Installation Instructions for Hot Fix M37003

Windows for x64



*** Please see the disclaimer regarding this experimental fix at the bottom of this page. ***


M37003 is a "container" hot fix that contains the following "member" hot fixes which will update the software components as indicated. See the Container Hot Fixes section in the Maintenance Install Tool (MIT) Usage Guide for more information about container hot fixes.

M36003 for SAS Enterprise GRC Administrative Tools 4.31
M09004 for SAS Enterprise GRC Mid-Tier 4.31

Before applying this hot fix, follow the instructions in SAS Note 35968 to generate a SAS Deployment Registry report, then verify that the appropriate product releases are installed on your system. The software components and release numbers should match the list of software components updated by the individual hot fix installers.


IMPORTANT NOTES

  1. You must use the -alwaysoverwrite option when installing this hot fix.

  2. Files delivered in this hot fix will be backed up during the installation process. However, it is good general practice to back up your system before applying updates to software.

  3. You must have Administrator Privileges on your CLIENT or SERVER machine.

  4. All currently active SAS sessions, daemons, spawners and servers must be terminated before applying this hot fix.

  5. This hot fix should be installed using the same userid that performed the initial software installation.

  6. If, after installing the hot fix, you get an exception like the following when using SAS Enterprise GRC 4.31:
    an exception occurred processing JSP page /tiles/CSA/assessment/ratingsSummary/ratingsSummaryEditor.jsp
    then follow SAS Note 50525 for resolution.


INSTALLATION

Hot Fix M37003 must be installed on each machine where the updated components of the product, listed above, are installed. During the installation process you may see references to all operating systems for which updates are provided in the hot fix. The installation process will determine the operating system and which component(s) of SAS Enterprise GRC 4.31 require updating on the machine. See SAS Note 44810 for more details.

The hot fix will be applied using the SAS Deployment Manager (SDM). By default, the SDM will search in the <SASHOME>\InstallMisc\HotFixes\New directory for hot fixes to be applied, but will also prompt for a location if you have downloaded hot fixes to a different directory.

After downloading M37003pt.zip, follow the instructions for applying hot fixes in the SAS Deployment Wizard and SAS Deployment Manager 9.3: User’s Guide. Use the sashf.exe script to apply the hot fix with the -alwaysoverwrite option. Example:

sashf.exe -alwaysoverwrite


The hot fix installation process generates the log file

<!SASHOME>\InstallMisc\InstallLogs\IT_date-and-time-stamp.log
for example, IT_2011-10-31-13.18.21.log. Each attempt to apply a hot fix results in the creation of a new log file giving detailed information regarding the installation process.

Postexec log files are created after the installation is completed and identify the files that were added, backed up, changed and removed. These log files include the ‘member’ hot fix id in the name of the file and are also written to the <!SASHOME>\InstallMisc\InstallLogs directory. There is one postexec log for each ‘member’ hot fix applied (member hot fixes are listed at the top of these instructions).


This completes the installation of M37003. You must perform any "Post-Installation Instructions" documented below to successfully complete the deployment of this hot fix.


POST-INSTALLATION INSTRUCTIONS


M09004 for SAS Enterprise GRC Mid-Tier 4.31

Filter Attachments

As part of this hot fix, we added capabilities to filter the type of attachments allowed in the system. Please follow SAS Note 49870 for details.

Apply Web Application Overrides to SAS Enterprise GRC

As part of this hot fix, we added validation to the kriDefinitionWizardForm section of validation.xml that requires the x_target field to be numeric.

As part of an earlier hot fix:

  1. We added validation to the IndicatorWizardForm section of validation.xml that requires the x_target field to be numeric.

  2. We added validation to the assessmentWizardForm section of validation.xml that makes the custom field specified in the "monitor.qba.sort.customfield.name" config option required.

Please update your validation.xml in <SAS_CONFIG>\Web\Applications\SASEnterpriseGRCMidTier4.31\overrides\war\sas.oprisk.monitor\WEB-INF with the changes in the following directory:
<SASHOME>\SASOpRiskMonitorMidTier\4.1\Static\wars\sas.oprisk.monitor\WEB-INF


Re-build and Re-deploy Web Application

This hot fix requires that the WebApp be rebuilt and redeployed. Use the following steps to perform this post-installation task:

Step 1: Re-build Web Application

In order for this step to execute correctly, the Metadata Server must be running.

1.1 Invoke the SAS Deployment Manager 9.3

From the SASDeploymentManager directory launch sashf.exe.
SAS Deployment Manager is installed in the following default location:

<SASHOME>\SASDeploymentManager\9.3

1.2 Select a language in the Choose Language box

1.3 Select Rebuild Web Applications

1.4 Select Configuration Directory or Enter the Configuration Directory and Level that needs to be updated

1.5 Specify Connection Information, including the sasadm User ID and Password

1.6 Select Enterprise GRC MidTier 4.31 as the Web Application to Rebuild

1.7 Verify the information on the Summary screen and select Start

1.8 Select Finish when the deployment is complete

This process will update the Enterprise GRC MidTier 4.31 ear in <SASCONFIGDIR>\Web\Staging.
A backup of the original ear file will be placed in the directory below:

<SASCONFIGDIR>\Web\Staging\Backup

Step 2: Re-deploy Web Applications

Re-deploy the web applications based on the instructions for the web application server you are using.

Step 3: Clear the AppServer cache.

For details, contact your administrator.

Notes

A fix has been added to display the ID of the assessable along with the name in the error message which shows up during sign-off when an assessable is not rated.

To see that change, the user needs to override the error message in customMessages.properties and pass in the additional placeholder for the ID, as follows.

Originally, the error messages are as follows:

   #{0}Summary object display name {1} summary object name
   answerSheet.assessableIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for the following object before sign-off can occur: {0} "{1}"

   #{0}ControlInstance name {1} RiskInstance name
   answerSheet.controlIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for control "{0}" (mapped to risk "{1}") before sign-off can occur.

To override the above messages, add these lines to customMessages.properties:
   #{0}Summary object display name {1} summary object name {2}summary object ID
   answerSheet.assessableIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for the following object before sign-off can occur: {0} "{1}" - id: "{2}"

   #{0}ControlInstance name {1} RiskInstance name {2}ControlInstance ID {3}RiskInstance ID
   answerSheet.controlIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for control "{0}" - id: "{2}" (mapped to risk "{1}" - id: "{3}") before sign-off can occur.

Two new parameters are now available to control whether the user can see the close and delete actions for the following components.

CPB components:
  RiskRatingsSummaryTable
  ControlRatingsSummaryTable

New parameters:
  showCloseAction
  showDeleteAction

The default value for these two parameters is "true", i.e. the close and delete actions will show. If users don't want to show the close and delete actions, then pass these parameters as "false".

Example: In RatingsSummary.xml

<field name="TEMP.populatedRisks" type="component"
component-name="RiskRatingsSummaryTable"
..........
<param name="showCloseAction" value="false" />
<param name="showDeleteAction" value="false" />
...........
</field>

With this hot fix, if the config option is set to monitor.validation.return.returnToOriginator=false, and the Kri Observation validator returns an observation, then it will go to the preceding stage instead of to the originator. However, the message shown during this observation return will still be something like:

Observation for "KRI name" returned to originator.

If the user wants to set a different message for this case, then the key "KriObservationEditor.returnToPrecedingStage.fmt.txt" needs to be set in customMessages.properties.

For example:

KriObservationEditor.returnToPrecedingStage.fmt.txt=Observation returned to preceding stage

If the above key is set, then that message is displayed when an observation is returned. Otherwise, the original message of observation returned to originator is shown.

As part of the new feature for allowing multiple recommendations during the Accept / Respond phase of Assessment:

  1. Two new config options are introduced. Please add them to your configdata.properties file.
    For reference, check this file in the location:
    <SASHOME>\SASOpRiskMonitorMidTier\4.1\Config\Deployment\Content\Preload\Config

    monitor.risk.allowMultipleRecommendations=false
    monitor.risk.businessOwnerRecommendation.required=true
    Note: setting the above values i.e “monitor.risk.allowMultipleRecommendations=false” and “monitor.risk.businessOwnerRecommendation.required=true” will keep the out-of-box behavior as in the past, i.e., Business Owner can select only one recommendation or add only one recommendation during accept / respond phase of assessment.

  2. There are changes made to the RiskInstance screen definition. Please merge and upload the screen definition with these updates.

    Changes in RiskInstance.xml:

    Use the new SelectedRecommendationTableComponent by changing this line:
    From:   <field name="TEMP.selectedRecommendations" type="component" component-name="SelectedRecommendationTable" required="true">
    To:   <field name="TEMP.selectedRecommendations" type="component" component-name="SelectedRecommendationTableComponent" required="true">

    Make selected recommendation optional based on config option "monitor.risk.businessOwnerRecommendation.required", ie:
    Remove the required flag from the SelectedRecommendationTableComponent as in this line:

    <field name="TEMP.selectedRecommendations" type="component" component-name="SelectedRecommendationTableComponent">
    Add the line to require selectedRecommendation based on config option in the populatedAssessable.riskResponseTypeCd field as follows:
    <field name="populatedAssessable.riskResponseTypeCd" type="dropdown" required="true">
       <label><message key="populatedAssessable.field.riskResponseTypeCd.displayName.txt" /></label>
          <on-change>
             <set-visible name="populatedAssessable.acceptanceExpiryDt" test="populatedAssessable.riskResponseTypeCd = 'ACC'" />
             <set-visible name="TEMP.selectedRecommendations" test="populatedAssessable.riskResponseTypeCd = 'MIT'" />
             <set-required name="TEMP.selectedRecommendations" test="populatedAssessable.riskResponseTypeCd = 'MIT'
               and getConfigValue('monitor.risk.businessOwnerRecommendation.required') = 'true'"/>

          </on-change>
    </field>

  3. There are changes made to the RiskRecommendation screen definition to allow users to flag which recommendation is *selected* out of the multiple recommendations (when monitor.risk.allowMultipleRecommendations=true). Please merge the changes from RiskRecommendation.xml:
    In the initialize block, added:
    <if test="assessment.assessmentStageCd = 'ARD'">
    <set name="selectedFlg" value="true" />
    </if>
    <if test="assessment.assessmentStageCd = 'ASE'">
    <set name="selectedFlg" value="false" />
    </if>
    At the end of the screen, added a field for selectedFlg:
    <field name="selectedFlg" type="boolean" visible="false" >
    <label><message key="recommendation.useToCreateIAP" /></label>
    </field>

  4. Add the new customization file “RiskInstanceTableRecommendationEntryCustomizations.xml” that is added for the Selected Recommendation table to your content server from:
    <SASHOME>\SASOpRiskMonitorMidTier\4.1\Config\Deployment\Content\Preload\Config\Customizations\RiskInstanceTableRecommendationEntryCustomizations.xml

  5. Add the following new message in customMessages.properties:
    recommendation.useToCreateIAP=Use this Recommendation to Create Issue and Action Plans

  6. The following optional customizations can be used to enable certain optional behaviors:
    1. If the user wants an option to mark one of the recommendations created by the Business Owner as selected, then add the following update to the RiskRecommendation.xml screen definition. Change the "selectedFlg" field
      from:
      <field name="selectedFlg" type="boolean" visible="false" >
      <label><message key="recommendation.useToCreateIAP" /></label>
      </field>
      to:
      <field name="selectedFlg" type="boolean" visible="assessment.assessmentStageCd = 'ARD'" >
      <label><message key="recommendation.useToCreateIAP" /></label>
      </field>

      and remove this from initialize block:

      <if test="assessment.assessmentStageCd = 'ARD'">
      <set name="selectedFlg" value="true" />
      </if>
      <if test="assessment.assessmentStageCd = 'ASE'">
      <set name="selectedFlg" value="false" />
      </if>

    2. If the user wants to restrict the selection to one recommendation, then add a validation to the RiskInstance.xml screen definition similar to this:
      <if test="assessment.assessmentStageCd = 'ARD' and populatedAssessable.riskResponseTypeCd = 'MIT' and (getConfigValue('monitor.risk.businessOwnerRecommendation.required') EQ 'true')">
      <validation test="(size(filterRecommendations(populatedAssessable.recommendations, true, false, ratingsSummary.frozenDttm))) EQ 1">
      <errmsg><message key="one.recommendation.needed" /></errmsg>
      </validation>
      </if>
      And add the custom message in customMessages.properties:
      one.recommendation.needed= Only one Recommendation must be selected by the business owner during Accept/Respond phase

  7. New configuration options:

    This hot fix introduces new configuration options in the configdata.properties file:

    monitor.nameTxt.maxLength
    monitor.descTxt.maxLength
    monitor.helpTxt.maxLength

    For example, if the user sets:

    monitor.nameTxt.maxLength=100
    monitor.descTxt.maxLength=1000
    monitor.helpTxt.maxLength=1000

    then an error is given during data load for KriTemplates and Kris if the name text has more than 100 chars or if the description text or help text has more than 1000 chars.

    monitor.change.reason.required
    monitor.change.reason.key.default

    If monitor.change.reason.required is set to false, GRC will not prompt for a change reason. It will use default change reasons that are predefined in GRC or Workflow and, if none is available, use the key value of monitor.change.reason.key.default found in customMessages.properties.

    For example,

    monitor.change.reason.key.default=com.sas.egrc.sample.defaultChangeReason

    and in customMessages.properties:
    com.sas.egrc.sample.defaultChangeReason=This is my sample default change reason

    By default, monitor.change.reason.required is set to true.

    monitor.recovery.totalsUseBookedAmounts

    This option will limit recovery totals to use booked amounts, similar to financial effects. The default is set to false.

    - Set to 'true' to use only booked statuses in recovery totals
    - Set to 'false' to include all recovery statuses in recovery totals

    If the option is reset, the application server hosting GRC will need to be restarted.

    monitor.nonRevalidationFields.issue.enabled

    When this option is set to false, no changes in Issue will cause revalidation.

    By default, or if not specified, this option is set to true.

    monitor.nonRevalidationFields.actionPlan.enabled

    When this option is set to false, no changes in Action Plan will cause revalidation.

    By default, or if not specified, this option is set to true.

    monitor.validation.nearMissEvent.estimatedAmount

    When monitor.validation.nearMissEvent.estimatedAmount is set to true, the validation stage calculation for all "near miss" incidents will be based on the Estimated Amount of the Incident. Other Incidents will continue to be calculated based on total financial amounts.

    By default, or if not specified, this option is set to false.

    monitor.qba.sort.customfield.name

    This config option specifies the name of the custom field that stores the user's selection for sort order in Questionnaire Based Assessment (QBA). In this fix we provided changes in SAS code to add a custom field named "x_assessment_sort_order" for Assessment, but the user can specify another custom field with a different name if needed. This custom field has to be mapped to the new named list "x_assessment_sort_order_option". If "x_assessment_sort_order" is not a custom field of Assessment, or the custom field name specified by this config option does not exist, QBA will behave the same as before this fix.

    monitor.custfield.sort.riskEventTypes

    When this option is set to false, sorting of custom fields for Risk Event Types tables is disabled, which would improve UI performance when adding Risk Event Types to Questionnaire Templates in certain scenarios.

    By default, or if not specified, this option is set to true.

    monitor.custfield.sort.controlTypes

    When this option is set to false, sorting of custom fields for Control Types tables is disabled, which would improve UI performance when adding Control Types to Questionnaire Templates in certain scenarios.

    By default, or if not specified, this option is set to true.

    If any of the options are reset, the application server hosting GRC will need to be restarted.
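
A post-installation consistency check for the configdata.properties options and customMessages.properties keys described above, as an added example (it is not SAS code and not part of the original instructions). It assumes plain key=value property files with lowercase boolean values; the function names and the sample file contents are constructed for illustration.

```python
import re

# Options these instructions say to add to configdata.properties.
REQUIRED = ("monitor.risk.allowMultipleRecommendations",
            "monitor.risk.businessOwnerRecommendation.required")
# Options the instructions describe as true/false switches.
BOOLEAN = REQUIRED + (
    "monitor.change.reason.required",
    "monitor.recovery.totalsUseBookedAmounts",
    "monitor.nonRevalidationFields.issue.enabled",
    "monitor.nonRevalidationFields.actionPlan.enabled",
    "monitor.validation.nearMissEvent.estimatedAmount",
    "monitor.custfield.sort.riskEventTypes",
    "monitor.custfield.sort.controlTypes")
MAXLEN = ("monitor.nameTxt.maxLength", "monitor.descTxt.maxLength",
          "monitor.helpTxt.maxLength")
# Highest placeholder index documented for each sign-off message override.
MAX_PLACEHOLDER = {
    "answerSheet.assessableIncompleteForSignOff.fmt.txt": 2,
    "answerSheet.controlIncompleteForSignOff.fmt.txt": 3}

# Constructed sample file contents, not taken from a real deployment.
SAMPLE_CONFIG = """\
monitor.risk.allowMultipleRecommendations=true
monitor.nameTxt.maxLength=100
monitor.descTxt.maxLength=1k
monitor.change.reason.required=false
monitor.change.reason.key.default=com.sas.egrc.sample.defaultChangeReason
"""
SAMPLE_MESSAGES = """\
# {0}Summary object display name {1} summary object name {2}summary object ID
answerSheet.assessableIncompleteForSignOff.fmt.txt=Incomplete: {0} "{1}" - id: "{3}"
recommendation.useToCreateIAP=Use this Recommendation to Create Issue and Action Plans
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments.

    Assumption: no line continuations, escapes or ':' separators are used."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_deployment(config_text, messages_text):
    """Return a list of findings; an empty list means the files are consistent."""
    cfg, msgs = parse_properties(config_text), parse_properties(messages_text)
    findings = [f"{k}: not set in configdata.properties"
                for k in REQUIRED if k not in cfg]
    # Assumption: booleans are written in lowercase, as in the instructions.
    findings += [f"{k}: expected true or false, found {cfg[k]!r}"
                 for k in BOOLEAN if k in cfg and cfg[k] not in ("true", "false")]
    findings += [f"{k}: expected a positive integer, found {cfg[k]!r}"
                 for k in MAXLEN if k in cfg and not re.fullmatch(r"[1-9]\d*", cfg[k])]
    # With the prompt disabled, the fallback reason is looked up by key in
    # customMessages.properties, so the key must be set and must resolve.
    if cfg.get("monitor.change.reason.required", "true") == "false":
        ref = cfg.get("monitor.change.reason.key.default")
        if not ref:
            findings.append("monitor.change.reason.key.default: not set")
        elif ref not in msgs:
            findings.append(f"{ref}: not defined in customMessages.properties")
    if "recommendation.useToCreateIAP" not in msgs:
        findings.append("recommendation.useToCreateIAP: not defined")
    # An override should only use the placeholders documented for its message.
    for key, highest in MAX_PLACEHOLDER.items():
        used = {int(n) for n in re.findall(r"\{(\d+)\}", msgs.get(key, ""))}
        extra = sorted(n for n in used if n > highest)
        if extra:
            findings.append(f"{key}: placeholder(s) {extra} are not documented")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(SAMPLE_CONFIG, SAMPLE_MESSAGES):
        print("FINDING:", finding)
```

To use it against a deployment, pass the text of the two files to check_deployment instead of the constructed samples.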

    New KRI Functionality

    NOTE: If you have completed these steps as part of a previous hot fix application, the steps below can be skipped.

    This hot fix introduces new KRI functionality. To enable the added KRI scale type functionality, Scale Type (4), you must add the following custom fields, named lists, and named list mappings to your system, and remove references to the ‘com.sas.oprisk.monitor.view.kri’ keyword in SAS Management Console.

    First, execute the program <SASCONFIGDIR>\Applications\SASEnterpriseGRCServerCfg\4.31\Source\sasstp\orm_job_autoexec.sas

    Custom Fields

    | Business Object Type Name | Custom Field Name | Custom Field Type | Description |
    |---|---|---|---|
    | kri | x_target | NUM | Enables KRIs to display and store the target value associated with them. |
    | kriTemplate | x_target | NUM | Enables KRI Definitions to display and store the target value associated with them. |
    | kri | x_targeted | OPS | Allows saving of new options for KRI scale interpretations when Scale Type of “Scale (4)” is selected. The new options are “Improving Moving toward the center of the scale” and “Improving moving away from the center of the scale”. |
    | kriTemplate | x_targeted | OPS | Allows saving of new options for KRI definition scale interpretations when Scale Type of “Scale (4)” is selected. The new options are “Improving Moving toward the center of the scale” and “Improving moving away from the center of the scale”. |
    | kriObservation | x_normalized_score | NUM | Provides the ability for an observation's normalized score to be passed to the operand of ‘X_NORMALIZED_SCORE’ in KRI notification workflows. |

    Add the following lines to <SASCONFIGDIR>\Applications\SASEnterpriseGRCServerCfg\4.31\Source\sasmisc\sample\config\load_custom_field_defs.sas (after "proc sql noprint;" and before "quit"), then execute the program:
    /* Kri Template and Indicator */
    %orm_insert('kri', 'x_target', 'NUM', null, 'Target Value for a targeted KRI.');
    %orm_insert('kriTemplate', 'x_target', 'NUM', null, 'Target Value for a targeted KRI.');
    %orm_insert('kri', 'x_targeted', 'OPS', 400, 'Determines if the Scale is targeted toward the center or outer bounds.');
    %orm_insert('kriTemplate', 'x_targeted', 'OPS', 400, 'Determines if the Scale is targeted toward the center or outer bounds.');
    %orm_insert('kriObservation', 'x_normalized_score', 'NUM', null, 'Calculated Score Normalization.');

    Named Lists

    | Named List | Named List Value | Named List Value Row Number | Description |
    |---|---|---|---|
    | x_targeted_template | biggerBetter | 1 | As values increase, the indicator is improving. |
    | x_targeted_template | smallerBetter | 2 | As values decrease, the indicator is improving. |
    | x_targeted_template | targetedOutter | 3 | As values move away from the target from either direction, the indicator is improving. |
    | x_targeted_template | targetedCenter | 4 | As values move toward the target from either direction, the indicator is improving. |
    | x_targeted_kri | biggerBetter | 1 | As values increase, the indicator is improving. |
    | x_targeted_kri | smallerBetter | 2 | As values decrease, the indicator is improving. |
    | x_targeted_kri | targetedOutter | 3 | As values move away from the target from either direction, the indicator is improving. |
    | x_targeted_kri | targetedCenter | 4 | As values move toward the target from either direction, the indicator is improving. |

    Add the following lines to <SASCONFIGDIR>\Applications\SASEnterpriseGRCServerCfg\4.31\Source\sasmisc\sample\config\load_named_lists.sas (after "%orm_load_translatable_options();" and before "%orm_post_load_processing();"), then execute the program:

    /* Kri Template and Indicator */
    %orm_insert('x_targeted_template', 'biggerBetter', 1);
    %orm_insert('x_targeted_template', 'smallerBetter', 2);
    %orm_insert('x_targeted_template', 'targetedOutter', 3);
    %orm_insert('x_targeted_template', 'targetedCenter', 4);

    %orm_insert('x_targeted_kri', 'biggerBetter', 1);
    %orm_insert('x_targeted_kri', 'smallerBetter', 2);
    %orm_insert('x_targeted_kri', 'targetedOutter', 3);
    %orm_insert('x_targeted_kri', 'targetedCenter', 4);

    Named List Mappings

    | Business Object Type Name | Custom Field Name | Named List |
    |---|---|---|
    | kri | x_targeted | x_targeted_kri |
    | kriTemplate | x_targeted | x_targeted_template |

    Add the following lines to <SASCONFIGDIR>\Applications\SASEnterpriseGRCServerCfg\4.31\Source\sasmisc\sample\config\load_named_list_mappings.sas (after "proc sql noprint" and before "quit;") and execute it:

    /* Load named list mappings */

    %orm_insert('kri', 'x_targeted', 'x_targeted_kri');
    %orm_insert('kriTemplate', 'x_targeted', 'x_targeted_template');

    Updating KRI Report Keyword in SAS Management Console (SMC)

    To enable the updated report display of new Scale Types for KRIs, references to the keyword ‘com.sas.oprisk.monitor.view.kri’ must be removed. These steps detail removing the keyword from the default location in SMC. If you have customized your system to include the report in alternate locations, you will need to address those as well.

    1. Login to SMC.
    2. Click on the "Folders" tab.
    3. Expand the following folder path "System -> Applications -> SAS Enterprise GRC Server -> Enterprise GRC Server 4.31"
    4. Click on the "EnterpriseGRC" folder.
    5. Right click on the "Key Risk Indicators" displayed on the right hand panel and select "Properties" from the displayed drop down.
    6. In the "Keywords:" section of the displayed popup click on ‘com.sas.oprisk.monitor.view.kri’.
    7. Click the "Delete" button.
    8. Click "Yes" in the Confirm Delete window.
    9. Click "Ok" at the bottom of the window.
    10. Exit SMC


M36003 for SAS Enterprise GRC Administrative Tools 4.31

  1. As part of this hot fix, we moved the logic to validate Financial Effect Amount’s "Date of Booking", and Recovery’s "Accounting Date" to CPB. Please update your Screen Definitions for Financial Effect Amount, Direct Recovery Amount, and Insurance Recovery Amount with validation changes in following CPB XML files:
    <SASHome>\SASOpRiskMonitorAdministrativeTools\4.1\dbscripts\data\screenDefs\EffectAmount.xml
    <SASHome>\SASOpRiskMonitorAdministrativeTools\4.1\dbscripts\data\screenDefs\DirectRecoveryAmount.xml
    <SASHome>\SASOpRiskMonitorAdministrativeTools\4.1\dbscripts\data\screenDefs\InsuranceRecoveryAmount.xml
    For example, in EffectAmount.xml, we added this block of code to validate Financial Effect Amount’s "Date of Booking" field:
    <finalize>
    <validation test="dateOnOrAfterEventDiscoveryDate(financialEffect.businessObject)">
    <errmsg><message key="impactDetailFormEx.error.lossDateBeforeEventDiscoveryDate.txt" /></errmsg>
    </validation>
    </finalize>
    The new function "dateOnOrAfterEventDiscoveryDate" will validate if the Financial Effect Amount’s "Date of Booking" is on or after its corresponding Event’s Discovery Date.


  2. This hot fix updates files used to customize the application's environment and functionality with new options. To use these new options, copy the picklist from the installed location to the configuration directory.

    Copy

    <SASHOME>\SASOpRiskMonitorAdministrativeTools\4.1\picklist
    to
    <SASCONFIGDIR>\Applications\SASEnterpriseGRCAdminTools\4.31\dbscripts\picklist


This completes the installation of hot fix M37003 on Windows for x64.

SAS Institute Inc.

License Agreement for Corrective Code or Additional Functionality

SAS INSTITUTE INC. IS PROVIDING YOU WITH THE COMPUTER SOFTWARE CODE INCLUDED WITH THIS AGREEMENT ("CODE") ON AN "AS IS" BASIS, AND AUTHORIZES YOU TO USE THE CODE SUBJECT TO THE TERMS HEREOF. BY USING THE CODE, YOU AGREE TO THESE TERMS. YOUR USE OF THE CODE IS AT YOUR OWN RISK. SAS INSTITUTE INC. MAKES NO REPRESENTATION OR WARRANTY, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT AND TITLE, WITH RESPECT TO THE CODE.

The Code is intended to be used solely as part of a product ("Software") you currently have licensed from SAS Institute Inc. or one of its subsidiaries or authorized agents ("SAS"). The Code is designed to either correct an error in the Software or to add functionality to the Software, but has not necessarily been tested. Accordingly, SAS makes no representation or warranty that the Code will operate error-free. SAS is under no obligation to maintain or support the Code.

Neither SAS nor its licensors shall be liable to you or any third party for any general, special, direct, indirect, consequential, incidental or other damages whatsoever arising out of or related to your use or inability to use the Code, even if SAS has been advised of the possibility of such damages.

Except as otherwise provided above, the Code is governed by the same agreement that governs the Software. If you do not have an existing agreement with SAS governing the Software, you may not use the Code.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. (r) indicates USA registration. Other brand and product names are registered trademarks or trademarks of their respective companies.