages GRC Platform.
• FALSE - warning messages are displayed.
parentResource null When set to the full path of an object, this parameter is
used for all parent associations. All other parent
information in the worksheet will be ignored.
reader FastMa Use to specify a custom Java class for handling the
p validation of objects in FastMap. [Hidden - for future use]
Reader
shouldDefaultNotRequiredFields TRUE Determines whether default values will be used for all non-
required fields that are missing values in a worksheet.
If the value is set to:
• TRUE - default values will be used for non-required fields
that are missing values in a worksheet.
• FALSE - no default values will be used for non-required
fields that are missing values in a worksheet.
useFirstInstance TRUE Determines whether to use and validate only the first
instance of an object when multiple instances of the same
object are in a worksheet.
If the value is set to:
• TRUE - only the first instance of the object will be used to
update the object.
• FALSE - only the last occurrence of the object will be
used to update the object.
headerRow 1 The row in the worksheet that stores the column headers.
locale null If a locale value is:
• Not specified - the locale of the user will be used during
validation.
• Specified - the locale value that is set (such as, en_US,
ja_JP, de_DE) will override the user’s locale during
validation.
profileName null The name of the profile to validate against. If null, the
profile of the currently logged-on user is used.
useSystemNames FALSE By setting this parameter to TRUE FastMap will use the
system names of the fields, not the localized labels, for
column headers. System names are in the format [FIELD
GROUP].[FIELD NAME]. For example, OPSSEnt.Domain.
When exporting, the labels will also be included on another
row as a convenience.
The useSystemNames parameter has no effect on
enumerated values or their localized labels.
This video demonstrates how to enable System Names as a header in all FastMap exports to prevent
conflicts and errors during imports:
https://youtu.be/M_CW-kXXmJY
exportBaseAmount TRUE When exporting currency field data from OpenPages GRC
Platform, this parameter determines whether to include a
column for the Base Amount.
If the value is set to:
• TRUE - the Base Amount field is included.
• FALSE - the Base Amount field is excluded.
exportBaseCode TRUE When exporting currency field data from OpenPages GRC
Platform, this parameter determines whether to include a
column for the Base Code.
If the value is set to:
• TRUE - the Base Code field is included.
• FALSE - the Base Code field is excluded.
exportExchangeRate TRUE When exporting currency field data from OpenPages GRC
Platform, this parameter determines whether to include a
column for the Exchange Rate.
If the value is set to TRUE, the Exchange Rate field is
included.
If the value is set to FALSE, the Exchange Rate field is
excluded.
includeHTMLTags FALSE Determines if HTML tags are exported for Rich Text Field
formatted data.
Rich Text Field data that is exported without HTML tags can
be more easily read in the spreadsheet. However, if this
field is updated and then imported into FastMap, the field
will be imported as plain text as it has lost its formatting.
If the value is set to:
• TRUE - HTML tags are exported with the data.
• FALSE - HTML tags are not exported with the data.
Within the IBM OpenPages GRC Platform application, the Name field for objects is a required field and
must be unique.
If you are importing data from an external system and want to use another field (other than the Name
field) to identify objects, you can use the settings described in Table 212 on page 652 to configure a
lookup key for FastMap and set the scope of the lookup. This is particularly useful when you want to
update data for existing records from an external system and synchronize it with records in OpenPages
GRC Platform.
Procedure
1. For each object type for which you want a lookup key, configure a field group and field definition (see
Chapter 9, “Fields and field groups,” on page 137).
2. Configure the key fields settings for FastMap as follows:
a) Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
b) Expand the Applications > GRCM > FastMap > Key Fields folder hierarchy.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings
folder hierarchy. To author an XML settings path, include the OpenPages folder after the Settings
folder in the path.
c) Navigate to the object type folder that you want and then expand the folder to see its settings.
d) For each object type for which you want to define a lookup key, modify the following settings as
needed:
field_group.field_name
Where:
field_group is the name of the field group.
field_name is the name of the object field.
Example
ExternalSys_A.R_ID
If you have multiple fields, use a comma to delimit the fields. For example:
field_group.field_name,field_group.field_name
Data is typically exported from a Filtered List View page for an object type, modified, and then imported
back into FastMap.
To optimize and control the export of data from a Filtered List View page, you can configure the following
settings:
• Maximum Export Size - for details, see “Maximum number of objects to export to Microsoft Excel on
the Filtered List View” on page 338.
• Concurrent Exports - for details, see “Maximum concurrent export requests in the Filtered List View” on
page 339.
You can use the Maximum Workbook Rows setting to limit the number of rows that can be imported from
a FastMap template.
By default, the value is set to 20000 rows (recommended maximum).
Note: Setting the number of rows for import above the recommended maximum of 20000 rows may
result in slower performance and longer processing time. However, if you choose to set this value higher,
then the processing timeout value in the Transaction timeout setting should also be increased (see
“Setting a transaction timeout to optimize FastMap performance” on page 654 for details).
If the number of rows being imported exceeds the set value, then a validation error will be displayed
stating that the workbook exceeds the allowable size.
For example, if the Maximum Workbook Rows setting has a value of 2500 and a user wants to import data
into IBM OpenPages GRC Platform for Risk and Control objects, the workbook for the FastMap template
contains:
• a worksheet for Risk objects with 1,000 rows of data
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Expand the Applications > GRCM > FastMap folder hierarchy.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
3. Click the Maximum Workbook Rows setting to open its detail page.
4. In the Value field, type a number greater than zero (for example, 2500).
5. Click Save.
If you set the value in the Maximum Workbook Rows setting above the recommended maximum of
20000 rows, you can use the Transaction timeout setting to increase the maximum time a process can
run before it times out and stops.
By default, the value is set to 7200 seconds (2 hours).
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Expand the Applications > GRCM > FastMap folder hierarchy.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
3. Click the Transaction timeout setting to open its detail page.
4. In the Value field, type a number greater than 7200 (the value represents seconds).
5. Click Save.
To reduce the processing impact of FastMap data imports on a system, you can use the Process Delay
setting to set a delay in milliseconds between each record. If a value is set, the time to process the
imported data will be extended.
By default, the value is set to 0 (zero).
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Expand the Applications > GRCM > FastMap folder hierarchy.
You can use the Encrypt FastMap Files setting to configure security on FastMap import templates that
are stored on the server.
By default, the value is set to true, which encrypts FastMap import templates stored on the server.
Note: Before you change the value of the Encrypt FastMap Files setting, run the My FastMap Import
Status report to verify that no FastMap import templates are pending processing (for details see
“Accessing FastMap to import data and view status” on page 625). If you change the value of this setting
while FastMap processes are pending, the import will fail even if it the templates have passed data
validation.
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Expand the Applications > GRCM > FastMap folder hierarchy.
Tip: In the user interface, the OpenPages folder is hidden in the Administration Settings folder
hierarchy. To author an XML settings path, include the OpenPages folder after the Settings folder in
the path.
3. Click the Encrypt FastMap Files setting to open its detail page.
4. In the Value field, type one of the following values.
If the value is set to:
• true - FastMap import templates are encrypted when stored on the server. This is the default.
• false - FastMap import templates are not encrypted when stored on the server.
5. Click Save.
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
• Errors about the parent object if autonaming is enabled for an object type. For example,
Parent not specified. (EL_11419)
Example
A question has three possible answers: Yes, No, and N/A, without descriptions and scores:
[{"value":"Yes"},{"value":"No"},{"value":"NA"}]
A question has two answers, Yes and No, where both answers have descriptions and scores:
A question has three answers, Yes, No, and N/A, where Yes requires a comment, No requires an
attachment, and N/A requires both:
[{"value":"Yes","score":20,"requires":["comment"]},{"value":"No",
"score":30,"requires":["attachment"]},{"value":"NA","score":40,
"requires":["comment","attachment"]}]
Framework models
Framework models are based on the OpenPages object model and define subsets of objects and
relationships necessary for your reporting requirements.
Framework models include the following components:
• Metadata
• Labels
• Facts and dimensions (standard models only)
• Custom query subjects
The reporting framework contains one pre-defined framework model named
OPENPAGES_FRAMEWORK_V6, which is used for the pre-defined reports that are supplied with
OpenPages. In addition to the OPENPAGES_FRAMEWORK_V6 framework model, you can create your own
framework models. The ability to use multiple framework models allows you to target a framework model
to specific solutions, user roles, or object profiles.
There are two types of framework models that you can create:
• Standard
• Basic
Both types support profile filtering and allow you to define the package name.
More information
To configure framework models, see the following topics:
• “Configuring settings that apply to all framework models” on page 665
• “Configuring framework models ” on page 669
• “Configure reporting framework namespaces” on page 671
Namespaces
A namespace uniquely identifies a collection of query subjects, their relationships, and other objects
(such as calculations) that you can use for authoring reports.
The framework generator uses the definition of a namespace (which is defined in the IBM OpenPages GRC
Platform user interface) to create a corresponding namespace in the framework model.
If you want reporting capability in the dimensional data model of the reporting framework, you can use
recursive object types to create sets of levels that will be reflected in the reporting framework for use by
report authors. For each recursive object type, you can define multiple object levels. For the Business
Entity object type, you can also create multiple sets of recursive object levels with each set having a
different number of levels.
For more information about the dimensional data model, see the IBM OpenPages GRC Report Author's
Guide on your documentation media.
A recursive object type can repeat itself indefinitely or until some set limit is reached. The following object
types are recursive within the IBM OpenPages GRC Platform application:
• Business Entity (SOXBusEntity)
• Sub-Process (SOXSubprocess)
• Sub-Account (SOXSubaccount)
• Sub-Mandate (Submandate)
Example
A report author works for Global Financial Services (GFS), a large multinational bank, with an
organizational structure that is comprised of many business functions and groups. The report author has a
requirement to create reports so business users at GFS can assess the risks associated with various
processes that go across the company's business units. GFS has its business organized around functions,
divisions, departments, and units.
To return data about the various business processes and their associated risks for each organizational
level of the business, you might create a new set of recursive object levels for the Business Entity object
type called "Risk Assessment" with the following levels as shown in Table 213 on page 662.
In addition to defining the business levels of the organizational structure for the Business Entity object
type, you need to determine which business entity should be the starting point for scoping the data. In
this example, we want the reporting data to start at the Global Function level. In the "Starting Entity" field,
you would type:
/Global Financial Services
When the reporting framework is updated, a new Risk Assessment folder with the corresponding level
folders and query items is created in the OpenPages_Reports_V6 package under the GRC Objects >
Business Entity folder for report authors to use when they create Cognos reports.
The path between the objects forming a triangle relationship must be reflected in a namespace within the
reporting framework. For example, a namespace might have the following object type hierarchy
configured for Business Entity, Process, Sub-Process, and Risk object types as follows:
SOXBusEntity|SOXProcess,SOXProcess|SOXSubprocess,SOXSubprocess|SOXRisk
To reflect the triangle relationship shown in Figure 33 on page 663, that namespace would have to be
modified to also include the path between Process and Risk objects as follows:
SOXBusEntity|SOXProcess,SOXProcess|SOXSubprocess,SOXProcess|SOXRisk,
SOXSubprocess|SOXRisk
Without the configured triangle, the report author would have to use advanced techniques that may not
perform as well to accomplish this task.
To configure triangle object relationships, see “Setting the triangle reporting framework object
relationships” on page 667.
Example
A report author works for Global Financial Services (GFS), a large multinational bank, with an
organizational structure that is comprised of many business functions and groups. The report author has a
requirement to create a report that shows aggregate test results and their associated controls for each
division of the company.
The typical parent-child path in an object hierarchy between Business Entity and Test Result objects types
is: Business Entity - Process - Risk - Control - Test - Test Result.
To skip object types in the hierarchy and create an association between Business Entity and Control
objects, you could define an object type dimension called Entity-Control.
Since you already created a set of recursive object levels for the Business Entity object type (as shown in
Table 213 on page 662), you could use the Division recursive object type level as a filter for the starting
object type followed by the Control object type.
You can localize the name of the object type dimension for display in the reporting framework. If no
translated text is provided, the value that is typed into the Name field for the object type dimension is
automatically used.
When the Reporting Framework V6 is generated, the Entity-Control object type dimension would be
available to report authors under the OBJECT_TYPE_DIMENSIONS folder in the DEFAULT dimensional
namespace.
Procedure
1. Review the OPENPAGES_FRAMEWORK_V6 framework model and namespaces. You may need to
update the namespaces delivered with the system or create new ones to meet your requirements.
2. Review the registry settings that apply to all framework models. For information, see “Configuring
settings that apply to all framework models” on page 665.
3. Configure your own framework models and namespaces. For information, see “Configuring framework
models ” on page 669.
To enhance report authoring capability, use the Supported Triangle Relationships setting to configure
object types with triangle relationships in the Reporting Framework V6 relational data model.
For more information, see “Triangle object relationships” on page 663.
Administration > Settings > Platform > Reporting Framework V6 > Configuration > Supported
Triangle Relationships
Default: none.
Values:
Important: The spelling and case of the object type name must exactly match its system name. For
example, you would type SOXBusEntity for the Business Entity object type. Using the wrong case for
letters or using the label text will result in an error message.
In the Value box, use the following syntax to configure the three objects in a triangle relationship:
Parent1|Parent2|Child
For example:
SOXProcess|SOXSubprocess|SOXRisk
Note: To enter multiple sets of triangle relationships, separate each triangle set with a comma as in:
SOXProcess|SOXSubprocess|SOXRisk,Mandate|Submandate|Requirement
Procedure
1. Log on to a machine with SQL*Plus and access to the database server.
2. Run the following script:
begin
OP_CONTEXT_MGR.ENTER_SINGLE_USER_MODE;
OP_RPS_TRIANGLE_MGR.ADD_TRIANGLE_SUPPORT;
commit;
OP_CONTEXT_MGR.EXIT_SINGLE_USER_MODE;
end;
/
What to do next
Regenerate the framework model. For details, see “Updating the reporting framework” on page 686.
Administration > Settings > Platform > Reporting Framework V6 > Configuration > Object Prefix
Default: none
Values: Add the new object type and prefix to the end of the current setting with a comma. The prefix
must be entered as two uppercase letters, and must be unique; no other content type in the list can
have the same prefix.
In the following example, the new object type (in bold) is called CustomSurvey and the prefix is ‘ZA’.
...PROJECTACTIONITEM=PA,SOXSIGNATURE=SI,CUSTOMSURVEY=ZA
After you set these values, update the reporting framework model. For more information, see
“Updating the reporting framework” on page 686
Note: The following information applies only to systems that have been upgraded from versions of
OpenPages 5.x or earlier and are using the Legacy Reporting Framework.
If you add a new custom form (such as a survey) and want reporting capability in both Reporting
Framework V6 and Legacy Reporting Framework systems, then you must also add the new prefix to
the Object Prefix setting in the Platform > Reporting > Framework > Generation folder hierarchy for
the Legacy Reporting Framework.
Administration > Settings > Platform > Reporting Framework V6 > Configuration > Legacy > Enable
Legacy Framework
Default: true.
Values:
Administration > Settings > Platform > Reporting Framework V6 > Configuration > Legacy > Object
Types Using New Framework For Computed Fields
Default: blank.
Values: In the Value box, type the name each object type containing computed fields.
Note: If there are multiple object types, separate each object type with a comma.
For example, SOXBusEntity,SOXProcess,SOXIssue
Procedure
1. Click Administration > Settings > Platform > Reporting Framework V6 > Models.
2. Select the Template_Model folder.
3. Click Copy To.
4. Select the Models folder so that the new framework model will be positioned in the Models folder.
5. Scroll down and enter the name of the new model in New Folder Name. Follow the naming guidelines
in “Naming framework models” on page 670.
6. Click OK. The new folder is created.
7. Open the new framework model folder and change the Package Label. Review the other registry
settings and change them to meet your requirements.
8. Build the namespaces for the new framework model.
a) Select the TEMPLATE_NAMESPACE namespace folder or a namespace in another framework
model and click Copy To.
b) Select the new framework model's Namespaces folder so that the new namespace will be
positioned in the Namespaces folder.
c) Scroll down and enter the name of the new namespace in New Folder Name. Follow the naming
guidelines described in “Naming namespaces” on page 672.
Administration > Settings > Platform > Reporting Framework V6 > Models > [model name] > Is
Enabled
Default: true
Values:
• true - the framework model is available for selection when you generate the reporting framework.
Each folder under Administration > Settings > Platform > Reporting Framework V6 > Models > [model
name] > Namespaces defines one reporting framework namespace. The name of the folder is the name
of the namespace.
The names of the system-supplied namespaces in the OPENPAGES_FRAMEWORK_V6 framework model
folder cannot be changed.
Administration > Settings > Platform > Reporting Framework V6 > Models > [model name] >
Namespaces > [namespace name]
Default: none.
Values: name for the new namespace. For example, MYCOMPANY_NAMESPACE.
The newly created namespace is represented by a folder icon under the Namespaces folder.
Naming namespaces
Names of namespaces can be translated in application text. The following list contains best practices to
keep in mind when naming namespaces.
• Keep namespace names short for readability (long names will wrap to another line).
• For consistency and compatibility with the reporting framework, use only the following characters when
naming namespaces:
– Uppercase letters
– Numbers
– Underscores (_)
Examples : MY_NAMESPACE and NAMESPACE101
• Do not use spaces.
For example:
SOXBusEntity|SOXProcess,SOXProcess|SOXRisk,SOXRisk|SOXControl
• Secondary compliance objects relationships must be added to the Object Model registry entry for the
namespace, for example, SOXBusEntity|SOXIssue.
• Multiple relationships can be defined for a secondary compliance object, for example, SOXBusEntity|
SOXIssue,SOXProcess|SOXIssue.
• Relationships between secondary compliance objects must be explicitly defined, for example,
SOXIssue|SOXTask.
When the reporting framework is generated:
• Secondary compliance objects are generated like other objects but will have a hyphenated name
including their parent object, for example, Business Entity - Issue.
• A query subject is created for each relationship defined, for example, Business Entity - Issue, Process -
Issue.
• Relationships between two secondary compliance objects are generated within the context of a primary
compliance object. For example, SOXBusEntity|SOXIssue,SOXIssue|SOXTask generates as Business
Entity - Issue and Business Entity - Issue - Action Item.
Enabling a namespace
The Is Enabled setting controls whether a namespace is generated when you generate the reporting
framework.
Administration > Settings > Platform > Reporting Framework V6 > Models > [model name] >
Namespaces > [namespace name] > Entity Recursive Object Levels
Default:
Values: Multiple recursive object level sets must be separated by a comma. For example:
ROL-1,ROL-2,ROL-3
For information on defining recursive object levels, see “Recursive object levels” on page 661.
