*** Please see the disclaimer regarding this experimental fix at the bottom of this page. ***
M37004 is a "container" hot fix that contains the following "member" hot fixes which will update the software components as indicated. See the Container Hot Fixes section in the Maintenance Install Tool (MIT) Usage Guide for more information about container hot fixes.
M36004 for SAS Enterprise GRC Administrative Tools 4.31
M09005 for SAS Enterprise GRC Mid-Tier 4.31
an exception occurred processing JSP page /tiles/CSA/assessment/ratingsSummary/ratingsSummaryEditor.jsp
then follow SAS Note 50525 for resolution.
The hot fix will be applied using the SAS Deployment Manager. By default, the SAS Deployment Manager will search in the <SASHOME>\InstallMisc\HotFixes\New directory for hot fixes to be applied, but will also prompt for a location if you have downloaded hot fixes to a different directory.
After downloading M37004pt.zip, follow the instructions for applying hot fixes in the SAS Deployment Wizard and SAS Deployment Manager 9.3: User’s Guide. Use the sashf.exe script to apply the hot fix with the -alwaysoverwrite option. Example:
sashf.exe -alwaysoverwrite
The hot fix installation process generates the log file
<!SASHOME>\InstallMisc\InstallLogs\IT_date-and-time-stamp.log
for example, IT_2011-10-31-13.18.21.log. Each attempt to apply a hot fix results in the creation of a new log file giving detailed information regarding the installation process.
Postexec log files are created after the installation is completed and identify the files that were added, backed up, changed and removed. These log files include the ‘member’ hot fix id in the name of the file and are also written to the <!SASHOME>\InstallMisc\InstallLogs directory. There is one postexec log for each ‘member’ hot fix applied (member hot fixes are listed at the top of these instructions).
This completes the installation of M37004. You must perform any "Post-Installation Instructions" documented below
to successfully complete the deployment of this hot fix.
M09005 for SAS Enterprise GRC Mid-Tier 4.31
Filter Attachments
As part of this hot fix, we added capabilities to filter the type of attachments allowed in the system. Please follow SAS Note 49870 for details.
Apply Web Application Overrides to SAS Enterprise GRC
As part of this hot fix, we added validation for the x_target field to be numeric to the kriDefinitionWizardForm section of validation.xml.
As part of an earlier hot fix:
- we added validation for the x_target field to be numeric to the IndicatorWizardForm section of validation.xml.
- we added validation for the custom field specified in the "monitor.qba.sort.customfield.name" config option to be required in the assessmentWizardForm section of validation.xml.
Please update your validation.xml in <SAS_CONFIG>\Web\Applications\SASEnterpriseGRCMidTier4.31\overrides\war\sas.oprisk.monitor\WEB-INF with the changes in the following directory:
<SASHOME>\SASOpRiskMonitorMidTier\4.1\Static\wars\sas.oprisk.monitor\WEB-INF
Re-build and Re-deploy Web Application
This hot fix requires that the WebApp be rebuilt and redeployed. Use the following steps to perform this post-installation task:
Step 1: Re-build Web Application
Notes: In order for this step to execute correctly, the Metadata Server must be running.
1.1 Invoke the SAS Deployment Manager 9.3
From the SASDeploymentManager directory launch sashf.exe.
SAS Deployment Manager is installed in the following default location:
<SASHOME>\SASDeploymentManager\9.3
1.2 Select a language in the Choose Language box
1.3 Select Rebuild Web Applications
1.4 Select Configuration Directory or Enter the Configuration Directory and Level that needs to be updated
1.5 Specify Connection Information, including the sasadm User ID and Password
1.6 Select Enterprise GRC MidTier 4.31 as the Web Application to Rebuild
1.7 Verify the information on the Summary screen and select Start
1.8 Select Finish when the deployment is complete
This process will update the Enterprise GRC MidTier 4.31 ear in <SASCONFIGDIR>\Web\Staging.
A backup of the original ear file will be placed in the directory below:
<SASCONFIGDIR>\Web\Staging\Backup
Step 2: Re-deploy Web Applications
Re-deploy the web applications based on the instructions for the web application server you are using.
Step 3: Clear the AppServer cache.
For details, contact your administrator.
A fix has been added to display the ID of the assessable along with the name in the error message which shows up during sign-off when an assessable is not rated.
To see that change, the user needs to override the error message in customMessages.properties and pass in the additional placeholder for the ID as follows:
Originally the error messages are as follows:
#{0}Summary object display name {1} summary object name
answerSheet.assessableIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for the following object before sign-off can occur: {0} "{1}"
#{0}ControlInstance name {1} RiskInstance name
answerSheet.controlIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for control "{0}" (mapped to risk "{1}") before sign-off can occur.
To override the above messages, add these lines in customMessages.properties:
#{0}Summary object display name {1} summary object name {2}summary object ID
answerSheet.assessableIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for the following object before sign-off can occur: {0} "{1}" - id: "{2}"
#{0}ControlInstance name {1} RiskInstance name {2}ControlInstance ID {3}RiskInstance ID
answerSheet.controlIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for control "{0}" - id: "{2}" (mapped to risk "{1}" - id: "{3}") before sign-off can occur.
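A way to confirm that the sign-off message overrides described above are actually in place, as an added example (not part of the hot fix or SAS code): it parses the text of a customMessages.properties file and reports which of the two keys still lack the ID placeholders. The function names and the sample text are constructed for illustration; line continuations and ':' separators in .properties files are not handled.

```python
import re

# Highest placeholder index each overridden sign-off message must reference.
# Per the hot fix notes, {2} (and {3}) carry the newly exposed IDs.
EXPECTED_MAX_INDEX = {
    "answerSheet.assessableIncompleteForSignOff.fmt.txt": 2,
    "answerSheet.controlIncompleteForSignOff.fmt.txt": 3,
}

PLACEHOLDER = re.compile(r"\{(\d+)\}")


def parse_properties(text):
    """Parse key=value lines; skip blank lines and '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # a later duplicate wins
    return props


def check_signoff_overrides(text):
    """Return {key: problem} for overrides that would not show the IDs."""
    props = parse_properties(text)
    findings = {}
    for key, max_index in EXPECTED_MAX_INDEX.items():
        if key not in props:
            findings[key] = "no override: original message without IDs is used"
            continue
        used = {int(i) for i in PLACEHOLDER.findall(props[key])}
        missing = [i for i in range(max_index + 1) if i not in used]
        if missing:
            findings[key] = "missing placeholders: " + ", ".join(
                "{%d}" % i for i in missing)
    return findings


# Constructed sample: the first key is overridden as the notes describe,
# the second still carries the original text without the ID placeholders.
SAMPLE = '''
#{0}Summary object display name {1} summary object name {2}summary object ID
answerSheet.assessableIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for the following object before sign-off can occur: {0} "{1}" - id: "{2}"
#{0}ControlInstance name {1} RiskInstance name
answerSheet.controlIncompleteForSignOff.fmt.txt=Ratings and/or justifications must be filled out for control "{0}" (mapped to risk "{1}") before sign-off can occur.
'''

if __name__ == "__main__":
    for key, problem in check_signoff_overrides(SAMPLE).items():
        print(key, "->", problem)
```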
Two new parameters are now available to control whether the user can see the close or delete actions for these components.
CPB components:
RiskRatingsSummaryTable
ControlRatingsSummaryTable
New parameters are:
showCloseAction
showDeleteAction
The default value for these 2 parameters is "true", i.e. the close and delete actions will show. If users don't want to show the close and delete actions, then pass these parameters as "false".
Example: In RatingsSummary.xml
<field name="TEMP.populatedRisks" type="component"
component-name="RiskRatingsSummaryTable"
..........
<param name="showCloseAction" value="false" />
<param name="showDeleteAction" value="false" />
...........
</field>
With this hot fix, if the config option is set to monitor.validation.return.returnToOriginator=false, and the Kri Observation validator returns an observation, then it will go to the preceding stage instead of to the originator. However, the message shown during this observation return will still be something like:
Observation for "KRI name" returned to originator.
If user wants to set a different message for this case, then they need to set the key "KriObservationEditor.returnToPrecedingStage.fmt.txt" in customMessages.properties.
For example:
KriObservationEditor.returnToPrecedingStage.fmt.txt=Observation returned to preceding stage
If the above key is set, then it will display that message when returning observation. Otherwise, it will show the original message of observation returned to originator.
As part of the new feature for allowing multiple recommendations during the Accept / Respond phase of Assessment:
<SASHOME>\SASOpRiskMonitorMidTier\4.1\Config\Deployment\Content\Preload\Config
New configuration options:
monitor.risk.allowMultipleRecommendations=false
monitor.risk.businessOwnerRecommendation.required=true
Note: setting the above values, i.e. “monitor.risk.allowMultipleRecommendations=false” and “monitor.risk.businessOwnerRecommendation.required=true”, will keep the out-of-box behavior as in the past, i.e., Business Owner can select only one recommendation or add only one recommendation during accept / respond phase of assessment.
Changes in RiskInstance.xml:
Use the new SelectedRecommendationTableComponent by changing this line:
From: <field name="TEMP.selectedRecommendations" type="component" component-name="SelectedRecommendationTable" required="true">
To: <field name="TEMP.selectedRecommendations" type="component" component-name="SelectedRecommendationTableComponent" required="true">
Make selected recommendation optional based on config option "monitor.risk.businessOwnerRecommendation.required", i.e.:
Remove the required flag from the SelectedRecommendationTableComponent as in this line:
<field name="TEMP.selectedRecommendations" type="component" component-name="SelectedRecommendationTableComponent">
Add the line to require selectedRecommendation based on config option in the populatedAssessable.riskResponseTypeCd field as follows:
<field name="populatedAssessable.riskResponseTypeCd" type="dropdown" required="true">
<label><message key="populatedAssessable.field.riskResponseTypeCd.displayName.txt" /></label>
<on-change>
<set-visible name="populatedAssessable.acceptanceExpiryDt" test="populatedAssessable.riskResponseTypeCd = 'ACC'" />
<set-visible name="TEMP.selectedRecommendations" test="populatedAssessable.riskResponseTypeCd = 'MIT'" />
<set-required name="TEMP.selectedRecommendations" test="populatedAssessable.riskResponseTypeCd = 'MIT'
and getConfigValue('monitor.risk.businessOwnerRecommendation.required') = 'true'"/>
</on-change>
</field>
- There are changes made to RiskRecommendation screen definition to allow users to flag which recommendation is *selected* out of the multiple recommendations (when monitor.risk.allowMultipleRecommendations=true). Please merge the changes from:
In RiskRecommendation.xml
In the initialize block, added:
<if test="assessment.assessmentStageCd = 'ARD'">
<set name="selectedFlg" value="true" />
</if>
<if test="assessment.assessmentStageCd = 'ASE'">
<set name="selectedFlg" value="false" />
</if>
At the end of the screen, added a field for selectedFlg:
<field name="selectedFlg" type="boolean" visible="false" >
<label><message key="recommendation.useToCreateIAP" /></label>
</field>
- Add the new customization file “RiskInstanceTableRecommendationEntryCustomizations.xml” that is added for the Selected Recommendation table to your content server from:
<SASHOME>\SASOpRiskMonitorMidTier\4.1\Config\Deployment\Content\Preload\Config\Customizations\RiskInstanceTableRecommendationEntryCustomizations.xml
- Add the following new message in customMessages.properties:
recommendation.useToCreateIAP=Use this Recommendation to Create Issue and Action Plans
- The following optional customizations can be used for certain optional behaviors:
- If the user wants to have an option to mark one of the recommendations created by the Business owner as selected, then they can add the following update to the RiskRecommendation.xml screen definition: Change the "selectedFlg" field
from:
<field name="selectedFlg" type="boolean" visible="false" >
<label><message key="recommendation.useToCreateIAP" /></label>
</field>
to:
<field name="selectedFlg" type="boolean" visible="assessment.assessmentStageCd = 'ARD'" >
<label><message key="recommendation.useToCreateIAP" /></label>
</field>
and remove this from initialize block:
<if test="assessment.assessmentStageCd = 'ARD'">
<set name="selectedFlg" value="true" />
</if>
<if test="assessment.assessmentStageCd = 'ASE'">
<set name="selectedFlg" value="false" />
</if>
- If user wants to restrict to one selected recommendation, then they can add a validation in RiskInstance.xml screen definition similar to this:
<if test="assessment.assessmentStageCd = 'ARD' and populatedAssessable.riskResponseTypeCd = 'MIT' and (getConfigValue('monitor.risk.businessOwnerRecommendation.required') EQ 'true')">
<validation test="(size(filterRecommendations(populatedAssessable.recommendations, true, false, ratingsSummary.frozenDttm))) EQ 1">
<errmsg><message key="one.recommendation.needed" /></errmsg>
</validation>
</if>
And add the custom message in customMessages.properties:
one.recommendation.needed= Only one Recommendation must be selected by the business owner during Accept/Respond phase
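A check for the config-driven variant of the RiskInstance.xml change described above, as an added example (not part of the hot fix or SAS code): it reports whether TEMP.selectedRecommendations uses the new component, has lost its static required flag, and is made required by a set-required rule that consults monitor.risk.businessOwnerRecommendation.required. The function name, the `<screen>` root element and both sample documents are constructed for illustration; only the field, component and option names come from this page.

```python
import xml.etree.ElementTree as ET

FIELD = "TEMP.selectedRecommendations"
NEW_COMPONENT = "SelectedRecommendationTableComponent"
OPTION = "monitor.risk.businessOwnerRecommendation.required"


def check_risk_instance(xml_text):
    """Return a list of problems; an empty list means the change is in place."""
    root = ET.fromstring(xml_text)
    fields = [f for f in root.iter("field") if f.get("name") == FIELD]
    if not fields:
        return ["field %s not found" % FIELD]
    problems = []
    for field in fields:
        if field.get("component-name") != NEW_COMPONENT:
            problems.append("component-name is %r" % field.get("component-name"))
        if field.get("required") == "true":
            # A static flag keeps the field mandatory whatever the option says.
            problems.append('static required="true" still present')
    # The requirement must come from a set-required rule that consults the
    # config option, as in the riskResponseTypeCd on-change block.
    rules = [r for r in root.iter("set-required") if r.get("name") == FIELD]
    if not any(OPTION in (r.get("test") or "") for r in rules):
        problems.append("no set-required rule tests " + OPTION)
    return problems


# Constructed samples; <screen> is a placeholder root element.
BEFORE = """<screen>
<field name="TEMP.selectedRecommendations" type="component"
       component-name="SelectedRecommendationTable" required="true" />
<field name="populatedAssessable.riskResponseTypeCd" type="dropdown" required="true">
  <on-change>
    <set-visible name="TEMP.selectedRecommendations"
                 test="populatedAssessable.riskResponseTypeCd = 'MIT'" />
  </on-change>
</field>
</screen>"""

AFTER = """<screen>
<field name="TEMP.selectedRecommendations" type="component"
       component-name="SelectedRecommendationTableComponent" />
<field name="populatedAssessable.riskResponseTypeCd" type="dropdown" required="true">
  <on-change>
    <set-visible name="TEMP.selectedRecommendations"
                 test="populatedAssessable.riskResponseTypeCd = 'MIT'" />
    <set-required name="TEMP.selectedRecommendations"
                  test="populatedAssessable.riskResponseTypeCd = 'MIT'
                  and getConfigValue('monitor.risk.businessOwnerRecommendation.required') = 'true'" />
  </on-change>
</field>
</screen>"""

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, check_risk_instance(doc))
```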
monitor.nameTxt.maxLength
monitor.descTxt.maxLength
monitor.helpTxt.maxLength
For example, if the user sets:
monitor.nameTxt.maxLength=100
monitor.descTxt.maxLength=1000
monitor.helpTxt.maxLength=1000
then it will give an error during data load for KriTemplates and Kris if the name text has more than 100 chars and if description text and help texts have more than 1000 chars.
monitor.change.reason.required
monitor.change.reason.key.default
If monitor.change.reason.required is set to false, GRC will not prompt for change reason. It will use default change reasons that are predefined in GRC or Workflow, and if none available, use the key value of monitor.change.reason.key.default found in customMessages.properties.
For example,
monitor.change.reason.key.default=com.sas.egrc.sample.defaultChangeReason
in customMessages.properties
com.sas.egrc.sample.defaultChangeReason=This is my sample default change reason
By default, monitor.change.reason.required is set to true.
monitor.recovery.totalsUseBookedAmounts
This option will limit recovery totals to use booked amounts, similar to financial effects. The default is set to false.
- Set to 'true' to use only booked statuses in recovery totals
- Set to 'false' to include all recovery statuses in recovery totals
If the option is reset, the application server hosting GRC will need to be restarted.
monitor.nonRevalidationFields.issue.enabled
When this option is set to false, all changes in Issue would not cause revalidation.
By default, or if not specified, this option is set to true.
monitor.nonRevalidationFields.actionPlan.enabled
When this option is set to false, all changes in Action Plan would not cause revalidation.
By default, or if not specified, this option is set to true.
monitor.validation.nearMissEvent.estimatedAmount
When the monitor.validation.nearMissEvent.estimatedAmount is set to true, all "near miss" incidents validation stage calculation will be based on Estimated Amount of the Incident. Other Incidents will continue to calculate based on total financial amounts.
By default, or if not specified, this option is set to false.
monitor.qba.sort.customfield.name
This config option specifies the custom field name to store the user's selection for sort order in Questionnaire Based Assessment (QBA). In this fix we provided changes in SAS code to add a custom field named "x_assessment_sort_order" for Assessment, but the user can specify another custom field with a different name if needed. This custom field has to be mapped to the new named list "x_assessment_sort_order_option". If "x_assessment_sort_order" is not a custom field of Assessment, or whatever custom field name is specified by this config option does not exist, QBA will behave the same as before this fix.
monitor.custfield.sort.riskEventTypes
When this option is set to false, sorting of custom fields for Risk Event Types tables is disabled, which would improve UI performance in adding Risk Event Types to Questionnaire Templates in certain scenarios.
By default, or if not specified, this option is set to true.
monitor.custfield.sort.controlTypes
When this option is set to false, sorting of custom fields for Control Types tables is disabled, which would improve UI performance in adding Control Types to Questionnaire Templates in certain scenarios.
By default, or if not specified, this option is set to true.
If any of the options are reset, the application server hosting GRC will need to be restarted.
New KRI Functionality:
NOTE: If you have completed these steps as part of a previous hot fix application, the steps below can be skipped.
This hot fix introduces new KRI functionality. To enable the added KRI scale type functionality, Scale Type (4), you must add the following custom fields, named lists, and named list mappings to your system, and remove references to the ‘com.sas.oprisk.monitor.view.kri’ keyword in SAS Management Console.
First, execute the program <SASCONFIGDIR>\Applications\SASEnterpriseGRCServerCfg\4.31\Source\sasstp\orm_job_autoexec.sas
Custom Fields
Business Object Type Name | Custom Field Name | Custom Field Type | Description
kri | x_target | NUM | Enables KRI’s to display and store the target value associated with them.
kriTemplate | x_target | NUM | Enables KRI Definitions to display and store the target value associated with them.
kri | x_targeted | OPS | Allows saving of new options for KRI scale interpretations when Scale Type of “Scale (4)” is selected. The new options are “Improving Moving toward the center of the scale” and “Improving moving away from the center of the scale”.
kriTemplate | x_targeted | OPS | Allows saving of new options for KRI definition scale interpretations when Scale Type of “Scale (4)” is selected. The new options are “Improving Moving toward the center of the scale” and “Improving moving away from the center of the scale”.
kriObservation | x_normalized_score | NUM | Provides the ability for an observation's normalized score to be passed to the operand of ‘X_NORMALIZED_SCORE’ in KRI notification workflows.
/* Kri Template and Indicator */
%orm_insert('kri', 'x_target', 'NUM', null, 'Target Value for a targeted KRI.');
%orm_insert('kriTemplate', 'x_target', 'NUM', null, 'Target Value for a targeted KRI.');
%orm_insert('kri', 'x_targeted', 'OPS', 400, 'Determines if the Scale is targeted toward the center or outer bounds.');
%orm_insert('kriTemplate', 'x_targeted', 'OPS', 400, 'Determines if the Scale is targeted toward the center or outer bounds.');
%orm_insert('kriObservation', 'x_normalized_score', 'NUM', null, 'Calculated Score Normalization.');
Named Lists
Named List | Named List Value | Named List Value Row Number | Description
x_targeted_template | biggerBetter | 1 | As values increase, the indicator is improving.
x_targeted_template | smallerBetter | 2 | As values decrease, the indicator is improving.
x_targeted_template | targetedOutter | 3 | As values move away from the target from either direction, the indicator is improving.
x_targeted_template | targetedCenter | 4 | As values move toward the target from either direction, the indicator is improving.
x_targeted_kri | biggerBetter | 1 | As values increase, the indicator is improving.
x_targeted_kri | smallerBetter | 2 | As values decrease, the indicator is improving.
x_targeted_kri | targetedOutter | 3 | As values move away from the target from either direction, the indicator is improving.
x_targeted_kri | targetedCenter | 4 | As values move toward the target from either direction, the indicator is improving.
/* Kri Template and Indicator */
%orm_insert('x_targeted_template', 'biggerBetter', 1);
%orm_insert('x_targeted_template', 'smallerBetter', 2);
%orm_insert('x_targeted_template', 'targetedOutter', 3);
%orm_insert('x_targeted_template', 'targetedCenter', 4);
%orm_insert('x_targeted_kri', 'biggerBetter', 1);
%orm_insert('x_targeted_kri', 'smallerBetter', 2);
%orm_insert('x_targeted_kri', 'targetedOutter', 3);
%orm_insert('x_targeted_kri', 'targetedCenter', 4);
Named List Mappings
Business Object Type Name | Custom Field Name | Named List
kri | x_targeted | x_targeted_kri
kriTemplate | x_targeted | x_targeted_template
Add the following lines to <SASCONFIGDIR>\Applications\SASEnterpriseGRCServerCfg\4.31\Source\sasmisc\sample\config\load_named_list_mappings.sas (after "proc sql noprint" and before "quit;") and execute it:
/* Load named list mappings */
%orm_insert('kri', 'x_targeted', 'x_targeted_kri');
%orm_insert('kriTemplate', 'x_targeted', 'x_targeted_template');
Updating KRI Report Keyword in SAS Management Console (SMC)
To enable the updated report display of new Scale Types for KRI’s, references to the keyword ‘com.sas.oprisk.monitor.view.kri’ must be removed. These steps detail removing it from the default location in SMC. If you have customized your system to include the report in alternate locations, you will need to address those as well.
- Login to SMC.
- Click on the "Folders" tab.
- Expand the following folder path "System -> Applications -> SAS Enterprise GRC Server -> Enterprise GRC Server 4.31"
- Click on the "EnterpriseGRC" folder.
- Right click on the "Key Risk Indicators" displayed on the right hand panel and select "Properties" from the displayed drop down.
- In the "Keywords:" section of the displayed popup click on ‘com.sas.oprisk.monitor.view.kri’.
- Click the "Delete" button.
- Click "Yes" in the Confirm Delete window.
- Click "Ok" at the bottom of the window.
- Exit SMC
M36004 for SAS Enterprise GRC Administrative Tools 4.31
<SASHome>\SASOpRiskMonitorAdministrativeTools\4.1\dbscripts\data\screenDefs\EffectAmount.xml
<SASHome>\SASOpRiskMonitorAdministrativeTools\4.1\dbscripts\data\screenDefs\DirectRecoveryAmount.xml
<SASHome>\SASOpRiskMonitorAdministrativeTools\4.1\dbscripts\data\screenDefs\InsuranceRecoveryAmount.xml
For example, in EffectAmount.xml, we added this block of code to validate Financial Effect Amount’s "Date of Booking" field:
<finalize>
<validation test="dateOnOrAfterEventDiscoveryDate(financialEffect.businessObject)">
<errmsg><message key="impactDetailFormEx.error.lossDateBeforeEventDiscoveryDate.txt" /></errmsg>
</validation>
</finalize>
The new function "dateOnOrAfterEventDiscoveryDate" will validate if the Financial Effect Amount’s "Date of Booking" is on or after its corresponding Event’s Discovery Date.
Copy
<SASHOME>\SASOpRiskMonitorAdministrativeTools\4.1\picklist
to
<SASCONFIGDIR>\Applications\SASEnterpriseGRCAdminTools\4.31\dbscripts\picklist