Administration > Settings > Platform > Reporting Framework V6 > Models > [model name] >
Namespaces > [namespace name] > Is Facts and Dimensions Enabled
Default: true
Values:
• true - facts and dimensions are enabled for the namespace.
• false - facts and dimensions are not enabled for the namespace.
The following table provides an overview of the configuration tasks for setting up facts and dimensions
and a reference to the related information.
If an object type includes fields with a numeric data type (such as Currency, Integer, Decimal) then these
fields are automatically listed in the Facts table for selection.
For example, fact fields for a Risk object type might include such fields as "Inherent Frequency" (a
decimal data type field) and "Inherent Severity" (a currency data type field).
When regenerating the reporting framework to apply the changes made to fact fields, you can choose the
"Dimensions and Facts" option. It regenerates and updates that portion of the reporting framework that
changed.
Note: When you disable facts that were previously enabled, any reports that used these facts will no
longer run.
Procedure
1. Complete one of the following steps to access facts and dimensions for an object type:
• Click Administration > Reporting Framework > Configuration. From the Facts and Dimensions
pane, click the name of the object type to select.
• Click Administration > Object Type. Click the object type to select. From the Facts and Dimensions
pane, click Edit.
2. Under the Facts table, do one of the following:
• To enable a fact, select the each fact to include in the reporting framework.
• To disable a fact, disable each fact you want excluded from the reporting framework.
3. Click Save.
What to do next
Update the reporting framework to effect the changes (see “Updating the reporting framework” on page
686).
Procedure
1. Complete one of the following steps to access facts and dimensions for an object type:
• Click Administration > Reporting Framework > Configuration. From the Facts and Dimensions
pane, click the name of the object type to select.
• Click Administration > Object Type. Click the object type to select. From the Facts and Dimensions
pane, click Edit.
2. Under the Enumeration and Dependent Picklist Dimensions table, complete one of the following
tasks:
3. Click Save.
4. Update the reporting framework to effect the changes (see “Updating the reporting framework” on
page 686).
When you define a date dimension type, that dimension is available for selection on all date fields for any
object type.
For more information, see Table 217 on page 678.
Complete the following steps to add a data dimension type:
Procedure
1. Click Administration > Reporting Framework > Configuration.
2. On the Date Dimensions Type table, click Add.
3. In the Name field, type a name for this date dimension.
4. Optional: Localize the text of the Name field for display in the reporting framework as follows. If no
localized display text is specified, the value in the Name field is used by default.
a) Click the Translate link.
b) In the Translate window, next to each language you want, type the localized text into the box.
c) When finished, click Apply.
5. Select a value next to each dimension you want for this date type. Only one value can be selected for
each type of date dimension.
6. Click Save.
Map the date dimension to an object type date fields. See “Mapping date dimension types to date
fields” on page 678.
Procedure
1. Complete one of the following steps to access facts and dimensions for an object type:
• Click Administration > Reporting Framework > Configuration. From the Facts and Dimensions
pane, click the name of the object type to select.
• Click Administration > Object Type. Click the object type to select. From the Facts and
Dimensions pane, click Edit.
2. On the Date Dimensions pane, select date dimension types, for each date field in a row.
3. Click Save.
What to do next
Update the reporting framework to effect the changes (see “Updating the reporting framework” on page
686).
Procedure
1. Click Administration > Reporting Framework > Configuration.
2. In the Date Dimension Types pane, navigate to the row containing the date dimension type you want
to disable or re-enable.
3. Under the Actions column in the same row for that date dimension type, click Disable, Enable or
Delete. Or, make modifications and click Save.
What to do next
Update the reporting framework to effect the changes (see “Updating the reporting framework” on page
686).
Procedure
1. Access the Object Types page. Log on to the IBM OpenPages GRC Platform as a user with the Object
Types application permission set.
a) With the Object Types application permission set, select the Administration menu and click
Object Types.
2. From the list of object types, click the SOXBusEntity (Business Entity) link to open its detail page.
3. Navigate to the Recursive Object Levels table and click Edit.
4. In the definition pane, do the following:
Procedure
1. Access the Object Types page. Log on to the IBM OpenPages GRC Platform as a user with the Object
Types application permission set.
a) With the Object Types application permission set, select the Administration menu and click Object
Types.
2. From the list of object types, click the SOXBusEntity (Business Entity) link to open its detail page.
3. Navigate to the Recursive Object Levels table and click Edit.
4. Navigate to the pane with the set you want to delete, and click the Delete link.
5. Click Save.
6. Update the reporting framework to effect the changes (see “Updating the reporting framework” on
page 686).
What to do next
Update the reporting framework to effect the changes (see “Updating the reporting framework” on page
686).
Procedure
1. Click Administration > Reporting Framework > Configuration.
2. On the Object Type Dimensions table, click Add.
3. In the Name box, type a name for this object type dimension.
4. Optional: Localize the text of the Name field for display in the reporting framework as follows.
Note: If no localized display text is specified, the value in the Name field is used by default.
a) Click the Translate link.
b) In the Translate window, next to each language you want, type the localized text into the box.
c) When finished, click Apply.
5. In the Description box, optionally type some descriptive text.
6. Click the Starting Object Type arrow and select an object type or a recursive object level (if defined for
Business Entity object types) from the list, then click Go.
7. To add another object type to this dimension, do the following:
a) In the Selected Object Types table, under the Actions column, click the Choose Object Type link.
What to do next
Update the reporting framework to effect the changes (see “Updating the reporting framework” on page
686).
Procedure
1. Click Administration > Reporting Framework > Configuration.
2. From the list in the Object Type Dimensions table, click the name of the object type dimension you
want to modify.
3. Make the changes you want (see Table 220 on page 682).
Delete a level Click the Choose Object Type link for the object type level you want to
delete and clear the selection box.
Note: When you delete a level, all levels below that level are also deleted.
Change or add Click the Translate link to open the Translate window.
translation text for the
Name field
4. Click Save.
5. Update the reporting framework to effect the changes (see “Updating the reporting framework” on
page 686).
Procedure
1. Click Administration > Reporting Framework > Configuration.
What to do next
Update the reporting framework to effect the changes (see “Updating the reporting framework” on page
686).
When you generate the Reporting Framework V6, the packages for all or selected framework models are
published to the Cognos server with relationship and dimensional subnamespaces.
Note: You should not use IBM Cognos Framework Manager to modify the packages. The packages are
dynamically created and recreated when you launch the OpenPages Reporting Framework Generator. If
you made changes using IBM Cognos Framework Manager, those changes are lost when you launch the
OpenPages Reporting Framework Generator. If you would like to create a custom Cognos package, see
your OpenPages Managing Consultant.
Table 221: Regenerating the reporting schema and the reporting framework.
This type of change... Requires this to be regenerated...
Reporting schema Reporting framework
Adding a new field to a field group. No Yes
Adding a new object type. No Yes
Adding a new association between object types. No Yes
Removing object types or attributes. Yes Yes
For information, see “Deleting a custom object
type” on page 189.
Important: When you regenerate the reporting framework, you need to revalidate reports. Failing to do so
may result in reporting errors.
Procedure
1. Log on to IBM OpenPages GRC Platform as a user with the correct application permission set.
2. Click Administration > Reporting Framework, and click one of the following:
• Generation — to update all or selected components of the reporting framework, such as metadata,
labels, dimensions and facts, and custom query subjects for all or selected framework models.
• Configuration — to configure facts and dimensions, object type dimensions, and date dimension
types.
Labels • Reporting Framework V6 Imports your object text into the reporting
framework.
• Legacy Reporting Framework
Facts and Reporting Framework V6 Generates the dimensions and facts in the
Dimensions dimensional model.
Custom Query Reporting Framework V6 Generates any custom query subjects that are
Subjects defined.
For information about custom query subjects, see
the IBM OpenPages GRC Report Author's Guide on
your documentation media.
All Models Reporting Framework V6 Generates the component you select (Framework
Model, Labels, Facts and Dimensions, or Custom
Query Subjects) for all framework models that are
enabled.
Selected Reporting Framework V6 Generates the component you select (Framework
Models Model, Labels, Facts and Dimensions, or Custom
Query Subjects) for selected framework models.
The framework models must be enabled.
After the reporting schema has been updated, the reporting framework must be updated as well to
propagate the changes to the Cognos reports. Whenever you update the reporting framework, you need to
revalidate reports. Failing to do so may result in reporting errors.
Note: This procedure assumes that you have created a new reporting schema.
Procedure
1. Access the Reporting Framework Operations page (see “Accessing the reporting framework” on page
684).
2. Disable System Administration Mode if it is enabled (for details, see “Enabling and disabling System
Administration Mode” on page 17).
3. On the Reporting Framework Operations page, click Update.
4. In the Reporting Framework Generation window, complete the following steps:
a) Under Framework Generation, select the Framework Model, Labels, All Models or Selected
Models options and any additional options for generation in the Reporting Framework V6 relational
data model.
Note: For upgraded systems that have the Legacy Reporting Framework setting enabled, if you also
want to generate the Legacy Reporting Framework relational data model, under Legacy Framework
Generation, select the Framework Model and Labels options.
b) Click Submit.
You are returned to the Reporting Framework Operations page with the new task listed in the
Reporting Framework Operations table.
5. To view the progress of the update, click Refresh. The Percent Complete column on the Reporting
Framework Operations table updates the percentage of completion.
Procedure
1. Access the Reporting Schema. Log on to the IBM OpenPages GRC Platform application user interface
as a user with the Reporting Schema application permission set.
a) From the menu bar, select Administration and click Reporting Schema.
2. On the Reporting Framework Operations tab, click the name of the operation.
3. On the Operation Detail pane, click View Log.
Procedure
1. Ensure IBM QRadar is installed. IBM QRadar is a separate enterprise-level application. It is not
included with OpenPages GRC Platform.
2. Install IBM Tivoli Directory Integrator 7.1.1, followed by the IBM Tivoli Directory Integrator 7.1.1.4 fix
pack 4, from the OpenPages GRC Platform installation media.
3. Configure Tivoli Directory Integrator to connect to QRadar.
4. Configure the property files.
5. Deploy the assembly line.
Attention: The assembly line will not run when the OpenPages GRC Platform user that is
configured to run the assembly line has left System Admin Mode enabled in OpenPages GRC
Platform. You must ensure that System Admin Mode is disabled to run the assembly line.
6. The results of running the assembly line show up as new or updated Incident objects, as viewed from
the OpenPages GRC Platform Events > Incidents menu option.
Configuring email notifications to be sent from the QRadar assembly line connector
components
Both of the QRadarOffensesToIncidents assembly line connector components are able to send email
notifications to alert people such as the IBM Tivoli Directory Integrator (TDI) administrator when errors or
exceptions occur during the execution of the QRadarOffensesToIncidents assembly line.
Procedure
1. Configure the mailTo property of the connector.properties file.
The email address to use for sending email notifications about errors and exceptions that occur in the
assembly line connectors. One or more email addresses can be specified as a comma-separated list.
For example, [email protected],[email protected].
2. Configure the smtpPort property of the connector.properties file.
The SMTP port to use for sending email notifications about errors and exceptions that occur in the
assembly line connectors. The default port to use for an SMTP server is 25.
3. Configure the smtpHost property of the connector.properties file.
The SMTP host to use for sending email notifications about errors and exceptions that occur in the
assembly line connectors. Specify either an IP name or IP address. For example,
smtpHost=mySmtpHost.acme.com or smtpHost=192.168.10.20.
Procedure
There are three ways to supply a primary parent ID to the IBM OpenPages GRC Platform connector
component, described in the order in which they are searched for:
• Provide the object resource ID of an existing suitable parent object as a string value in the
work.primary_parent_id property in the output mapping:
The following graphic shows the work.primary_parent_id property in the output mapping:
The value must be a number, enclosed in double quotes, and should be the object resource ID of a
suitable IBM OpenPages GRC Platform parent object. A null or empty value is ignored. This technique
enables the use of a different primary parent ID for each object being created.
Figure 36: Primary parent ID derived from the non-null values of the two properties work.parent_type and
work.parent_location in the output mapping
See the detailed descriptions and example values provided for the op_parentType and
op_parentLocation properties in the connector.properties file, located in the Runtime-
qradar_integration folder of the TDI qradar_integration project. If the values for these
properties do not derive to a valid parent object, then they are ignored.
The following graphic shows a detail from the connector.properties file:
This technique enables the use of a different primary parent ID for each object being created.
• If the properties in the preceding two techniques are not provided, then the IBM OpenPages GRC
Platform connector uses the default primary parent ID derived from the op_parentType and
op_parentLocation properties defined in the connector.properties file, located in the Runtime-
qradar_integration folder of the TDI qradar_integration project. The values in the
connector.properties file are processed once per assembly line execution, and the resulting
derived value serves as the default primary parent ID to use if the properties in the two preceding
sections are not provided.
If the values for these properties do not derive to a valid parent object, then there will be no default value
available for the duration of the assembly line execution. See the detailed descriptions and example
values provided for each of these properties in the connector.properties file, located in the
Runtime-qradar_integration folder of the TDI qradar_integration project.
Procedure
Supply the currency values in the IBM OpenPages GRC Platform connector output mapping as strings,
that is, enclosed with quotation marks, by using the following format: "<amount>|<isoCode>"
• Examples of valid currency values in the output mapping: "123.45|AUD" or "321 | USD"
• Example of an invalid currency value in the output mapping because the enclosing quotation marks are
missing: 123.45|AUD
• Example of an incomplete currency value in the output mapping because the ISO code is missing; when
this situation occurs, the default currency that is configured in IBM OpenPages GRC Platform is used:
"123 | "
Specifying date values to the IBM OpenPages GRC Platform connector via the output
mapping
Date values should be specified as java.util.Date objects in the IBM OpenPages GRC Platform connector
output mapping.
IBM OpenPages GRC SDI Connector for UCF Common Controls Hub
integration
IBM OpenPages GRC Platform includes IBM OpenPages GRC SDI Connector for UCF Common Controls
Hub. UCF Common Controls Hub is a separate stand-alone web application. It is not included with IBM
OpenPages GRC Platform.
UCF is a database of regulatory compliance documents. The regulatory documents are divided into parts,
which can then be used by APIs. UCF Common Controls Hub is the web portal to the UCF data.
Data can be pulled from UCF (initiated by IBM Tivoli Directory Integrator), then mapped one-to-one to
object types in IBM OpenPages GRC Platform.
Note: IBM Security Directory Integrator is the latest name for IBM Tivoli Directory Integrator. You might
see TDI and SDI used interchangeably in the documentation.
A mandate can have one or submandates. A submandate can have zero or more requirements. A
requirement can be related to multiple submandates from different mandates.
Procedure
1. From the Tivoli Directory Integrator Configuration Editor, open the ucf_integration project.
2. In the Navigator pane, expand Runtime-ucf_integration.
3. Right-click the op_client.properties file and click Text Editor.
4. Set or change the property values.
op_user The OpenPages user name that the UCF connector uses
to log in to OpenPages
Use an account with administrative privileges. The user
account must have security permissions to create and
update the mandate, submandate, and requirements
object types.
For example:
op_api_root=/grc/api
op_url=https://op_server:10111
op_user=ucf
Procedure
1. Check for any program that is using port 1099 already by using the following commands:
• Windows: netstat -an | findstr 1099
• UNIX: netstat -an | grep 1099
2. If the output of this command is not empty, determine which process is already using port 1099 and
stop that process. If the process is already stopped, reenter the command after a minute or two to
ensure that the ports are no longer in use. You might need to repeat the netstat command a few
times before the output is empty.
Procedure
1. Configure the email server that is used to route mails to lifecycle assignees. For information see “Set
the mail server address” on page 322.
2. Verify that users who create and launch programs have the following permissions:
• Read/write/associate access to Questionnaire Template objects.
• Read/write access to the objects used by Questionnaire Templates: Section Templates, SubSection
Templates, and Question Templates.
• Read/write/associate access to Program objects.
• Read/write/associate access to Questionnaire Assessment objects.
• Read/associate access to assets.
3. Verify that users who complete and review questionnaire assessments have the following permissions:
• Read access to the objects used by questionnaire templates: Questionnaire Templates, Section
Templates, SubSection Templates, and Question Templates.
• Read access to Program objects. Required for four-stage lifecycle because the program owner is at
one point the lifecycle assignee for questionnaire assessments.
• Read/write/associate access to Questionnaire Assessment objects. You can do this with Record
Level Security (RLS), where the current lifecycle assignee has the questionnaire assessment, or with
the role template.
• Read/write/associate/delete access to SOXDocument for attachments.
• Read access to assets.
4. Customize the logo on the questionnaire assessment to be your company logo. File specifications are
as follows:
• Size: 133 pixels wide by 40 pixels high
• Type: png
• Name: logo.png
• Folder location: ../sosa.war/image/questionnaire/
Changes to the logo file can be overwritten in subsequent upgrades.
Copy the file to the folder location. No further setup is necessary. If you do not customize the logo, the
system displays the product name in the header rather than a logo.
5. Customize the introduction text that is displayed on the landing page when a respondent opens a
questionnaire assessment. Write the text and save it in the
questionnaire.intro.label.informationDetails token under Administration > Application
Text > Labels.
{
"profile": "Deck",
"objectTypes" : ["SOXControl","SOXIssue","LossEvent","Incident"],
"objects" : [
{
"type" : "SOXControl",
"fieldTitle" : "Name",
"fieldDesc" : "Description",
"lifecycle" : {
"enabled" : true,
"stageMap" : {
"Attestation" : {
"showInList": true,
"questionFieldLists" : [
{
"rule" : "default",
"fields" : [{
"systemName":"OPSS-Ctl-Cert:DesEff",
"displayType":"Radio Button/Checkbox"
},
{
"systemName":"OPSS-Ctl-Cert:DesEffExplain",
"displayType":"Text Area"
},
{
"systemName":"OPSS-Ctl-Cert:DocAccurate",
"displayType":"Radio Button/Checkbox"
},
{
"systemName":"OPSS-Ctl-Cert:DocAccurateExplain",
"displayType":"Text Area"
},
{
"systemName":"OPSS-Ctl-Cert:OpEff",
"displayType":"Radio Button/Checkbox"
},
{
"systemName":"OPSS-Ctl-Cert:OpEffExplain",
"displayType":"Text Area"
},
{
"systemName":"OPSS-Ctl-Cert:Change",
"displayType":"Radio Button/Checkbox"
},
{
"systemName":"OPSS-Ctl-Cert:ChangeExplain",
"displayType":"Text Area"
}]
}
]
}
}
},
"widgetList" : [
{
"name" : "details",
"type" : "activityView",
"activityView" : "OP-Deck-Control",
"parentViews" : [
{
"type" : "SOXRisk",
"activityView" : "OP-Deck-Control-Risk"
}
]
}
]
},
{
"type" : "SOXIssue",
"fieldTitle" : "Name",
"fieldDesc" : "Description",
Attention:
• Certification questions display the field guidance as the Question in the approval app—not as the
field label, as the field guidance does in OpenPages.
• For the approval app, if a field-level security (FLS) rule is applied on a question, the question is
still displayed on the card page for the lifecycle stage that is configured in the
deck_config.json file, even if the user does not meet the FLS rule to view the question. When
the user submits the question, the user sees the following message: You do not have
permission to write on the field <field name>.
The following list shows some example certification questions.
Certification Language without values
Use a single-select Enumerated String field. This causes the question to appear without any values to
select.
Single select checkbox
Use a single-select Enumerated String field with a single value. This causes the question to appear
with a single check box.
Make a follow up question required
Use Requiredness field dependencies in OpenPages.
Note: The approval app does not support both Requiredness and Visibility dependencies at the same
time.
Hide a follow up question unless a specific Enum value is selected
Use Visibility field dependencies in OpenPages.
Note: The approval app does not support both Requiredness and Visibility dependencies at the same
time.
For a transition, make the lifecycle comment or other Simple/Long string required
"<SOME_STAGE>" : {
"transitionMap" : {
"<SOME_TRANSITION>" : {
"requiresValidation" : true
}
},
"questionFieldLists" : [
{
"rule" : "default",
"fields" : [{
"systemName":"<COMMENT/OTHER FIELD NAME>",
"displayType":"Text Area",
"requiredValue" : "NON_EMPTY"
}]
}
]
}
"<SOME_STAGE>" : {
"questionFieldLists" : [
{
"rule" : "default",
"<SOME_STAGE>" : {
"questionFieldLists" : [
{
"rule" : "default",
"fields" : [{
"systemName":"<FIELD NAME>",
"displayType":"Text Area"
}]
}
"parentViews" : [
{
"type" : "SOXBusEntity",
"activityView" : "OP-Deck-Control-BE"
},
{
"type" : "SOXRisk",
"activityView" : "OP-Deck-Control-Risk"
}
]
The following examples show various cases of properties that are supported but might not be enabled by
default.
Example: Grouping a To Do list for 5 and 30 days
"dueDateGroup" : {
"group" : [{"number": 5, "unit": "day"},{"number": 30, "unit": "day"}]
}
Example: Making the comment field a required field for specified transitions
The comments field is not required in the standard configuration, and users can transition in a detail page
without adding a comment.
You might submit an action in the approval app and see a message similar to the following: Success!
Your <action> and comments have been submitted to <recipient>, even though there are
no comments.
You can configure the comment field to be a required field for specified transitions in the
deck_config.json file. In the following case, the comment field is required for the Review De-escalate
transition of the Escalation Review lifecycle stage.
"Escalation Review" : {
"transitionMap" : {
"Review De-escalate" : {
"requiresValidation" : true
}
"stageMap" : {
"Attestation" : {
"showInList": true,
"questionFieldLists" : [
{
"rule" : "default",
"fields" : [{
"systemName":"OPSS-Ctl-Cert:DesEff",
"displayType":"Radio Button/Checkbox"
},
{
"systemName":"OPSS-Ctl-Cert:DesEffExplain",
"displayType":"Text Area"
}]
}
]
}
}
– To change the text that displays when users click the icon for the Information box in the header,
change the text associated with the Application Text key, loss.event.entry.overall.help, in
the Application Messages folder.
– To change the information that is displayed at the top of the tab for each object type, change the text
for the keys, loss.event.entry.file.intro, loss.event.entry.loss.event.intro,
loss.event.entry.loss.impact.intro, and loss.event.entry.loss.recovery.intro
in the Application Messages folder.
– Customize the logo on the loss event form to be your company logo. File specifications are as follows:
- Size: 1130 pixels wide by 36 pixels high
- Name: Logo.png
- Folder location: ../sosa.war/image/lossevent/
Changes to the logo file can be overwritten in subsequent upgrades.
• Design and configure the email confirmation that is sent to users when a loss event is created. For
information, see “How confirmation emails are configured” on page 715.
OpenPages Loss Event Entry displays a red X and an explanation next to dates that fail the validation
rules. Users must resolve errors before they can submit a loss event.
OpenPages Loss Event Entry includes date validation rules that you can keep or modify. The date
validation rules are effective only in OpenPages Loss Event Entry and not in OpenPages. If you want the
same rules to apply in OpenPages, they can be implemented with triggers.
$;user1$;
$;user1$;user2$;user3$;
• For text fields that pass email addresses, for example, Submitter Email Field Name, you can pre-fill the
field with only one value.
The following examples illustrate how you can construct URLs.
Example 1: Set the locale.
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent?locale=en_GB
Example 2: Pre-fill the primary caused entity to /Global Services/North America Banking. The display type
of OPSS-LE-BE:Primary Caused Entity is business entity selector.
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent
?OPSS-LE-BE:Primary Caused Entity=/Global Services/North America Banking
Example 3: Pre-fill the triage team to Risk Team New York and two users:
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent
?ABC-LE:UsersToNotify=$;Risk Team New York$;user1$;user2$;
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent
?OPSS-LE-Contact:Your Name=User One&OPSS-LE-Contact:Your [email protected]
Example 5: Pre-fill user information, primary caused business entity, and locale:
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent
?OPSS-LE-Contact:Your Name=User One&OPSS-LE-Contact:Your [email protected]
&OPSS-LE-Contact:Your Phone=555-111-2222&OPSS-LE-BE:Primary Caused Entity=
/Global Services/North America Banking&locale=en_GB
Example 6: Pre-fill information if you have multiple primary caused business entities and multiple triage
teams in your organization. Assume that you have two divisions, /Global Services/North America/Division/
East and /Global Services/North America/Division/West. You want to prefill the parent business entity
with the division's Primary Caused Entity and the triage teams from ABC-LE:UsersToNotify.
You create two URLs. This URL is for users in the East division.
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent
?OPSS-LE-BE:Primary Caused Entity=/Global Services/North America/Division/East
&ABC-LE:UsersToNotify=DivisionEastTriage
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent
?OPSS-LE-BE:Primary Caused Entity=/Global Services/North America/Division/West
&ABC-LE:UsersToNotify=DivisionWestTriage
Example 7: Pre-fill no information for a URL that you use for loss events that are created anonymously. Do
not pass user information. You might want to send the email confirmation to a person designated to
handle these situations.
http://<server>:<port>/openpages/app/jspview/appLoader/lossevent
{1}, \nThe following $title was entered by you. \n{2}: {3} \n{4}: {5} \n{6}: {7}\n \n
User One,
The following Loss Event was entered by you.
Owner: $;user1$;OpenPagesAdministrator$;
Name: Library_LE_0022
Description: This is a description
Primary Caused Entity: /Global Services/North America
The value for OPSS-LE-Contact:Your Name is substituted into parameter {1} followed by a line
break, text, and another line break.
The label and value for OPSS-LossEv:Owner is substituted into parameters n{2}: {3} followed by a
line break.
The label and value for System Fields:Name is substituted into parameters n{4}: {5} followed by a
line break.
The label and value for System Fields:Description is substituted into parameters n{6}: {7}
followed by a line break.
The label and value OPSS-LE-BE:Primary Caused Entity is substituted into parameters n{8}:
{9} followed by a line break.
The ending text is included.
Procedure
1. Open the Loss Event Entry Configuration tool with the following URL.
http://<server>:<port>/openpages/app/jspview/lossevent#/editconfig
Log in with your OpenPages user account. You must be a member of the OPAdministrators user
group to access the tool. You can have it open and simultaneously be logged in to OpenPages to work
on other administration tasks. Click Save in the tool to refresh it with the most recent changes you
make in OpenPages. For example, if you change information text in OpenPages and return to the Loss
Event Entry Configuration tool, you do not see the changes until you click Save.
When you provide fields in the format, <Field Group>:<Field Name>, ensure that no spaces exist
before and after the colon.
2. Complete the fields in the tool. Hover over a field to see a description.
3. Complete the fields in the Object Types section.
a) In Loss Event View Name, enter the name of a loss event creation view that is used to determine
the information on the Loss Event tab. The default is LE Entry - LE.
Procedure
1. Configure the IBM BPM server URL in the Administration > Settings > Platform > Workflow
Implementations > IBM BPM > Server URL registry settings. For more information, see “Workflow
implementations settings” on page 353.
2. Customize the portal page in Administration > Settings > Platform > Workflow Implementations >
IBM BPM > Portal Page Path (optional). The system is delivered with a default portal page but you
can choose a different one. For more information, see “Workflow implementations settings” on page
353.
3. Update user and user group definitions for administrators who work with IBM Business Process
Manager. They need to have the application permission, IBM BPM. It controls whether the new menu
items on the Administration menu are displayed. It is located in SOX > Administration.
4. Check whether you have an OpenPages administrator with the user name admin. If you keep it, it
creates conflicts in both the federated repository and the default user registry that is provided by
WebSphere. Websphere contains an admin user account for the WAS admin console. It also causes
an authentication issue with the OpenPages REST API security. You must remove the Websphere
admin user from the default user registry and create a new administrator with a different name. For
information, see http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/
com.ibm.websphere.wim.doc/MultipleEntitiesWithSamePrincipalName.html (http://www.ibm.com/
support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.wim.doc/
MultipleEntitiesWithSamePrincipalName.html).
5. Update profiles for OpenPages users who work with business processes. The profiles need to have
Process Portal in the Home Page Tab Configuration set to Visible. The Process Portal tab is then
displayed on the Home Page. The profile also determines where the tab is displayed relative to other
tabs.
6. Determine whether to use auto-login. If it is enabled, OpenPages users can access the IBM BPM
menu items in OpenPages without having to log in to IBM BPM. They can move seamlessly between
the two systems. When users log in and out of OpenPages, the system also automatically logs them in
and out of IBM BPM. When users log in directly to the IBM BPM applications, such as BPM Process
Portal or BPM Process Center, without accessing them through OpenPages, the auto-login feature is
not used. They must log in with their OpenPages credentials.
a) Set the Enable Login SSO registry setting. For more information, see “Workflow implementations
settings” on page 353.
b) Edit the /<OP_HOME>/aurora/conf/aurora.properties file on the application server.
c) Look for a property that is named logout.url.ibmbpm. If it does not exist, create it.
d) Set logout.url.ibmbpm to the URL of your BPM server hostname/FQDN. Use the same
hostname/FDQN that you used for the Server URL registry setting.
Use the https protocol rather than http in the URL.
For example, if you used https://bpm.server.com:9443/ for the Server URL, type:
https\://bpm.server.com\:9443/ProcessPortal/logout.jsp
What to do next
After IBM BPM is operational, complete the maintenance tasks that are described in “Maintaining
Business Process Manager” on page 720.
After IBM Business Process Manager is operational, you must complete maintenance tasks on an as-
needed basis.
After IBM BPM is operational, complete the following maintenance tasks on an as-needed basis:
Terms to understand
Natural Language Classifier
A Natural Language Classifier is a Watson service in IBM Bluemix that uses machine learning
algorithms to return the top-matching predefined classes for short text inputs. You configure, train,
and connect to a Natural Language Classifier service from OpenPages. A Natural Language Classifier
service learns from your data and then can return information for texts that it is not trained on.
Classifier Configuration
A classifier configuration in OpenPages defines connection information to an instance of the Natural
Language Classifier on IBM Bluemix. For taxonomy classifications, it specifies the classifier target
fields for the instance. For object associations, it specifies the object type to associate, whether it is a
child or parent relationship, and other attributes. You define a classifier configuration in
Administration > Cognitive Services > Natural Language Classifiers.
Classifier Field
A classifier field is a field group in OpenPages that contains the name of a classifier configuration and
a classifier input field. The View Suggestions button is displayed next to a classifier field.
Classifier Input Field
A classifier input field is a field in OpenPages that contains the short text input that a Natural
Language Classifier interprets and classifies. It is typically a Description field.
Classifier Target Fields
For taxonomy classifications, classifier target fields are fields in OpenPages that are set when a user
chooses suggestions for a classifier field.
This video demonstrate how to use a Natural Language Classifier to make object association suggestions:
https://youtu.be/VFUxni9tsrc
This video demonstrates how to use a Natural Language Classifier to make taxonomy suggestions:
https://youtu.be/ZysbwttRpwA
Procedure
1. Configure and train the Natural Language Classifier service on IBM Bluemix. For information, see
“Configuring a Natural Language Classifier in Bluemix” on page 725.
2. Import the Watson certificate into the Websphere trust store. Do this only one time, not for every
service you configure. For information, see “Importing a Watson certificate to the local trust store ”
on page 727.
3. Define a classifier configuration. For information, see “Defining a Classifier Configuration” on page
728.
4. Define a classifier field. For information, see “Defining a classifier field” on page 729.
5. Add the field group that the classifier field is in to the object type, if it is not already there.
6. Add the classifier field to the profile.
7. Add the classifier field to views where you want it to display. You can add it to Detail, Activity, and Add
New views. You can also add it to Loss Event Entry. On these views, ensure that Read-Only is cleared
What to do next
After the service is in use, you can download data and monitor performance. For information, see
“Monitoring and downloading classifier data usage ” on page 730.
A Natural Language Classifier service is in one language. IBM supports a fixed set of languages. You can
use multiple Natural Language Classifier services simultaneously, either for different purposes or to
support multiple languages for the same purpose.
If you use multiple services for taxonomy suggestions, each Natural Language Classifier service requires a
unique classifier configuration, classifier field, and classifier output fields. A classifier input field can be
used in more than one classifier field. However, ensure that each classifier configuration updates different
classifier target fields. Do not define multiple classifier configurations that update the same classifier
target fields.
For object associations, you must configure a Natural Language Classifier service for each object type and
relationship that you want to support. For example, if you want to provide parent association suggestions
to Control objects and child association suggestions to Risk objects, you need two Natural Language
Classifier services. You can have multiple services per object type. Each service requires a unique
classifier configuration and classifier field. A classifier input field can be used in more than one classifier
field.
Procedure
1. Create a IBM Bluemix account.
External party stole assets External Fraud Theft and Fraud Theft/Robbery
If the classifier is for object associations, define the short text inputs and map them to object types.
The training data must be in a CSV file. The first column in the file is the short text. The second column
is the system name of the object that applies to that text.
Clear desk policy 11.2.9 Clear desk and clear screen policy
Clear screen policy 11.2.9 Clear desk and clear screen policy
4. Load the CSV file into the Natural Language Classifier service you created on IBM Bluemix.
5. Train the classifier. After it is trained, IBM Bluemix assigns it a classifier ID. You need the classifier ID
later when you define a classifier configuration in OpenPages. Every time that you train the classifier,
you get a new classifier ID.
6. Ensure that the service is running.
What to do next
Complete the remaining tasks that are described in “Configuring cognitive services” on page 724.
Training the classifier is an iterative process. As users work with it, you can improve and expand the short
text inputs. You might need to change or expand the categorizations as they change over time. You can
also download classifier usage and improve it. For information, see “Monitoring and downloading
classifier data usage ” on page 730.
Optionally, set up more security, for example, use a firewall to restrict access to Bluemix. For information,
see https://console.ng.bluemix.net/docs/security/index.html#security .
Procedure
1. Log on to the IBM WebSphere administrative console.
2. Expand Security and click SSL certificate and key management.
3. Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore keystore.
gateway.watsonplatform.net
• Port: Enter the port number of the secure target server application, for example, 443.
• Alias: Enter a descriptive name for the certificate, for example, watson-nls.
6. Click Retrieve signer information.
7. Verify that the certificate information is for a certificate that you trust.
8. Click Apply and then click Save.
9. Restart the OpenPages GRC Platform services.
What to do next
Complete the remaining tasks that are described in “Configuring cognitive services” on page 724.
Procedure
1. Click Administration > Cognitive Services > Natural Language Classifiers
2. Click New.
3. Complete the fields in the Classifier Information section.
a) In Name, enter a name.
b) In Description, enter descriptive information.
c) In Link, enter a link to the training page in IBM Bluemix where you can add training data. The link is
optional and for information purposes only. The default is http://www.bluemix.net.
d) In Type, select Enumeration (taxonomy suggestions) or Association (object association
suggestions).
4. Complete the fields in the IBM Watson Natural Language Classifier Service section.
a) Retain the default value in URL for Request. It is the URL to the Natural Language Classifier on IBM
Bluemix:
https://gateway.watsonplatform.net/natural-language-classifier/api/v1/classifiers/
b) In User name, enter the user from the service credentials of the Natural Language Classifier
instance you created.
c) In Password, enter the password from the service credentials of the Natural Language Classifier
instance you created.
d) In ID, enter the identifier of the Natural Language Classifier instance that you created and trained.
5. In the Usage Information section, in Confidence Threshold enter the lowest confidence score that a
suggestion must meet.
Results
The system saves the classifier configuration as a JSON file. To make changes, use the Administration >
Cognitive Services > Natural Language Classifiers task. Do not edit the JSON files directly.
What to do next
Complete the remaining tasks that are described in “Configuring cognitive services” on page 724.
Procedure
1. Click Administration > Field Group and create a field group or select a field group for the classifier
field.
2. Click Add to create a new field.
a) In Data Type, select Classifier.
b) In Classifier Configuration Name, enter the name of the classifier configuration that you created in
“Defining a Classifier Configuration” on page 728.
c) In Classifier Input Field, enter the field that contains text to be interpreted by a Natural Language
Classifier service, for example, System Fields.Description. Format is <Field
Group>.<Field Name>.
3. Save the field.
Procedure
1. Click Reporting > Team content > OPENPAGES_REPORTS_V6 > General Reporting > General
Reporting (Relational) > Audit Trail > Classifier Audit Trail.
2. Click Insert.
The results show all requests that were sent to a classifier. Analyze the following columns:
• Text sent to Classifier are the descriptions users entered.
• Selected Suggestion are the suggestions that users chose.
• Confidence is the confidence score that the classifier returned for the selected suggestion.
• Classifier Results are the suggestions that the classifier issued for a description.
What to do next
Use the results to improve the classifier. You can download the usage data as a CSV file and use it as a
basis for new training data for the Natural Language Classifier service.
Procedure
1. Log on to the admin application server as a user with administrative privileges.
2. Go to the <OP_HOME>/installer/migration/upgrade/Module/loaderdata/RCM directory.
3. Edit the Environment_Variables.bat|.sh file.
Set the following parameters for your environment at the beginning of the file. This file is used by all
loading scripts.
openpages_domain_folder=<OP_HOME>/bin
login_username=<OP_Admin_Username>
login_password=<OP_Admin_Password>
loader_data_folder=<OP_HOME>/installer/migration/upgrade/Module/loaderdata/RCM
configuration.manager.force.update.application.strings=true
configuration.manager.force.update.application.strings=false
Procedure
1. Log in to OpenPages as a user with administrative privileges.
2. Go to Administration > Profiles.
3. Click OpenPages RCM 7.3.0 Master.
4. Update the CompliancePlan object.
a) Click the CompliancePlan object type.
b) Under Object Fields, click Include and add the field RCM-ComPlan:Theme Deployer as Display
Type URL.
c) Click Object Views.
d) Click Detail.
e) Click Choose Fields and add the RCM-ComPlan:Theme Deployer field to the Detail view. Set the
field to read-only.
5. Update the ComplianceTheme object.
a) Click the ComplianceTheme object type.
b) Click Include and add the field RCM-Theme:Theme Deployer as Display Type URL.
c) Click Include and add the field RCM-Theme:Theme Type as Display Type List.
d) Click Detail under Object Views.
e) Click Choose Fields and add the RCM-Theme:Theme Deployer field to the Detail view. Set the
field to read only.
6. Enable the libraries.
a) Click the CompliancePlan object type.
b) Click Detail under Object Views.
c) Clear Read only on the Library ID field.
d) Click the ComplianceTheme object type.
e) Click Detail under Object Views.
f) Clear Read only on the Library ID field.
g) Click the Requirement object type.
h) Click Detail under Object Views.
i) Clear Read only on the Library ID field.
j) Click the ReqEval object type.
k) Click Detail under Object Views.
l) Clear Read only on the Library ID field.
Procedure
1. Log in to OpenPages as an administrator.
2. Open the RCM configuration tool in a new browser tab or window.
The URL is:
http://<hostname>:<port>/openpages/app/solutions/rcm/config/showConfig
3. Log in with your OpenPages user account. You must be a member of the OPAdministrators group
to access the tool. You can have the tool open and simultaneously be logged in to OpenPages to work
on other administration tasks.
4. Expand the Common Properties section.
5. Enter the following information.
RCM uses these paths to locate the libraries. Use a forward slash (/) as a separator. For example,
enter /Library/Control.
a) Enter the path for the Control Library Folder.
b) Enter the path for the Requirement Library Folder.
c) Enter the path for the Theme Library Folder.
d) Enter the path for the Root Entity Folder.
The Root Entity Folder is used to locate the business unit hierarchy.
6. Expand the Theme Deployer Properties section.
For each object type, you map RCA fields to OpenPages fields. When you import RCA data into
OpenPages, new OpenPages objects are created and fields are populated with values from RCA.
Associations between RCA objects are also imported into OpenPages. Each system allows the following
associations:
• In RCA:
– An obligation can have a document as a parent object.
– A control can have an obligation as a parent object.
– A control can have a document as a parent object.
• In OpenPages:
– A Requirement can have a Mandate as a parent object.
– A SOXControl can have a Requirement as a parent object.
– A SOXControl cannot have a Mandate as a parent object.
The associations in RCA are imported into OpenPages, except for the associations of RCA controls to
documents, which are not imported.
You can partner the RCA data with the capability in OpenPages to use an IBM Watson Natural Language
Classifier service when you associate parent and child objects. For example, you can import RCA
obligations into OpenPages and then use a Natural Language Classifier service to link them to the most
appropriate controls in your library. For information, see Chapter 31, “Configuring cognitive services,” on
page 723.
Categorizations and tags in RCA are also imported into OpenPages. They provide meaning and context for
an obligation. In OpenPages you can use this information as search criteria, to group requirements
together, or to organize requirements by themes. This valuable content is available for you to use as you
require.
If the RCA data changes after it is imported into OpenPages, you can reimport the data to pick up the
changes in OpenPages. If you change object associations or de-associate objects in RCA and reimport the
objects into OpenPages, the object association changes are also made to objects in OpenPages.
After the RCA data is in OpenPages, you can use it to assess the impact of new, changed, and deprecated
requirements on your GRC policies and procedures, training and awareness, monitoring and testing, and
risk assessments.
Procedure
1. Verify that the RCA post-installation steps in the IBM OpenPages GRC Installation and Deployment
Guide are completed. The steps contain object schema changes to the Mandate, Requirement, and
SOXControl objects.
2. Verify that OPSS-Mand:Type has the enumerated string value Guideline.
a) Click Administration > Field Groups.
b) Click OPSS-Mand, and then click Type.
c) Verify that Guideline is in the list. If not, add it.
3. In OpenPages, update user and user group definitions for administrators who work with RCA data.
They need to have the RCA Integration application permission. It controls whether the new menu
items on the Administration menu are displayed. It is located in SOX > Administration.
They need to have the application permission, RCA Integration. It controls whether the new menu
items on the Administration menu are displayed. It is located in SOX > Administration.
For more information, see “Types of application permissions” on page 32.
4. Update user and user group definitions for administrators who work with RCA data. They must have
read/write permissions to edit the RCA import configuration and to import RCA data.
a) From the menu bar, click Administration > Manage System Files > Files.
b) Click the View drop-down arrow, and select Folder View from the list.
c) Click the End User Applications Config folder.
d) In the Access Controls pane, select Actions > Add.
e) In the Select User or Group to add Access Controls pop-up, select the user or group that you want
to grant access. Grant Read and Write permission.
f) Click Add.
What to do next
You are ready to configure the RCA import. For information, see “Configuring the IBM Regulatory
Compliance Analytics data import ” on page 738.
Procedure
1. Click Administration > RCA Integration > Configure Import from RCA.
2. Complete the fields in the Regulatory Compliance Analytics Information section. You can get this
information from RCA.
a) In URL, enter the URL for RCA, for example https://rca.ibmcloud.com.
b) In API Key, enter the API key for RCA.
For information about generating API keys in RCA, see the RCA Knowledge Center (https://
www.ibm.com/support/knowledgecenter/SS9KS2/using_rca/t_api_key.html).
c) In Organization ID, enter the organization ID for RCA.
For information about organization IDs in RCA, see the RCA Knowledge Center (http://
www.ibm.com/support/knowledgecenter/SS9KS2/using_rca/t_export_to_op.html).
3. Complete the fields in the OpenPages Information section.
a) In Parent Business Entity Path, enter the path where the parent business entity is located. Use a
forward slash (/) as a separator, for example, /Library/RCA.
4. Retain the default values for the Mandate object fields in the RCA Document field mapping to
OpenPages Mandate object fields section or change them to meet your requirements.
Table 230: RCA Document field mapping to OpenPages Mandate object fields section
RCA Document field OpenPages Mandate field (default values)
Name OPSS-RCA-Base.RCA Name
Description System Fields.Description
ID OPSS-RCA-Base.RCA Id
Identifier RCM-Mand.Library Id
Content source OPSS-Mand.Content Source
Owner OPSS-RCA-Base.RCA Owner
Assignee(s) OPSS-RCA-Base.RCA Assignees
5. Retain the default values for the Requirement object fields in the RCA Obligation field mapping to
OpenPages Requirement object fields section or change them to meet your requirements.
Table 231: RCA Obligation field mapping to OpenPages Requirement object fields section
RCA Obligation field OpenPages Requirement field (default values)
Description System Fields.Description
ID OPSS-RCA-Base.RCA Id
Content source OPSS-Req.Content Source
External ID and External System ID RCM-Req.Library Id
Owner OPSS-RCA-Base.RCA Owner
Assignee(s) OPSS-RCA-Base.RCA Assignees
Approval State OPSS-RCA-Req.Obligation Status
Interpretation OPSS-RCA-Req.Interpretation
Fragments Requirement=UCF-Req.Supporting
Requirements
Guidance=UCF-Req.Guidance
6. Retain the default values for the SOXControl object fields in the RCA Control field mapping to
OpenPages Control object fields section or change them to meet your requirements.
Table 232: RCA Control field mapping to OpenPages Control object fields section
RCA Control field OpenPages SOXControl field (default values)
Name OPSS-RCA-Base.RCA Name
Description System Fields.Description
ID OPSS-RCA-Base.RCA Id
External ID and External System ID OPSS-Shared-Lib.Library ID
Owner OPSS-RCA-Base.RCA Owner
Assignee(s) OPSS-RCA-Base.RCA Assignees
Policy ID OPSS-RCA-Ctl.Policy ID
Next Review Date OPSS-RCA-Ctl.Next Review Date
Last Review Date OPSS-RCA-Ctl.Last Review Date
Last Updated Date OPSS-RCA-Ctl.Last Updated Date
Status OPSS-RCA-Ctl.External Status
Comments OPSS-Ctl.Additional Description
What to do next
You can begin importing RCA data into OpenPages. For information, see “Reimporting IBM Regulatory
Compliance Analytics data ” on page 743.
Procedure
1. Click Administration > RCA Integration > Import from RCA.
2. Click Import Data.
The system starts a long running process that calls the RCA APIs and loads the objects.
3. When the process finishes, click View Log or go to My OpenPages > Background Processes > My
Background Processes to see the results.
4. Verify that the data loaded correctly in the library that is specified in the import configuration:
• Verify that new RCA objects were added as new objects in OpenPages.
• Check that the fields were mapped correctly and that OpenPages fields are now populated with the
RCA data.
• Verify that parent and child associations were correctly imported.
Procedure
1. Follow the steps that are described in “Importing IBM Regulatory Compliance Analytics data ” on page
742. The import process loads both new and changed data.
2. Verify that the data loaded correctly in the library that is specified in the import configuration:
• Verify that changes to existing OpenPages objects were made.
• Verify that parent and child associations were updated.
• Verify that new data was imported.
Setting up a notification
Three procedures are required to set up and execute a notification.
• “Task 1: Preparing your data” on page 746
• “Task 2: Creating the notification” on page 747
• “Task 3: Triggering the notification” on page 756
After each task is completed, you can run the notification manually or schedule it to run automatically.
• Test Reviewer (the person responsible for verifying that the tests are completed)
• Test Performer (the person responsible for executing the tests)
• Frequency (whether the test is performed Annually, Quarterly, or Monthly)
• Relative Due Date (when the test should be completed, measured in days after the beginning of the
Frequency period)
Note: If you are viewing existing Tests that were created before version 3.0.1, the new properties will not
be visible on the detail page of the Test. To display the new properties on an existing Test, click the Edit
icon. The new properties will be included on the Edit page. When you Save your changes, the new
properties and values will now be displayed on the detail page. You will need to enter values for each pre-
existing Test in order to use the Notification Manager.
Reports created with the Test Notification template are targeted at Tests and are used to notify Test
Performers and Reviewers that incomplete Tests exist. It also contains special logic to deal with setting
relative due dates and gathering information from both Tests and Test Results.
The General IBM OpenPages FCM Notifications template allows users to set up to three properties and
property values to evaluate. You can only evaluate properties for a single object type.
The steps in the following procedure apply to creating either a Test Notification or a General IBM
OpenPages FCM Notifications report.
Procedure
1. Log on to the OpenPages GRC Platform server (typically /opx) as a user with Publishing privileges set.
2. Click the Browse Channels link under the Publishing heading on the Action menu to display the
Channels page.
3. In the list on the Channels tab, click the Reporting link.
4. On the Publishing tab, navigate to the SOX/Notifications folder.
5. From the folder list, click the Add Page icon. The Add a Page screen is displayed.
6. Do the following:
a) Enter a name and description for the notification report.
b) Choose one of the following page templates:
• Test Notification - use to create a notification based on test completion.
• General IBM OpenPages FCM Notifications - use to create notifications of required work via e-
mail and action items.
c) Click Next to continue.
d) Enter the information for your notification type.
For detailed information about the various template fields, refer to the following tables:
• For Test Notification, see “The Test Notification fields” on page 747
• For General IBM OpenPages FCM Notifications, see “The general IBM OpenPages GRC Platform
FCM notifications fields” on page 751
e) Click Apply to save your changes.
7. Click Finish to save the new report.
Sender Name This is the name that will appear as the sender of the
notification e-mail.
Sender Address The e-mail address that appears as the sender e-mail
address on the notification e-mail.
Subject The subject of the notification e-mail.
Note: This parameter can also contain a key defined under
Application Text in the Configuration section of the Action
menu in the IBM OpenPages GRC Platform application. This is
required if you wish the notification e-mails to be sent in each
recipient's selected locale.
Select a Test Frequency Selecting a Test Frequency limits the notification report to
only send out notifications for incomplete Tests that match
the chosen frequency.
Possible values are: Annually, Half-Yearly, Quarterly, Monthly,
Weekly, Daily.
Notify Test Reviewer ___ days before The number of days before the test due date that the
due date notification e-mail will be sent to the user listed as the Test
Reviewer.
The Due Date for a Test is set in the Relative Due Date field on
the Test object. The Relative Due Date is the number of days
after the beginning of the test period (which is set in the
‘Select a Test Frequency’ field).
For example, a Relative Due Date of 60 and a Frequency of
Quarterly means that the Test must be completed 60 days
after the beginning of the most recent quarter. If you set this
field (Notify Test Reviewer...) to 14, then 14 days before the
Relative Due Date the notification will alert the Test Reviewer.
Note: The OpenPages GRC Platform application considers
financial quarters to begin on January 1st, April 1st, July 1st,
and October 1st. If your financial quarter begins on a different
date, you may want to adjust the Relative Due Date.
Also examine past ___ days when The number of previous days to check when looking for
evaluating completeness incomplete Tests.
By default, the notification report only checks for the exact
value of the "Notify Test Reviewer/Performer X days before
due date fields", so if the report is not run for a few days,
some incomplete Tests with due dates that do not exactly
match the values may not create notifications.
This setting provides some overlap in case the report is not
run every day. If an Action Item already exists for the Test, a
new one will not be created.
Send repeat notifications If this field is set to true, an e-mail will be sent to the Test
Reviewer/Performer every time the notification report is run
and the Test continues to be incomplete. If set to false, the
Performer/Reviewer will receive a single e-mail the first time
the incomplete Test is included in the report results.
General Message This text will appear as the introductory text in the body of
the e-mail for both Test Performers and Test Reviewers.
Note: This parameter can also contain a key defined under
Application Text in the Configuration section of the Action
menu in the OpenPages GRC Platform application. This is
required if you wish the notification e-mails to be sent in each
recipient's selected locale.
Send mail to Test Reviewers If set to true, an e-mail message will be generated that
contains the incomplete tests belonging to the Test Reviewer.
Send mail to Test Performers If set to true, an e-mail message will be generated that
contains the incomplete tests belonging to the Test
Performer.
Message to Test Performers This text will appear underneath the General Message on e-
mails to Test Performers.
Note:
• The message text has a 200 character limit.
• If you are entering a plain-text message, any escaped
characters (such as new lines, etc.) must be preceded with
two backslashes instead of one (e.g. \\n). If you are using
HTML for your e-mail message, this is not necessary.
• This parameter can also contain a key defined under
Application Text in the Configuration section of the Action
menu in the OpenPages GRC Platform application. This is
required if you wish the notification e-mails to be sent in
each recipient's selected locale.
Group notifications by This setting is used to group the tests that meet the criteria
for notification within the notification e-mail.
Test Reviewer property Defines the property that contains the Test Reviewer user.
Must be a property of the Test object that takes a group or
user name as a value.
Should only be modified if you are using a custom property.
Test Performer property Defines the property that contains the Test Performer user.
Must be a property of the Test object that takes a group or
user name as a value. Should only be modified if you are using
a custom property.
Test Due Date property Defines the property that contains the Test Due Date. Should
only be modified if you are using a custom property.
Test Frequency property Defines the property that contains the Test frequency. Should
only be modified if you are using a custom property.
SOX Server The full URL of the OpenPages GRC Platform server machine.
This address is used to create the links contained in the
notification e-mail, and should NOT be set to localhost.
If omitted, the server URL will be determined automatically.
Report Title The text displayed as the title of the notification report.
Scope The scope parameter is used to limit the range of the
notification report. If you do not want to limit the scope of the
notification report, leave it set to /_op_sox/Project/Default.
If you wish to change the scope, click the Browse icon and
select the folder hierarchy you want to include in the
notification report. Only the objects under that folder will be
evaluated when the report is run.
Library Filter When you are running a notification report, you do not usually
want to include the Master Library in the report results, since
they are not considered active.
If the path contains the value of the Library Filter parameter,
it will not be included in the report results.
Sender Name This is the name that will appear as the sender of the notification e-
mail.
Sender E-mail The e-mail address that appears as the sender e-mail address on the
notification e-mail.
E-mail Subject The subject of the notification e-mail.
Note: This parameter can also contain a key defined under
Application Text in the Configuration section of the Action menu in
the OpenPages GRC Platform application. This is required if you wish
the notification e-mails to be sent in each recipient's selected locale.
General Message This text will appear as the introductory text in the body of the e-mail
for both Executive Owners and Primary Owners.
Note:
• The message text has a 200 character limit.
• If you are entering a plain-text message, any escaped characters
(such as new lines, etc.) must be preceded with two backslashes
instead of one (e.g. \\n). If you are using HTML for your e-mail
message, this is not necessary.
• This parameter can also contain a key defined under Application
Text in the Configuration section of the Action menu in the
OpenPages GRC Platform application. This is required if you wish
the notification e-mails to be sent in each recipient's selected
locale.
Send mail to Executive Owners If set to true, an e-mail message will be generated and sent to the
Executive Owner of the object that generated the notification.
If no Executive Owner is set on the object, the Notification Manager
will look up the hierarchy until a valid Executive Owner is found.
If no Executive Owner is found, no notification will be generated.
Send mail to Primary Owners If set to true, an e-mail message will be generated and sent to the
Primary Owner of the object that generated the notification.
If no Primary Owner is set on the object, the Notification Manager will
look up the hierarchy until a valid Primary Owner is found.
If no Primary Owner is found, no notification will be generated.
Message to Primary Owners This text will appear underneath the General Message on e-mails to
Primary Owners.
Note:
• The message text has a 200 character limit.
• If you are entering a plain-text message, any escaped characters
(such as new lines, etc.) must be preceded with two backslashes
instead of one (e.g. \\n). If you are using HTML for your e-mail
message, this is not necessary.
• This parameter can also contain a key defined under Application
Text in the Configuration section of the Action menu in the
OpenPages GRC Platform application. This is required if you wish
the notification e-mails to be sent in each recipient's selected
locale.
Send repeat notifications If this field is set to true, an e-mail will be sent to the Executive
and/or Primary owners every time the report is run and the object
continues to meet the notification criteria. If set to false, the
Executive and/or Primary owners will receive a single e-mail the first
time the object is included in the report results.
Note: If "Create Action Items" is set to false, then notification e-
mails will be sent each time the report is run, regardless of the value
of "Send repeat notifications".
Content type to send Determines which objects will be evaluated when the report is run.
notifications for
Notification reports can only be run against a single object type. If
you want to run the same report against multiple object types, you
will have to create multiple reports, or provide different parameter
values in the command line.
Action Item Description An optional description for the created Action Items.
Action Item should be If set, the Action Item’s Due Date will be set to the number of days
completed in after the creation of the action item.
For example, a value of 14 would give the created Action Item a due
date two weeks after the creation of the Action Item.
SOX Server The full URL of the OpenPages GRC Platform server machine. This
address is used to create the links contained in the notification e-
mail, and should NOT be set to localhost.
If omitted, the server URL will be determined automatically.
Report Title The text displayed as the title of the notification report.
Executive Owner Property The property containing the Executive Owner value. Should not be
changed unless you are using a custom Owner field.
Valid values can be obtained by looking at the profile for the object
selected in "Group Notifications by". In the Object Fields table on
that page, concatenate the value under "Field Group" with the value
under "Name". For example, "SOXBusEntity.Executive Owner" or
"System Fields.Last Modified By". You should only use properties
that can take a user name or group as a value.
Primary Owner Property The property containing the Primary Owner value. Should not be
changed unless you are using a custom Owner field.
Valid values can be obtained by looking at the profile for the object
selected in "Group Notifications by". In the Object Fields table on
that page, concatenate the value under "Field Group" with the value
under "Name". For example, "SOXBusEntity.Executive Owner" or
"System Fields.Last Modified By". You should only use properties
that can take a user name or group as a value.
Library Filter When you are running a notification report, you do not usually want
to include the Master Library in the report results, since they are not
considered "active".
If the path contains the value of the Library Filter parameter, it will
not be included in the report results.
Scope The scope parameter is used to limit the range of the notification
report. If you do not want to limit the scope of the notification report,
leave it set to /_op_sox/Project/Default.
If you wish to change the scope, click the Browse icon and select the
folder hierarchy you want to include in the notification report. Only
the objects under that folder will be evaluated when the report is run.
Procedure
1. Log on to the OpenPages GRC Platform application and click the Reporting menu on the menu bar.
2. Click the Notifications sub-menu to display the notification reports.
3. Choose the notification report you want to run and click the name of the report.
The results of the report are displayed in a new browser window.
Parameters
All parameters are in the syntax -parameter "value or string". If the value of any parameter
contains spaces, that value must be contained within quotation marks.
-NotificationProgram "Reporting\SOX\Notifications\
Test Notifications Report"
-ProgramFolder "Reporting\SOX\Notifications"
-SaveOutput (Optional) Can be true or false. If set to true, the output of the report will be
saved to an output file in the output_files directory under the |bin|
NotificationManager directory. If the parameter is not present, no output
file will be created.
The file name is the name of the notification report (or folder) with an "html"
extension. If an output file with that name already exists, a timestamp
extension will be added to the end of the existing file’s name and the older file
will be moved to the output_files|archive folder.
Example
Undetermined Controls.html.200406060103
-<parameter_name> (Optional) If you want to pass a value for a specific notification report
<parameter_value> parameter, you can include the parameter and value directly in the command
line. The parameter name must match the report parameter name exactly.
Where:
The parameter names can be viewed by logging on to the OpenPages GRC
<parameter_name> is
Platform server interface (typically opx) and navigating to the channel folder
the name of a specific
containing the report page. The parameter names are shown in the detail
parameter
page for the report, which can be viewed by clicking on the name of the report
<parameter_value> in the channel folder view.
is the value of that
Examples
parameter
• -mailServer mail.openpages.com
• -generalMessage "Please do not ignore this e-mail."
-ParameterFile Specifies a text file containing a list of parameter value pairs (equivalent to
entering individual -parameter "value or string" entries into the
command line directly). Each parameter value pair should be on a single line.
Value is the full path to the file, including the file name.
Example - for Windows:
-ParameterFile "c:\OpenPages\bin\NotificationManager
\notification_parameters.txt"
Database properties
database.type
Type of database (Oracle or DB2).
database.URL
Java Database Connectivity (JDBC) URL.
database.DRIVER
Java Database Connectivity (JDBC) driver.
database.USERID
Database user name.
database.PASSWORD
Database password (encrypted).
Domain property
appserver.weblogic.domain
Non-configurable system parameter.
Cache properties
cache.synchronizer.classname
Non-configurable system parameter.
cache.listener.enabled
Non-configurable system parameter.
cache.notifier.enabled
Non-configurable system parameter.
jms.providerurl
If you change the OpenPages bootstrap port number (default: 10101), update the bootstrap port
value in this parameter.
jms.topic.CacheTopic
Non-configurable system parameter.
Transaction properties
jta.providerurl
If you change the OpenPages bootstrap port number (default: 10101), update the bootstrap port
value in this parameter.
periodic.thread.dump.enabled
Possible values: true or false.
Procedure
1. On the Cognos server:
a) Click the Windows Start menu and point to Administrative Tools.
b) Select Server Manager.
2. In the Server Manager hierarchy pane:
a) Expand Roles.
b) Click Web Server (IIS).
3. In the Web Server (IIS) pane, verify if compression is installed:
a) Scroll to the Role Services section.
b) Under Performance, verify whether Static Content Compression and/or Dynamic Content
Compression are installed.
c) If these are installed, skip the remaining steps in this procedure and go to “Configuring HTTP
compression” on page 767. Otherwise, proceed to the next step.
4. To add static or dynamic content compression, click the Add Role Services link.
5. On the Select Role Services page of the Add Role Services Wizard:
a) To install:
• Dynamic compression, select Dynamic Content Compression.
• Static compression, select Static Content Compression.
b) Click Next to continue.
6. On the Confirm Installation Selections page, click Install.
7. On the Results page, click Close.
Procedure
1. On the Cognos server, click the Windows Start menu and select Control Panel.
2. Open Administrative Tools as follows:
a) Do one of the following:
c) In a text editor (such as Notepad), open the applicationHost.config file and find the
httpCompression tag.
d) Use the sample code that follows to verify the static and dynamic mime types, and add any
missing mime types to the file (such as xml, xml-dtd, vnd.ms-excel, and octet-stream).
<httpCompression directory="%SystemDrive%\inetpub\temp\IIS
Temporary Compressed Files" maxDiskSpaceUsage="1000"
minFileSizeForComp="0">
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
<staticTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/x-javascript" enabled="true" />
<add mimeType="application/atom+xml" enabled="true" />
<add mimeType="application/xaml+xml" enabled="true" />
<add mimeType="application/xml" enabled="true" />
<add mimeType="application/xml-dtd" enabled="true" />
<add mimeType="*/*" enabled="false" />
</staticTypes>
<dynamicTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/x-javascript" enabled="true" />
If the Legacy Framework is enabled, a relational data model is generated under the
OPENPAGES_DEFAULT legacy namespace.
The folder path to the OPENPAGES_DEFAULT legacy namespace is:
OpenPages|Platform|Reporting|Framework|Generation|Namespaces
Folders This folder contains a Reporting Periods subfolder with entries for Items
and Name. These entries are used by the framework generator and
should not be changed.
Is Default In the supplied framework model, the value of the DEFAULT namespace
is set to true and should not be changed. All other IBM OpenPages GRC
Platform supplied namespaces are defined as non-default namespaces.
All new namespaces that are added should also be defined as non-default
(value is set to false) namespaces.
The framework generator uses the definition of a namespace (from ObjectModel 1 and ObjectModel 2) to
create corresponding namespaces in the framework model. The following table lists the relationship
between objects when a namespace is generated.
Table 237: Namespaces and object relationships
If a relationship defined in a and the Then the framework generator...
namespace does this... namespace is a...
matches a relationship that is defined in default namespace automatically creates a direct
the object model relationship between these objects
non-default
namespace
excludes a relationship that is defined in default namespace automatically creates an associative
the object model "BY" relationship between these objects
non-default creates an associative "BY" relationship
namespace between these objects only if the
BY_RELATIONSHIPS entry contains
value pairs. If the BY_RELATIONSHIPS
entry is blank, then no 'BY' relationships
are created.
For more information about namespaces and the framework model, see the OpenPages GRC Platform
documentation located on your installation kit.
When you create a new non-default namespace, you initially create a container (folder) that must be
populated with the required namespace entries.
You can use the copy operation to copy these entries from an existing non-default namespace into the
new namespace.
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Set the value in the Show Hidden Settings setting to true. For details, see “Show hidden settings”
on page 311).
3. Expand the OpenPages | Platform | Reporting | Framework | Generation | Namespaces folder
hierarchy.
4. Select the Namespaces folder, and then click Add Folder.
Example
The following example shows the values you could use if you wanted parent-child BY relationship
between Application and Control objects, Personnel and Control objects, and Infrastructure and
Control objects:
Application|SOXControl,Personnel|SOXControl,Infrastructure|SOXControl
When the framework model is generated, the framework generator will create BY relationship query
subjects from the values in this entry.
10. Reset the value in the Show Hidden Settings setting to false.
11. When you are finished, regenerate the framework model. For more information, see “Updating the
reporting framework” on page 686.
After the framework generation is complete, the new namespace is available in Cognos to report
authors.
Procedure
1. Access the Settings page (see Chapter 15, “Viewing the Configuration and Settings page,” on page
307).
2. Expand the OpenPages | Platform | Reporting | Framework | Generation | Namespaces folder
hierarchy.
3. Expand the namespaces folder you want to modify.
4. Change the following entries as required: BY_RELATIONSHIPS, ObjectModel 1, and ObjectModel 2.
5. When you are finished, regenerate the framework model. For details, see “Updating the reporting
framework” on page 686.
Results
After the framework generation is complete, the modified namespace is available in Cognos to report
authors.
Default
BusinessEntity
ICDocumentation
Issue
IssueActionItems
Plan
Files and Forms
Breaking inheritance
Using the IBM OpenPages GRC Platform application user interface, you can break the inheritance
property on any folder.
When you break inheritance, access is limited to ONLY the groups and users who have an ACL for that
business entity. All other groups and users (besides the creator of the object) are automatically set to
Denied/Denied/Denied/Denied.
For large teams and projects who wish to restrict which areas of the project can be seen or modified,
breaking the inheritance "chain" is very helpful, since it automatically denies all groups and users access
to the particular business entity structure. Only the groups and users specifically included in an ACL have
access to the business entity children.
Instead of denying a group access to 49 sites, as in the previous example, now you only have to grant
access to the desired site, and the other 49 are denied by default.
Note: Breaking inheritance is not without its drawbacks. Because all groups (except
OpenPagesAdministrators and OPAdministrators) are denied access to the business entity, groups that do
not have an ACL entry cannot see the business entity or any object underneath the business entity. This is
true even if an ACL entry for a specific group is added to a sub-entity. Because the group (or user) is
denied Read access at the parent business entity, they cannot browse the tree to view the sub-entity
where they have access. The following sections will explain how to circumvent this restriction using
nested groups.
Procedure
1. Log on to the OpenPages GRC Platform application as a Super Administrator user with the Access
Control Lists application permission set.
2. Click Administration > Custom Security.
3. Navigate to the business entity folder where you want to break inheritance (under the Default
directory).
4. When you have found the desired folder, click the name of the folder to display the detail page.
Results
After you break the inheritance on a folder, the new permissions (or lack thereof) go into effect
immediately. Only members of the OpenPagesAdministrators and OPAdministrators groups will be able to
access the object, unless a specific ACL for a user or group is created.
Remember, no one except the groups (and sub-groups of those groups) listed in the Access Controls table
will be able to see the folder or its contents.
Note:
• The OpenPagesAdministrators group and the creator of a folder or object is exempt from ACL
restrictions. The creator always has Delete access to files and folders he or she has created, while the
OpenPagesAdministrators group has total access to all files and folders.
• If you have broken inheritance for a folder, there will be entries for the OpenPagesAdministrators and
OPAdministrators groups. These ACLs cannot be edited or deleted.
Procedure
1. Log on to the IBM OpenPages GRC Platform application as a Super Administrator user with the Access
Control Lists application permission set.
2. Click Administration > Custom Security.
3. Navigate to the folder in which you want to create a new ACL. Click the folder name to display the
detail page of the folder.
4. Click Add to add a new access control to the list.
5. In the Create an Access Control Setting page, choose the desired group or user from the drop-down
list.
6. Select the desired permissions by highlighting the appropriate choices and clicking OK when finished.
The dialog closes, and the new ACL appears in the list area of the folder detail page.
Read permission is required for Write and Associate access, and Write access is required in order for
Delete access to be granted. You can select any combination of permissions, but when you save the
ACL, it will be modified to be a valid combination of permissions.
For example, if you set Read/Write/Delete/Associate to Denied/Granted/Granted/Granted, when you
click OK, the displayed permissions will be Granted/Granted/Granted/Granted. Because users must
have Read permissions in order to have Delete permissions, the Read permission is changed to
"Granted".
In order to set Read to Denied, Write, Delete, and Associate must also be set to Denied.
7. Once you have finished setting the permissions, click the Access Control link in the Action menu to
return to the Access Control list.
Procedure
1. Log on to the IBM OpenPages GRC Platform application as a Super Administrator user with the Access
Control Lists application permission set.
2. Click Administration > Custom Security.
3. Click the folder name to display the detail page with the list of existing ACLs.
4. Click the check box next to the existing ACL you wish to modify and click the Edit icon to display the
Edit an Access Control Setting page.
5. Select the desired permissions by highlighting the appropriate choices and clicking Save when
finished. The dialog closes, and the updated ACL appears in the list area of the Access Control page.
Read permission is required for Write and Associate access, and Write access is required in order for
Delete access to be granted. You can select any combination of permissions, but when you save the
ACL, it will be modified to be a valid combination of permissions.
For example, if you set Read/Write/Delete/Associate to Denied/Granted/Granted/Granted, when you
click Ok, the displayed permissions will be Granted/Granted/Granted/Granted. Because users must
have Read permissions in order to have Delete permissions, the Read permission is changed to
"Granted".
In order to set Read to Denied, Write, Delete, and Associate must also be set to Denied.
For example, if you set a folder ACL for a group to Granted for Read, and leave Write and Delete blank,
they will be shown in the UI as Granted/Inherited/Inherited. However, if you set the permissions to
Granted for Delete, and left Read and Write blank, the ACL is displayed as Granted/Granted/Granted,
since Delete requires Read and Write permissions.
Procedure
1. Log on to the IBM OpenPages GRC Platform application as a Super Administrator user with the Access
Control Lists application permission set.
2. Click Administration > Custom Security.
3. Navigate the folder tree to display the folder containing the ACL you want to delete.
4. Click the folder name to display the detail page with the list of existing ACLs.
5. Click the check box next to the existing ACL you wish to remove and click the Delete icon to remove
the ACL.
Procedure
1. Log on to IBM OpenPages GRC Platform as a Super Administrator user with the Access Control Lists
application permission set.
2. Click Administration > Custom Security.
3. Navigate to the business entity folder where you wish to break inheritance (under the Default
directory).
4. When you have found the folder, click the name of the folder to display the detail page.
5. Click Add in the Access Controls table and choose the desired group or user.
6. Highlight the desired permissions for the group or user and click OK to add the ACL to the folder.
7. Now that a valid ACL exists for the folder, click the Disable Inheritance icon under the Folder heading.
The value of the "Inherit ACL" field is changed to "false" and the Disable Inheritance icon changes to
Enable Inheritance.
8. Click Access Controls in the breadcrumb trail to return to the Access Controls folder list.
9. Repeat this procedure for each business entity folder.
Note: Do not forget to modify the business entity folders under each object type in the
ICDocumentation tree.
Let’s follow one use case shown in the preceding diagram. The SystemWriters group becomes a sub-
group to the Region01Writers group (and the Region02Writers group, and so on). Then, the
Region01Writers group becomes a sub-group of the R01Site01Writers group (and the R01Site02Writers
group, etc.). The sub-groups of Region01Writers also become sub-groups of R01Site01Writers through
group inheritance. The effective members list of R01Site01Writers is now:
R01Site01Writers
<writer1>
<writer2>
...
Region01Writers
(SystemWriters)
In the previous example, SystemWriters is in parenthesis, because it isn’t explicitly added to the group -
it’s included as a sub-group of the RegionalXXWriters groups. The same goes for the ExecutiveTeam
group; it is added to each of the RegionXXReviewers groups. Executives only need Read access, so we
don’t need to add them to any other ACL classification.
Note: If you are using the Library paradigm, you do not want to add the ExecutiveTeam group to the
Library group. You don’t want empty Library data included into the executive level reports.
Now identify how to use the nested groups to set ACLs.
It is not necessary to specify the Region01Reviewers, Writers, or Directors. They are included as members
of the R01Site01 groups!
Specify ACLs for different access control levels (Read, Write, Delete, Associate) for business entity folders
that contain non-business entity objects. For example, in our hierarchy, Regions only contain the sub-
entity Sites - there are no accounts, processes, etc. directly associated with a Region. Therefore, we don’t
have to create ACLs for Region01Reviewers and the other ACL-specific groups at the Region level. In our
current example, here’s the ACL list for Region01:
The following guidelines identify whether to create an ACL for a user group on a business entity:
• If the business entity has accounts or processes associated with it, create an ACL for each entity-
specific group (such as R01Site01Writers, etc.) with the correct permissions.
• When you create ACLs for a business entity, replicate the ACL for each business entity folder underneath
the ICDocumentation folder structure. For example, you must create the same ACL list for the
ICDocumentation/Accounts/Region01/R01Site01 folder that you created for the BusinessEntities/
Region01/R01Site01 folder, and so on through each sub-folder structure under ICDocumentation
(Accounts, Processes, Risks, Controls, etc.).
Note: If no folder with the correct name exists, either no object of that type currently exists in the
business entity hierarchy, or parent folder ACLs do not include a group that contains the current user,
preventing you from seeing the folder.
• If a business entity only has sub-entities associated with it, you should not create individual ACLs for
the business entity’s Reviewer, Writer, and Director groups. We will deal with this in the next section,
Only one step remains - we’ve created the ACLs for our business entities, but when you log in, you can
only see the first level of your business entities. We now need to establish read permissions in the
business entities above our Site user groups, so that we can browse to the Site level and view our objects.
Procedure
To search knowledge bases for information that you need, use one or more of the following approaches:
• Find the content that you need by using the IBM Support Community.
The IBM Support Community is a unified, centralized view of all technical support tools and
information for all IBM systems, software, and services. Use the IBM Support Community to access the
IBM electronic support portfolio from one place. You can tailor the pages to focus on the information
and resources that you need for problem prevention and faster problem resolution.
• Search for content by using the IBM masthead search.
You can use the IBM masthead search by typing your search string into the Search field at the
beginning of any ibm.com® page.
• Search for content by using any external search engine, such as Google, Yahoo, or Bing.
If you use an external search engine, your results are more likely to include information that is outside
the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM
products in newsgroups, forums, and blogs that are not on ibm.com.
Tip: Include "IBM" and the name of the product in your search if you are looking for information about
an IBM product.
Getting fixes
A product fix might be available to resolve your problem.
Procedure
To find and install fixes:
1. Determine which fix you need. Go to http://www-933.ibm.com/support/fixcentral/
2. Download the fix. Open the download document and follow the link in Download the package.
3. Apply the fix. Follow the instructions in Installation Instructions of the download document.
4. Subscribe to receive weekly email notifications about fixes and other IBM Support information.
Procedure
To contact IBM Support about a problem:
1. Define the problem, gather background information, and determine the severity of the problem.
For more information, see the Getting IBM support topic in the Software Support Handbook.
2. Gather the following diagnostic information:
Results
If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM
Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in
detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is
resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that
other users who experience the same problem can benefit from the same resolution.
“Contacting IBM Support” on page 787
“Exchanging information with IBM” on page 788
Procedure
To submit diagnostic information to IBM Support:
1. Open a problem management record (PMR). You can use the IBM Support Assistant or The Service
Request tool.
2. Collect the diagnostic data that you need. Diagnostic data helps reduce the time that it takes to resolve
your PMR. You can collect the diagnostic data manually or automatically.
3. Compress the files by using the .zip or .tar file format.
4. Transfer the files to IBM.
You can use one of the following methods to transfer the files to IBM:
Procedure
To download files from IBM Support:
1. Use FTP to connect to the site that your IBM technical-support representative provided and log in as
anonymous. Use your email address as the password.
2. Change to the appropriate directory:
a) Change to the /fromibm directory.
cd fromibm
cd nameofdirectory
binary
4. Use the get command to download the file that your IBM technical-support representative specified.
get filename.extension
quit
Procedure
1. Go to the IBM Support Portal and click Other > My Notifications.
2. Sign in using your IBM ID and password, and click Submit.
3. Select the updates that you want to receive..
a) Type OpenPages in the Product lookup box.
b) Click Subscribe.
c) Select the types of notifications that you want to receive; for example, new information about
product downloads and discussion group comments.
d) Click Submit.
4. Click Delivery options. Choose how you want to receive notifications, and then click Submit.
Results
Until you modify My Notifications preferences, you receive notifications of updates that you requested.
You can modify your preferences when needed (for example, if you stop using one product and begin
using another product).
Visualizations require the reporting schema from which to derive their data and to load properly. Because
Active Reporting Periods are being closed or finalized, the reporting schema is populated only with the
data from the current reporting period. Therefore, when the active reporting period is selected, the
Procedure
1. Log on to the search server as a user with administrative privileges.
2. Open a command line on the search server.
3. Go to the <SEARCH_HOME>/opsearchtools/ directory and run the following commands.
On Microsoft Windows operating systems, run:
Procedure
1. Investigate and resolve the root cause of the failure.
2. Log on to OpenPages as a user with administrative privileges.
3. Click Administration > Global Search.
Procedure
1. Log on to the search server as a user with administrative privileges.
2. Open a command line on the search server.
3. Go to the <SEARCH_HOME>/opsearchtools/ directory to run the commands in the following steps.
opsearchtool.cmd startSolr
UNIX:
./opsearchtool.sh startSolr
UNIX:
UNIX:
What to do next
Resetting the global search component does not change your global search settings, such as object types,
fields that are enabled for search, registry settings, or property settings. The reset disables the global
search component. You must enable it again to make it available to users.
Procedure
1. Log on to OpenPages as a user with administrative privileges.
2. Go to the directory <SEARCH_HOME>/opsearchtools/logs_error/ .
3. Examine this directory for new error files.
mkdir diag
opsearchtool.cmd collectDiagData -diagpath diag
• UNIX:
mkdir diag
./opsearchtool.sh collectDiagData -diagpath diag
Attention: The collectDiagData command might report warning messages that look as if
the command failed. This warning can happen due to a number of reasons, such as the data
that is being collected cannot be accessed or is not yet available. If you see any such warnings,
capture them and include them as part of the diagnostic data to IBM OpenPages Support.
4. Add the contents of the new folder that is created under the diag folder to a compressed file.
5. Send the compressed file and complete details about your issue to IBM OpenPages Support.
These warnings can be safely ignored. In general, a Tivoli Directory Integrator project typically has an
associated properties file named after the enclosing project to hold any project-specific properties, but
this file is not strictly required.
the product user interface, security domain groups are represented by this icon , and user groups are
Procedure
1. Log on to the OpenPages admin application server as a user with administrative privileges.
2. Stop all OpenPages services.
3. If you are using Microsoft Windows, start the DB2 command line processor by typing db2cmd.
4. Log in to CLPPLUS as the OpenPages database user, for example openpages.
5. Run the following command:
call OP_RPS_MGR.DROP_AND_REORG_OBSOLETE_RT_COLS;
The length of time that it takes for the command to run varies depending on the number of tables with
obsolete columns that need to be dropped and the size of those tables.
When the command completes, the following message is displayed:
Be aware that Java applets are not supported by the Chrome browser
Some functionality that depends on Java applets, such as the File Upload and OPX, may not work as
expected when you use the Chrome browser.
Because the Chrome browser does not support Java applets, the Optimized File Upload button on the
detail page does not show on browsers that don't support it. For more information, see “Optimize file
uploads” on page 323.
For OPX, publishing and reporting functionality such as Assign Files, Assign Folder, Add Page, and so on,
do not work with the Chrome browser. You must use Microsoft Internet Explorer in OPX to use the applets
that control these features.
Procedure
1. Open a supported browser.
2. Go to the IBM OpenPages GRC Platform URL.
3. Log in with an administrator ID.
4. On the navigation menu bar, click Administration > Profiles.
5. Click a profile.
6. In the Object Types section, click the object type.
7. Scroll to the Navigational Views section.
8. Click on the Overview link.
9. In the Included Object Types section, modify the list accordingly.
Best practices for configuring the IBM OpenPages GRC Platform 799
Procedure
1. Log on to SQL*Plus as the OPENPAGES oracle id.
2. Type the following command to allow the output to occur: SET SERVEROUTPUT ON;.
3. Type the following to spool the contents to a log: SPOOL AnalyzeRelationships.txt;.
4. Run the script by typing @Analyze-Object-Type-Relations.sql.
5. Run the following to stop the spooling of the log: SPOOL OFF; .
The log file will identify any relationships that are enabled in the system but there are no instances of
data utilizing those relationships.
Procedure
1. Open a supported browser.
2. Go to the OpenPages GRC Platform URL.
3. Log in with an administrator ID.
4. On the navigation menu bar, click Administration > Profiles.
5. Click a profile.
6. In the Object Types section, click the name of the object type using the display.
7. In the Object Fields table for the selected object type, click the name of the reporting fragment to
open its details page.
8. In the Object Field Information section, click Edit.
9. Update the Display Type dropdown.
Procedure
1. Open a supported browser.
2. Go to the OpenPages GRC Platform URL.
3. Log in with an administrator ID.
4. On the navigation menu bar, click Administration > Profiles.
5. Click a profile.
6. Use the Home Page Tab Configuration section to display reports on various tabs or the My Work Tab
Configuration area to display reports on the My Work home page.
Procedure
1. Open a supported browser.
2. Go to the OpenPages GRC Platform URL.
3. Log in with an administrator ID.
4. On the navigation menu bar, click Administration > Profiles.
5. Click a profile.
6. In the Object Types section, click the name of the object type using the display.
7. In the Object Fields table for the selected object type, click the name of the field using one of the
display types to open its details page.
8. In the Display Type Information section, click Edit.
9. Update the Starting Group value.
Task-oriented hyperlinking
You can add hyperlinks that are directly oriented to user tasks, from internal or external locations to IBM
OpenPages GRC Platform views. These hyperlinks can also include filters.
For example, in a notification email to a risk owner, you can include a hyperlink to the Filtered List View for
Risks with the Risks Awaiting Assessment filter added to the link.
You can create hyperlinks that include the following target views:
• The Detail View for a specific object instance, in read-only mode.
• A specific activity view for an object instance.
• The Filtered List View for a specific object type with a public filter applied.
• A specific grid view for an object type with a public filter applied.
Best practices for configuring the IBM OpenPages GRC Platform 801
• Add New wizard within the OpenPages application. The wizard opens in its own browser tab instead of a
pop-up, even if the user was logged in to OpenPages when they clicked the link.
You can add hyperlinks to the following locations:
• OpenPages Reports.
• Notification emails.
• OpenPages Java Server Page (.jsp) file type helper applications.
• Within the OpenPages application, using computed fields or URL link fields.
The following sample URLs can help you create task-oriented hyperlinks:
• In the samples the URLs are created by using either the name value, or the resource ID value for views,
objects, and filters.
• If you use a name for a value, replace any spaces in the name with the characters %20. URLs cannot
contain spaces.
• If you use a fileId, viewId, or filterId to create a URL, the values for the Ids are the resource IDs of
specific object instances, views, or filters.
• There is one Filtered List View, but many possible Grid Views. There is one Detail View, but many
possible Activity Views.
• For the Add New wizard hyperlinks you can combine the parameters in more ways than are described in
the samples. For example, you can specify a parent without specifying a view.
To Filtered List View with the object type, grid view, and filter specified
Syntax:
/openpages/app/jspview/flv?prmt=<name of the object type>&view=<name of the grid
view>&filter=<name of the public filter>
Example:
/openpages/app/jspview/flv?prmt=SOXProcess&view=PRSA%20Update&filter=My%20Processes
To Filtered List View with the object type, Filtered List View, and filter specified
Syntax:
/openpages/app/jspview/flv?prmt=<name of the object type>&view=Filtered%20List&filter=<name of
the public filter>
Example:
/openpages/app/jspview/flv?prmt=SOXProcess &view=Filtered%20List&filter=My%20Processes
To Filtered List View or Grid View with the object type, view, and filter specified
Syntax:
In this example, the values are resource IDs instead of names.
Example:
/openpages/app/jspview/flv?prmtId=97&viewId=205&filterId=101
To Filtered List View with the object type and view specified (previous filter is applied)
Syntax:
When a filter is not specified, the most recent, previously used filter is applied. The view, and filter
parameters are optional.
Examples:
/openpages/app/jspview/flv?prmt=SOXProcess&view=PRSA%20Update
/openpages/app/jspview/flv?prmtId=97&viewId=205
To Filtered List View or Grid View, object type specified (previous view and filter are applied)
Example:
Best practices for configuring the IBM OpenPages GRC Platform 803
or
/openpages/app/jspview/addNew?objectType= <name of the object type>&viewName=<name of the
view>&parentObjTypeId=<id of the parent object type>
Example:
/openpages/app/jspview/addNew?
objectType=SOXControl&viewName=ShortViewForControl&parentObjTypeId=11
Parent object type or parent object type ID is optional. If multiple object types are suitable as parents
for this object type, the default is the one specified in the setting Applications/GRCM/Add New
Wizard/Parent Object Type Preferences. If the specified parent object type is invalid, it is ignored.
It is likely that you would use parent type ID only if the URL is generated and the object type id is
conveniently available.
To Add New wizard with object type, view, and parent specified
Syntax:
/openpages/app/jspview/addNew?objectType=<name of the object type>&viewName=<name of the
view>&parentObjType=<name of the parent object type>&parentObjId=<id of the parent object >
Example:
/openpages/app/jspview/addNew?
objectType=SOXControl&viewName=ShortViewForControl&parentObjType=SOXRisk&parentObjId=12
34
Parent object ID is optional. Use this parameter to pre-select the parent on the Parents page of the
wizard. If specified, the parent object type is required. If you are not creating the URL
programmatically, you can find the parentObjId by navigating to the object in the Detail page and
using the prmId parameter. If the specified parent object is invalid, it is ignored.
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply that only
that IBM product, program, or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
This document may describe products, services, or features that are not included in the Program or
license entitlement that you have purchased.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not grant you any license to these patents. You can send license
inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property
Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in
any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of
the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and other programs (including this
one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
Location Code FT0
550 King Street
Littleton, MA
01460-1250
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases,
payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by
IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any
equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the
results obtained in other operating environments may vary significantly. Some measurements may have
been made on development-level systems and there is no guarantee that these measurements will be the
same on generally available systems. Furthermore, some measurements may have been estimated
through extrapolation. Actual results may vary. Users of this document should verify the applicable data
for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without
notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate
them as completely as possible, the examples include the names of individuals, companies, brands, and
products. All of these names are fictitious and any similarity to the names and addresses used by an
actual business enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
This Software Offering does not use cookies or other technologies to collect personally identifiable
information.
Copyright
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2018.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs
in any form without payment to IBM, for the purposes of developing, using, marketing or distributing
application programs conforming to the application programming interface for the operating platform for
which the sample programs are written.
These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee
or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute
these sample programs in any form without payment to IBM for the purposes of developing, using,
marketing, or distributing application programs conforming to IBM's application programming interfaces.
Trademarks
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide.
806 Notices
The following terms are trademarks or registered trademarks of other companies:
• Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or
trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
• Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
• Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
• UNIX is a registered trademark of The Open Group in the United States and other countries.
• Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at " Copyright and trademark information " at www.ibm.com/legal/
copytrade.shtml.
Notices 807
808 IBM OpenPages GRC Version 7.4.0 : Administrator's Guide
Glossary
In this glossary, you can find terms and definitions for IBM OpenPages GRC Platform
access control list (ACL)
A concept in computer security used to determine the permissions (Read, Write, Delete, and
Associate) a user or group can have on the folder structure of an object type (such as, an Entity, Risk,
or Test). ACLs provide a means to control who has access to what and with which permissions. ACLs
can be assigned to groups and users via a Role Template.
Action Menu
The menu bar that is always displayed at the beginning of a page. To reveal menu items, hover your
mouse pointer over a menu name. Your permissions determine which menus and items are available.
Actor ACLs
These are a set of administrator access rights (Manage, Lock, Unlock, Reset Passwords, Assign Roles,
Browse) defined on users and groups. These access rights control the operations an administrator can
perform on a particular user or group.
administrator
A user that is granted special permission to manage a Business Entity, including the assignment of
Roles to users and groups.
application permissions
A list of permissions that allow groups and users to access certain activities, including administration,
within the application (such as the ability to view, lock, or unlock objects, or create and delete
reporting periods).
associations
Relationships that exist among objects, or between objects and attached files. Example: A sub-entity
may be directly associated with a process or business function.
audit universe
The aggregate of all areas within an organization that can be audited.
business unit
One or more Entities, Processes or Sub-Processes.
CSV
Comma separated values. A type of file that uses a comma-delimited format.
group
A generic term that encompasses both organizational and security domain groups.
listing pane
The pane on an object's Detail View page that is displayed when you click the name of an associated
object type. It lists all the names of objects for that type that are associated with the current object,
and has an Actions Menu for adding new objects, or associating and copying existing objects of the
same type.
object
Any item that contains or receives information, such as Business Entities, Processes, Risks, Controls,
Issues, Tests and so forth. In a security context, an object is the piece of data to which access control
is applied (such as, Business Entity, Process, Sub Process, Risk Assessment). Also called "resource".
object type
A category or type of object, such as a Risks, Controls, Issues and so forth. In a hierarchy of objects,
each object type has a set of allowed relationships with other object types.
organizational group
A group that is created by an administrator to organize users within an organization. Organizational
groups are typically associated with security domain groups and other organizational groups.
pane
A section or component of an object view. For example, a Detail View page typically consists of several
panes, such as a Details pane, Context pane, Associations pane, Listing pane, and an Attachments
pane.
resource
See "object".
Resource ACLs
These are a set of access rights (Read, Write, Delete and Associate) defined on the parent folder of an
object. These access rights control the operations a user can perform on the folder and any objects
under that folder.
role
An instance of a Role Template that is applied to a set of Users/Groups for a specific security context.
Roles are granted to Users/Groups which allows them access to objects with certain permissions.
Some examples of roles are: Process Owner, Control Owner, and Tester.
Role Template
A security object that you can use to define all aspects of application security for various groups and
users within a business unit. It contains access control definitions on folder structures for object types
and application permissions. Role Templates generally reflect the usual or expected function that a
user or group plays within an organization. Some examples or Role Templates that can be defined are
Process Owner, Control Owner, and Tester. The template can then be applied to different Users/
Groups for a specific security context.
security context point
A point defined in the OpenPages security model that you can use to assign roles to users and groups
for controlling access and application permissions to objects under that security point.
security domain group
A group that is automatically created by the system when a business entity or subentity is created.
Business entity security domain groups are located under the top level (root) Security Domains folder
on the Users, Groups and Domains page.
811
approval app (continued) best practices (continued)
customizing the JSON file 707 deleting unused object types 799
Asian characters 277 dependent picklists 798
assigning display reporting fragments on demand 800
permissions 24 field dependencies 798
roles to user or group 54 field groups 797
associating field names 797
group 31 limit complexity of security rules 799
profiles to users and groups 217 limit number of objects 797
association limit number of portlets on home page 798
relationship 180, 182 limit number of security rules 799
association heuristic (reassigning primary parents) 346 limit number of SOXBusEntity objects in system 799
asynchronous background jobs 385, 386, 421, 422 limiting associations in the overview 798
audit minimizing starting groups 801
Audit Change Report 110 OPX functionality 797
audit change values 111 security rules 78
event 110 shared field groups 799
Primary association 111 using activity views 798
audit configuration changes 479 Boolean
Audit Report 479 data type 143
aurora log file browser
backing up 543 best practices 547
maximum size 543 display issues 546
Aurora properties and parameters 759 locale settings 546
aurora.properties file security 545
preparing passwords 39 setting time out 543
auroralogging.properties 543 browser back and forward icons 307
automatic restart 551 browsers
troubleshooting
known problems and solutions 543
B bucket heading 283
back icon 307 Business Entity organization chart
background jobs 385, 386, 421, 422 visualizing 97
background processes 385, 421 Business Entity organizational chart 96
backing up Business Process Manager
aurora log file 543 configuring 719
backup utility maintaining 720
OpenPages application server 387, 424
overview 387, 424 C
Backup utility
refreshing a test environment 399 CAF setting 545
Backup Utility cardinality settingsmodifying 184
.zip file 389, 392, 428, 433 cascading signature settings 329
about 383, 394, 419 certificate authority 513
CommandCenter 391 certificate authority approval
custom files 387, 425 Apache load balancer server 510
large files 388, 392, 427, 432 IBM HTTP 508, 512
log files 389, 392, 428, 432 web server 503, 505
manifest file 387, 425 WebSphere application server 497
OPBackup file formats 389, 428 Certificate Authority certificates 499
OPCCBackup file formats 393, 433 certificates
OpenPages CommandCenter 430 importing into Java 498
password encryption 423 certification
refreshing a test environment 397, 441 approval app 705
running 425 change database references 485
running background jobs 385, 421 changed features
running live backups 388, 427 7.1.0 13
running OPCCBackup 392, 398, 432 changing IP address for Oracle server 484
storage 389, 428 check-out 310
bandwidth, improve 530 child objects
batch processing 623 access controls 63
best practices more than the maximum number of associations 179
Chrome 797 security rules 71
configuring Cognos reports 800 ClassNotFoundException error message 502
812
cluster Configuring loss event entry, how users are handled 711
configure thread-dump logs 537 Configuring loss event entry, where loss events get created
Codes 711
Locale 277 Configuring questionnaire assessments 699
cognitive services Configuring the reporting framework 659
configuring 724, 725, 728–730 Configuring the reporting framework, how to plan 664
Cognos Connection Refused error message
services 560 troubleshooting 698
Cognos Application Firewall 545 connector currency values
Cognos dashboards and stories specifying 694
creating instances of 121 connector date values
Cognos SSL certificate renewal on Apache 517 specifying 694
Cognos SSL certificate renewal on IIS 516 connectors 694
command line tips for the Tivoli Directory Integrator 698 context panes 241
CommandCenter controller conditions
Backup Utility 391 copying 200
restore utility 433 Copy Access From Inactive setting 312
commands copy operation settings 324
Windows 549 Copy User Info Attributes setting 312
common folder settings 341 Copy User Info Choice setting 312
Compare Environments tool copy views to profile 244
Export Max Rows setting 345 copying access from one user to another 30
Max Memory setting 345 creating
compressing files for upload 323 computed fields 153
compression long string index 452
see HTTP compression 530 long string index in DB2 408
computed field definitions non-default namespace 772
exporting 614 organizational group 30
computed fields scheduled jobs to synchronize long string index 410,
creating 153 454
creating with multiple namespaces 156 user accounts 27
defining 155 creating a profile 214
expression 154 creating process flow 99
importing 153 creating public filters
model an equation 153 object types 175–178, 186, 188–191, 220, 236, 799
nesting 157 creation views
report specification 153 defining 256
configuration changes cross-context sharing 347
migrating 575 cross-site scripting
configure filter setting 351
embedded reports 231 Safe Tags setting 352
My Reports 231 csv file
password requirements 36 formatting 149
reports on a Home page 230 uploading 149
configuring cultures 278
password encryption 37 currency
password policies 37 data type 143
security provider 39 currency display type
SSL 500 editing 148
Configuring Business Process Manager 719 viewing 148
Configuring cognitive services 723 currency exchange rates
configuring data import adding 149
RCA 738 disabling 150
configuring email notifications 690 editing 148
configuring global search 363 enabling 150
configuring global search properties 377 currency field definitions
configuring global search registry settings 367 exporting 613
configuring Loss Event Entry 716 importing 612
Configuring loss event entry 709 currency field values
Configuring loss event entry, how to configure the editing 148
confirmation email 715 Custom folder
Configuring loss event entry, how to dates are validated 712 adding new keys 286
Configuring loss event entry, how to launch 712 using 286
Configuring loss event entry, how to plan 709 custom forms
813
custom forms (continued) DB2 database
adding 188 tuning 535
associating to an object 189 DB2 Text Search
setting up 187 enabling for long string filtering 407
custom settings install and configure 405
create 340 decimal
delete 340 data type 143
customizing global search after initial enablement 365 decrypting
customizing global search on initial enablement 364 OpenPages repository 83
cyclic relationships 180 Default Allowed Profiles setting 313
default Filtered List View 310
default folder view 310
D default object in parent picker 206
dashboard and story templates Default User Change Password setting 313
modifying existing 123 Default User Password Expiration setting 313
dashboard or story default value
deleting 124 enumerated string values 160
Dashboard tab defining
troubleshooting JSON export 795 application permissions 31
data import defining a new namespace 772
RCA 738 Definition worksheet
data load template 634 parameters 642
data source 485 unhide 642
data types delegate activities
Boolean 143 administrator 21, 22
currency 143 deleting
date 143 dependent fields 198, 200, 202
decimal 143 dependent picklists 210
enumerated string 143 filters 190, 191, 196, 197, 404, 405, 407, 408, 410,
fragment 143 411, 451–456
integer 143 object field definitions 174
long string 143 profiles 216
security rules 72 rules 78
selecting 143 deletion interval for reporting period 311
simple string 143 dependent field
single file 143 adding 198
database modifying controllers 200
about online backups 434 dependent fields
changing references 485 copying controller fields 200
crash recovery 441 deleting 78, 174, 197, 202, 210, 216
DB2 back up and restore 394 dependent picklists
disable online backup 441 adding 208
online backup 434 as dimensions 675
Oracle 10g 483 best practices 798
RMAN 434 configure 207
Database passwords deleting 210
Changing 480 enabling or disabling 209
IBM WebSphere 483 modifying 209
Oracle 480 deployments 575
database references, change 485 development deployment 575
database server dimensions
default port 469 about 661
date date 677
data type 143 enumerated strings 675
date data types 72 picklists 675
date type dimension Disable the Files of OPX 327
add 677 disabling
delete 678 field level encryption keystore 83
disable or enable 678 profiles 213–217
modify 678 disabling associations between
date type dimensions object types 175–178, 186, 188–191, 220, 236, 799
using 677 disassociating
DB2 group 31
back up and restore database 394 profiles from users 218
814
display columns in selectors 314 encryption key
display of tabs with no fields 205 algorithm 81
display order changing AES 42
of object types 220 encryption keystore
display types editing 84
enumerated strings 274 Entity Move/Rename Utility
long strings 271 about 412, 463
reporting fragments 261 input file 414, 464
simple strings 262 run as a scheduled task 416, 466
domains 19 run interactively 415
Draft (diagram status) 104 enumerated string
dropping data type 143
long string index 411, 455 enumerated string values
dynamic fields 198 adding 160
dynamic tables as dimensions 675
about 228 changing the order of 160
configure 228 default value 160
edit 230 deleting 162
hiding 161
unhiding 161
E environment
e-mail verifying 38
configure OPBackup notification 383, 420 environment files
editing password encryption 423
profiles 213–217 environment migration
editing Apache configuration file best practices 581
Apache load balancer server 510 dependent items migrated 578
editing properties exporting items 583
object types 175–178, 186, 188–191, 220, 236, 799 importing items 584
email items migrated 577
configure Notification Manager 745 items not migrated 579
email notifications process of 582
configuring 690 settings 320, 575
embedded reports validating the import 584
configure 231 validation and 579
performance considerations 232 environments
working with 231 comparing 563
enable associations of child objects 331 equation editor
enable icons on locked objects 331 about 344
enable login sso 354 equations
enabling modeling 153
currency exchange 612 Excel worksheet. See FastMap. 627
field level encryption keystore 83 exchange rates
OpenPages repository 83 editing for existing currency code 149
profiles 213–217 excluding
enabling a view 241 object types from an overview page 247
enabling and disabling excluding fields
field dependency behavior 201 object type 177, 219, 220, 247
enabling associations between excluding from a profile
object types 175–178, 186, 188–191, 220, 236, 799 object type 177, 219, 220, 247
enabling file attachment search 362 excluding object types
enabling file types for search 362 profile 217–219, 236, 244
enabling global search 361 excluding settings from migrating 617
enabling or disabling Export Max Rows 345, 565
dependent picklists 207–210, 675, 798 exported XML files
enabling or disabling object types or fields for global search comparing 563
363 exporting
encryption computed field definitions 614
field level 81 configuration data 575
password 37 currency field definitions 613
encryption algorithm data 589
change AES key 42 exporting configuration changes 619
legacy systems 41 exporting data 619
UPEA tool 38 exporting metadata changes
815
exporting metadata changes (continued) fields (continued)
ObjectManager 589, 593, 616 decrypting (continued)
EXTEND rule 58 fields 152
external system, import data 651 encrypting
field values 151
encrypting values for 151
F excluded 211
facts including in an object type 219
about 661, 683 long string
disabling 675 encrypting 151
enabling 675 simple string
facts and dimensions encrypting 151
process for configuring 674 fields from an object type
facts and dimensions, configuring 674 excluding 219, 220, 247
FAQs file
global search 380 check-out 310
FastMap checked in 310
access 625 file attachment search
define the path of an object 635 enabling 362
Definition worksheet 641 enabling file types 362
errors and warnings 626 file type information
export data into template 634 configuring 186
export template 642, 643 file types
Filtered List View page export settings 337 adding 186
import jobs 626 associating with object types 186
import process 635 removing 187
import status 632, 633 file upload, setting 323
JSP 623, 642 filtered list view
locale 625 about 237
optimize performance 653, 654 grid view pages
overview 623 configuring 237
parameters 642, 644 Filtered List view
securing import templates 655 add object fields 246, 257
template 624 disabling 242
user profile 625 remove object fields 246
validation 625 Filtered List View
validation messages 627 displaying initial results 337
worksheet 624 FastMap export 337
field dependencies remove object fields 258
best practices 798 filtered list view settings 337
field dependency behavior filters
enabling and disabling 201 adding to object types 191
field groups associating views 196
adding 142 configuring DB2 Text Search for long strings 405
adding fields to 142 considerations before you begin 190
best practices 797 copying 196
best practices for shared 799 creating DB2 long string index 408
deleting 173 creating long string index 452
including in an object type 177 creating scheduled jobs to synchronize long string
field guidance 308 indexes 410, 454
field level encryption currently logged on user 196
disabling the keystore 83 deleting 78, 174, 197, 202, 210, 216
enabling the keystore 83 dropping long string indexes 411, 455
key 81 enabling DB2 Text Search for long strings 407
keystore 81, 82 enabling Oracle Text for long strings 453
field level security modifying 197
redaction stop words for long string indexes 456
field level security 70 utilities for long strings 404, 451
security folder view
field level 70 about 237
field names Folder view
best practices 797 disabling 242
fields folder view pages
decrypting configuring 237
816
fragment Hierarchy diagram 96
data type 143 home page
framework generator port 476 best practices for limiting portlets 798
Framework Model Generator Cognos reports 800
starting and stopping on Windows 561 Home page
Framework Model Generator service configure reports 230
starting and stopping on AIX 561 configure the Dashboard tab 233
starting and stopping on Linux 561 configure the My Work tab 227
configuring tabs 225
considerations 224
G creating content on the Dashboard tab 234
generating a CSR display order of tabs 226
iKeyman tool 507, 511 dynamic tables 228
generating a CSR file editing content on the Dashboard tab 235
IBM WebSphere Integrated Solutions Console 497 exporting configuration of the Dashboard tab 236
generating a key pair and request hide or unhide tabs 226
Apache load balancer server 509 JSON download 236
Apache web server 504 layout of tabs 224
generating a keystore and key pair My Work
IBM HTTP server 507, 511 Dashboard 223
global search overview 223
add a custom field 366 pre-defined tables 228
administering 357 Tab Configuration table 225
configuring 363 tabs 223
customizing after initial enablement 365 host setting 347
customizing on initial enablement 364 HTTP
enabling 361 security 351
enabling or disabling object types or fields 363 HTTP compression
OPBackup and OPRestore 360 about 530
properties 377 disabling 530
registry settings 367 httpd.conf file
starting services 553 editing 509
stopping services 554 hyperlinking
unhiding registry settings 367 to object instances, views, filters 801
global search FAQs 380
global search properties I
error handling parameters for the indexer 377
maximum heap size 377 IBM Cognos service
maximum opsearchtool.jar heap size during indexing starting and stopping 560
378 starting and stopping on AIX 561
maximum Solr heap size 378 starting and stopping on Linux 561
maximum text extraction heap size during indexing 379 starting and stopping on Windows 561
root path location for file attachment search 379 IBM HTTP
setting the text extractor timeout limit 379 certificate authority approval 508, 512
globalization 278 IBM HTTP server
grid view generating a keystore and key pair 507, 511
defining 248 SSL configuration 511
grid views IBM OpenPages
disabling 242 restore 383
Group Selector 271 IBM OpenPages application and database
groups backup 383, 419
associating 31 DB2 back up and restore 394
associating profiles 217 restore 383, 419
creating 30 IBM OpenPages CommandCenter
disassociating 31 backup 383
Groups DB2 back up and restore 394
Nested 781 IBM OpenPages GRC SDI Connector for UCF Common
Using to limit user activities 779 Controls Hub 694
gzip format 389, 393, 428, 433 IBM WebSphere Application server
session cookies 501
IBM WebSphere Integrated Solutions Console
H generating a CSR file 497
hidden settings 311 importing certificates 497
IIS 531
817
iKeyman tool keywords (continued)
generating a CSR 507, 511 security rules (continued)
importing certificates 508, 512, 513 record level 72
import data
external system 651
see also FastMap 623
L
importing languages 278
configuration data 575 LDAP
currency field definitions 612 authentication module, configuring 84
data 589 configuring for user accounts 26
importing certificates mixed-mode authentication 87
IBM WebSphere Integrated Solutions Console 497 user authentication 84
iKeyman tool 508, 512, 513 legacy move behavior 346
importing changes 621 Legacy Reporting Framework Generation settings
importing configurations 621 defining a new namespace 772
importing RCA data namespaces 774
RCA 742 Linux
Importing RCA data 737 scripts 550
importing root certificate Linux load balancer server
Microsoft Internet Information Services 503 SSL configuration 507
importing the root certificate list view pages 240
Apache load balancer 510 live backup 388, 427
Apache web server 505 loading
importing the server certificate data 589
Apache web server 506 locale browser settings 546
indexes Locale codes 277
adding 349 localizing
example 349, 350 system fields 280
installation lock and signature settings 328
default ports 469 lock menu for display settings 330
integer lock menu settings 330
data type 143 locked
interactive task parent object 331
Entity Move/Rename Utility 415 locked objects
IP address enabling associated object icons 331
static 483 locking a user account 351
locks
J enabling and disabling 329
objects 330
Java log files
importing certificates into 498 OPBackup 389, 428
Java Commands OPCCBackup 392, 432
Workflow 767 OPCCRestore 394, 434
java.security file 39 OPRestore 391, 430
JDBC data source 485 Logs
JSON export periodic thread dump 537
troubleshooting 795 long string
JSON file data type 143
configuring for approval app 701 long string fields
customizing for approval app 707 running string concatenation 457
JSP files 176 string concatenation SQL file 458
String Concatenation Utility 457
long string indexes
K creating 452
key pair and request creating in DB2 408
Microsoft Internet Information Services 503 creating scheduled jobs to synchronize 410, 454
keys 286 dropping 411, 455
keystore enabling DB2 Text Search 405, 407
field level encryption 82 enabling Oracle Text 453
generating 496 stop words 456
keywords utilities 404, 451
security rules loops 180
field level 72
818
M navigation bar (continued)
modify menu items 316
mail server address modify menu order 316
setting 322 navigational view
managing for object types remove view page 242
filters 190, 191, 196, 197, 404, 405, 407, 408, 410, Navigational View
411, 451–456 configuring 237
managing object types 175 new features in version 7.1.0 11
map to date fields 678 new features in version 7.2.0 8, 9
Max File Upload Size 565 new features in version 7.3.0 6
Max Memory 345, 565 new features in version 7.3.0.1 5
menus new features in version 7.3.0.2 4
modifying submenu items 316 new features in version 7.4.0
modifying the order of 316 administration and serviceability 2
messaging information 537 platform enhancements 1
Microsoft Internet Information Services New User Default Locale setting 313
adding certificate snap-in 502 numeric data types 72
adding SSL binding 504
importing root certificate 503
key pair and request 503
O
migrating object aspect 110
configuration changes 575 object field definitions
data 589 deleting 174
migrating configuration changes 615 modifying 150
migrating environments, See environment migration object fields
mode setting 329 Business Entity Selector types for simple strings 263
models, adding using the template model 669 display types for enumerated strings 274
models, reporting framework 659 display types for long string fields 271
modify identifying new 139
role template 52 modifying the phonebook 271
modify text displayed in the application 282 on demand display types for long string fields 272
modifying rich text area display types for simple strings 262
controllers for dependent field 200 rich text display types for medium long string fields 273
stop words for long string indexes 456 Schema Analysis report 141
user accounts 28 setting a default value for 152
modifying field properties setting the display order of 243
process diagrams 98, 99, 103–105 text and URL display types for simple strings 264
modifyinng text area display types for simple strings 266
picklist dependency behaviord 209 text display types for medium long string fields 273
move entities threshold limit 141
Entity Move/Rename Utility 412, 463 user and group selector display types for simple strings
Entity Move/Rename Utility input file 414, 464 266
multi-deployment environments 615 using a rich text display type to configure a URL field
Multi-Valued Group Selector 271 265
Multi-Valued User Selector 271 Object fields
Multi-Valued User/Group Selector 271 display types for simple string fields 262
multiple security context points 47 Modifying user and group selectors 271
read-only 260
N object icons 331
Object Manager tool 616
namespace object reset
definition 660 performing 302
dimensional 683 ruleset parameters 302
overview 660 session details 303
relational 683 session log 304
namespaces starting 302
add new 772 status 303
BY_RELATIONSHIPS 771 object resets
define 772 currency fields 293
Folders 771 overview 289
Is Default 771 preparing data 293
ObjectModel 2 771 system fields 293
Namespaces and models, configuring 669 object text 279
navigation bar object type
819
object type (continued) OPCCBackup (continued)
including field groups 177 log files 392, 432
including fields 219 running 392, 398, 432
including in a profile 219 OPCCRestore
including on an overview page 247 log files 394, 434
object type dimensions OpenPages CommandCenter
adding 681 Backup Utility 430
object type dimensions, configuring 681 restore utility 393
object type profiles running the Backup Utility 392, 398, 432
editing 177, 216 OpenPages properties file
object types HTTPS address 506
adding filters 191 SSL port 506
adding for a custom form 188 OpenPages properties files
associating with file types 186 editing for WebSphere 500
deleting 189 OpenPages repository
deleting unused 799 decrypting 83
managing 175 enabling 83
platform 175 encrypting 83
rendering JSP files 176 OpenPages server properties and parameters 763
setting the display order 220 OpenPages solutions
view pages 236 FCM xxviii
object types from a profile GCM xxviii
excluding 219, 220, 247 IAM xxviii
object types list page ITG xxviii
accessing 176 ORM xxviii
object views OpenPages SSL certificate renewal 516
customizing 236 OpenPages SSL certificate renewal on WebSphere 517
ObjectManager OpenPages, connectors, and QRadar
batch loader sample 593 overview 689
batch loader syntax 593 operators
loader files 589 security rules 72
ObjectManager examples OPRestore
assigning or revoking role assignments 597 log files 391, 430
creating or loading users 599 OPX functionality
moving objects 594 best practices 797
renaming objects 596 Oracle
ObjectManager tool backing up databases 426
process diagrams 105 Oracle Admin Client 419
ObjectManager.properties file Oracle Data Pump
importing and exporting process diagrams 105, 106 overview 419
objects Oracle Enterprise Manager 483
auto-naming settings 317 Oracle server
best practices for limiting in views 797 IP address 484
locking and unlocking 330 Oracle Text
path expressions 71 enabling for long string filtering 453
SOXDocument auto-naming settings 320 organizational group 30
Obsolete (diagram status) 104 Overview
online backup best practices for limiting associations 798
database 434 overview of OpenPages, connectors, and QRadar 689
op-backup-restore.env file overview page
preparing passwords 39 adding a view page 241
op-config.xml file 105 including object types 247
OP-CUSTOM 41 removing object types 247
op-file-content.zip file 105 Overview page
OPBackup about 237
backup utility 387, 424 overview pages
configuring e-mail 384, 420 hiding an object from 247
configuring gzip 389, 393, 428, 433 setting cache capacity 307
log files 389, 428 Overview pages
refreshing a test environment 397, 399, 441 configuring 237
running 425
running live backups 388, 427
OPCCBackup
P
about 430 page size setting 314
820
parent object 331 process diagram (continued)
parent objects importing 106
access controls 63 modifying process flows 102
security rules 71 refreshing 101
password status 104
change IBM WebSphere 480 process diagrams
change Oracle Native Driver password 449 copying 103
change Oracle password 481, 485 deleting 104
configure 36 viewing 98
configuring encryption 37 process flow diagram 99
encryption algorithm 37 production deployment 575
modify encryption 38 profile
policies 37 associating users and groups 217
rules 27 configuring view pages 236
password encryption 38 copy views 244
passwords disassociating users 218
changing encryption algorithms 41 including object types 219
changing in user tables 40 view pages 236
preparing for reencryption 39 profiles
path expressions creating 214
objects 71 default 215
paths deleting 216
children 71 disabling 83, 217
parents 71 editing 177, 216
permissions enabling 83, 217, 612
application 32 fallback 215
assigning 24 guidelines 213
Browse Files 34 setting default or fallback 215
Change History 34 properties and parameters
CommandCenter Studios 34 OpenPages server properties 763
define 31 Properties and parameters
Folders 34 sosa properties 765
Issues 35 Properties files
modifying 25 Aurora properties 759
non-SOX 35 property bundles
other application 35 creating 142
Project Management 35 provisioning users 27
revoking 25 publish reports
setting for a group 31 application user interface 115
View Locks 35 Published (diagram status) 104
phonebook 271, 283 publishing reports
phonebook bucket size 314 limitations 115
picklists server user interface 117, 121
dependent 208
dependent as dimensions 675
modifying dependency behavior 209
Q
Platform folder settings 344 QRadar integration package
platform object types 175 troubleshooting
Platform Reporting Framework folder settings 348 known problems and solutions 794
Platform Reporting Schema folder settings 349 QRadar integration project
Platform Security folder settings 350 using 690
Platform Workflow Implementations folder settings 353 Questionnaire assessments
portal page path 354 configuring 699
ports
default 469
fixed 469 R
position of tabs on a Home page 226
RCA
pre-defined tables 228
completing prerequisites 738
primary parent ID
configuring data import 738
specifying 691
importing data 742
problem determination
reimporting data 743
exchanging information with IBM Support 788, 789
RCM 731, 733
process diagram
RCM Theme Deployer 731
exporting 105
821
record level security Report (continued)
security embed on Home page 231
record level 57, 61 embedded reports performance considerations 232
recursive object types modify on Home page 232
defining levels 661 report fragments
rules 662 settings 321
Redirect Template 113 report templates
redirect the security log off link 351 modifying existing 120
reencrypting reporting fragment fields
passwords 39 configuring display types 261
reference defining 164
relationship 180, 182 field group for 165
reference relationships 180 fields requiring parameter information 164
regenerate limitations 163
reporting framework 683 name 166
reporting schema 89 object ID prompt 167
registry settings planning considerations 163
additional field in the search result set 374 report path 165
default number of search results to return per page 376 reporting period ID prompt 167
internal page size for search results 372 size 168
language analyzer that is used by search 370 tasks to configure 163
number of attempts to fill the search results 372 reporting fragments
number of records inserted per batch 371 displaying on demand 800
number of records to cache 369 reporting framework
number of search results records that are cached per accessing 684
user session 372 generating 683
path to global search administration server 368 regenerate 683
path to server that handles search indexing 368 update 686
progress refresh interval 368 viewing details of 686
query path to the Apache Solr server 370 Reporting framework
query path to the Apache Solr server that handles Folder permissions 684
ACL indexing 370 Reporting Framework 660
query path to the Apache Solr server that handles Folder reporting framework, models 659
ACL search requests 371 reporting framework, understanding 659
Setting the Apache Solr password 376 reporting period
setting the Apache Solr user ID 376 ACLs 290
Setting the network connection request timeout 374 application behavior 289
Setting the number of allowed connections 375 application permissions 290
Setting the number of allowed connections per host 375 change history 290
Setting the number of times a request is reattempted create 291
375 delete 293
setting the polling interval 369 deletion period setting 290
Setting the socket timeout for indexing 375 finalize 290–292
Setting the socket timeout for searching 376 overview 289
Setting whether to allow compression 374 reapplying 292
setting whether to allow URL redirects 374 reporting schema 290
time to search before timing out 373 system administration mode 290
URL path to the Apache Solr server handles OpenPages Reporting period
search requests 372 active reporting period 291
URL to the Apache Solr server that handles Folder ACL see also active reporting period 291
indexing 371 reporting schema
URL to the Apache Solr server that handles search adding indexes 349
requests 373 Reporting schema
Registry settings, apply to all models 665 accessing 89
reimporting RCA data Administering 89
RCA 743 Enabling and disabling 92
relationship index example 349, 350
setting 182 permissions 89
remove all tree locks 332 Populating past reporting periods 91
rename entities relation to reporting period 91
Entity Move/Rename Utility 412, 463 Viewing operation details of 92
Entity Move/Rename Utility input file 414, 464 reporting server
Report default port 469
add links to My Reports 231 Tomcat heap size 536
822
reporting service S
tuning 536
reports SAM 17
Administrative Reports folder 109 save as draft 182–184
as Home page tabs 226 scenarios
Audit Reports folder 110 access to issue action items 67
creating instances of 117 all users can view objects, some users can update
creating interactive 124 objects 69
deleting 121 exception management 69
Issue Reports folder 112 lifecycle security 66
managing 109 objects shared across GRC domains 64
running interactive 125 privacy incidents 69
Schema Analysis report 141 security by function 68
supplied 109 scheduled task
top-level 109 Entity Move/Rename Utility 416, 466
understanding 116 scheduling the Tivoli Directory Integrator 697
V6 Folder reports 109 scripts
viewing 113 AIX and Linux 550
Reports SDI 694
Issue 112 search filter
Security 112 using complex logic 195
Reports Access Page Size setting 313 section headings 258–260
required fields security
setting in a profile 221 advanced XSS filter setting 351
setting in the field definition 151 context point 44, 45
troubleshooting 795 cross-site scripting filter setting 351
resets, See object resets domain groups 48
restore IBM OpenPages database 390 extending security context 46
restore OpenPages database 429 field level 69
restore utilities model 43
CommandCenter 433 model with multiple points 47
OpenPages CommandCenter 393 Safe Tags setting 352
Restore Utility triangle relationship 47
about 383, 394, 419 Security Directory Integrator 694
IBM OpenPages 429 security domains 48
log files 391, 394, 430, 434 security model
running 390, 429 Security Domains folder 48
RESTRICT rule 58 security provider
revoking configuring 39
role from user or group 55, 56 security rules
RMAN 434 access controls 63, 69
role best practices for 78
assigning to user or group 54 best practices for limiting 799
revoking from user or group 55, 56 child objects 71
role template data types 72
create 52 deleting 78
delete 53 disabling 78
disabling 53 enabling 78
enabling 53 exporting 575, 589
modify 52 field level 71
view or modify 51 grammar 74
role-based security model 43 importing 575, 589
root server certificate 513 keywords 72
rules, See security rules operators 72
ruleset parent objects 71
creating 294 paths 71
exporting XML file 304 record level 71
file, creating 294 reporting periods 289
loading 301 rulesets 289, 294
overview 289 scenarios 64, 66–69
parameters 302 validating 78
sample 295 security, browser 545
tag library 296–301 selectors to use for search 315
self-contained object type
823
self-contained object type (continued) settings (continued)
about 343 filtered list view (continued)
server certificate 513 object types to exclude in export 339
server url 354 format of object names 318
services global unlock 332
Cognos 560 home page 333
starting and stopping Framework Model Generator home page filtered lists 334, 336, 337
service 561 home page number of embedded reports 335
starting and stopping IBM Cognos service 560, 561 home page number of objects in a table 336
session cookies home page number of reports 336
IBM WebSphere Application server 501 home page order of predefined tables 334
session timeout 543 host setting 347
set illegal characters 341
application permissions on a group 31 legacy move behavior 346
setting a default view 242 legacy reporting framework
setting the relationship type 182 computed fields 669
setting up custom forms 187 localization 345
settings localization settings 345
access control on Role groups 342 lock 328
access the Settings page 307 lock and unlock objects 330
accessibility 308 lock menu 330
administration menus 315 lock menu for display 330
alert notification behavior 355 locking a user account 351
allow users to personalize my work home page 335 mail server address 322
applications folder 307 modify menu order 316
association heuristic (reassigning primary parents) 346 New User Default Locale 313
auto-naming objects 317 object reset ACL restrictions 333
browser cache 307 object reset locking restrictions 333
cache capacity 307 object reset logging level 332
cascading signatures 329 object reset on error behaviour 333
child and parent 331 object resets 332
common folder 341 objects in listing pane 323
Copy Access From Inactive 312 optimizing file uploads 323
copy operations 324 page size 314
Copy User Info Attributes 312 phonebook bucket size 314
Copy User Info Choice 312 Platform folder 344
copying folders 341 Platform Reporting Framework folder 348
create custom 340 Platform Reporting Schema folder 349
cross-context sharing 347 Platform Security folder 350
cross-site scripting filter 351 Platform Workflow Implementations folder 353
date field display format 326 portal page path 354
Default Allowed Profiles 313 report fragments 321
default object view 310 reporting framework
Default User Change Password 313 adding namespaces 672
Default User Password Expiration 313 custom forms 667
delete custom 340 reporting framework namespaces 671
deletion interval for reporting period 311 reporting schema
disable Add New wizard 309 add indexes 349
Disable the Files of OPX 327 Reports Access Page Size 313
display columns for selectors 314 security log off link 351
enable associations of child objects 331 security safe tags 352
enable create and delete custom settings 340 selectors to use for search 315
enable file checkout 310 server url 354
enable icons on locked objects 331 show field guidance 308
enable login sso 354 show hidden 311
environment migration 320, 575 show system generated field guidance 309
filtered list view signature 328
concurrent exports 339 signature locks 329
displaying initial results 337 signatures 328
editable fields 340 sort list views by modification date 311
enable object type and field export choices 338 SOXDocument auto-naming objects 320
export to Excel 338 submenus 316
fields for advanced filters 338 system security model 342
number of levels to export 339 triangle object relationships 663, 667
824
settings (continued) system fields
use legacy associate 341 localizing 280
User Preferences folder 355 system file management
user provisioning 312 checking in files 136
Users Can Copy Access From 313 checking out files 136
signature and lock settings 328 copying files 134
signature links for sign off 328 creating folders 133
signature settings 328 deleting files 135
signer certificate 513 download files 135
simple string moving files 134
data type 143 overview 131
single file renaming files 135
data type 143 tasks 133
Sosa properties and parameters 765 uploading files 134
SOXBusEntity objects uploading modified files 136
best practices for limiting 799 system generated field guidance 309
specifying a primary parent ID 691
specifying connector currency values 694
specifying connector date values 694
T
SSL tab
accessing the OpenPages application 494 Dashboard tab 233–235
AIX load balancer server configuration 507 My Work tab 227
Apache load balancer server configuration 509, 510 tabbed interface, Home page 223
Apache Web Server configuration 504–506 tabs
ClassNotFoundException error message 502 add reports 226
Cognos certificate renewal on Apache Web Server 517 hide 226
Cognos certificate renewal on IIS 516 unhide 226
creating keystore 496 task-oriented hyperlinking 801
deploying new non-administrative servers 495 TDI error messages
generating keystore 496 troubleshooting 794
IBM HTTP server 511 techniques for Tivoli Directory Integrator 697
IBM HTTP server configuration 507–509, 511–513 template models, using in the reporting framework 669
LDAP configuration 25 templates 96
Linux load balancer server configuration 507 test deployment 575
Microsoft IIS configuration 502–505 test environment
OpenPages certificate renewal 516 refreshing from production data 397, 399, 441
OpenPages properties files configuration 506 text
update java.security file 502 application 281
Update SSL socket factory providers 502 object 279
WebSphere certificate renewal 517 Theme Deployer 731
WebSphere configuration 494–498, 500, 513, 727 themes 733
SSL ports thread dump logs 537
virtual hosts 495 time-out period, browser 543
starting an OpenPages application 549 Tivoli Directory Integrator
starting and stopping command line tips 698
Framework Model Generator service 561 scheduling 697
IBM Cognos service 560, 561 techniques 697
starting groups Tomcat heap size
best practices 801 reporting server 536
static IP address 483 track configuration changes 479
storage backup triangle relationships 47
enable and disable 389, 428 troubleshooting
storage location contacting IBM Support 787
OPBackup 424 exchanging information with IBM Support 788, 789
String Concatenation Utility Export JSON 795
about 457 fixes
running 457 installing 787
SQL file 458 getting fixes 787
string data types 72 identifying problems and techniques 785
sub-groups known problems for browsers 543
removing 31 known problems for the QRadar integration package
Super Administrator 21 794
System Administration Mode known problems for visualizations 790
enabling and disabling 17 required fields 795
825
troubleshooting (continued) using OPBackup and Op Restore with global search 360
searching knowledge bases 786 using the QRadar integration project 690
security domains included in search 794 utilities
starting visualizations 790 about back up and restore 394
subscribing to Support notifications 789 about backup and restore 383, 419
TDI error messages 794 CommandCenter Backup 391
unable to read labels on a visualization 790 CommandCenter Restore 433
troubleshooting the Connection Refused error message 698 Entity Move/Rename 412, 463
tuning Entity Move/Rename input file 414, 464
DB2 database 535 filtering on long string indexes 404, 451
reporting service 536 OPBackup 387, 424
OpenPages CommandCenter Backup 430
OpenPages CommandCenter Restore 393
U OPRestore 390, 429
UAT deployment 575 running OPBackup 425
UCF 694 running OPBackup live 388, 427
unlock all icon 332 running OPCCBackup 392, 398, 432
unlocking business entities 332 running OPCCRestore 393, 433
update data using FastMap 623 running OPRestore 390, 429
update java.security file 502 running string concatenation 457
Update SSL socket factory providers 502 String Concatenation 457
UPEA string concatenation SQL file 458
syntax 40
Syntax 40 V
UPEA tool 38
uploading large files 323, 327 validating
URL for application rules 78
shortening verify
IBM WebSphere application server procedure 527 encryption algorithm 38
user accounts verifying
configuring LDAP access for 26 environment 38
copying access 30 verifying SSL
creating 27 WebSphere application server 494
modifying 28 views
user administration 19 copy to profile 244
user name format 283 setting default 242
user names visualizations
exclude characters from 341 Business Entities 97
rules 27 creating process flow diagrams 99
user names in a phonebook 271 process diagrams 98
User Preferences folder settings 355 refreshing 101
user provisioning troubleshooting
Copy Access From Inactive 312 known problems and solutions 790
Copy User Info Attributes 312
Copy User Info Choice 312
Default Allowed Profiles 313
W
Default User Change Password 313 Watson certificate 727
Default User Password Expiration 313 web browser configuration
New User Default Locale 313 Certificate Authority certificates 499
Reports Access Page Size 313 web server
Users Can Copy Access From 313 certificate authority approval 503, 505
user provisioning settings 312 WebSphere application server
User Roles configuring certificates 513, 727
Using groups to establish 778 creating keystore 496
User Selector 271 generating the CSR file 497
user-defined keys 286 IBM console 500
User/Group Selector 271 importing certificate into Java 498
users importing certificates 497
associating profiles 217 SSL configuration 500
disassociating profiles 218 verifying SSL 494
Users Can Copy Access From setting 313 Verifying SSL ports on virtual hosts 495
users table WebSphere Application Server
updating to change passwords 40 certificate authority approval 497
using complex logic in a search filter 195
826
what's new 1
Windows
commands 549
Windows services
starting automatically 551
stopping manually 557
workbook. See FastMap. 624
Workflow Java commands 767
X
XML files
op-config.xml 105
XSS
cross-site scripting filter setting 351
Safe Tags setting 352
Z
ZIP files
op-file-content.zip 105
op-file-content.zip file 105
827
828
IBM®