RSA Archer 6.5 Platform Administrator's Guide

Platform Administrator's Guide
6.5
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
https://community.rsa.com/community/rsa-customer-support.
Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and Dell are either registered trademarks or trademarks of Dell
Corporation ("Dell") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License agreement
This software and the associated documentation are proprietary and confidential to Dell, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by Dell.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-
party software in this product may be viewed on RSA.com. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
For secure sites, Dell recommends that the software be installed onto encrypted storage for secure operations.
For customers in high security zones, Dell recommends that a full application sanitization and reinstallation from backup occur
when sensitive or classified information is spilled.
Note on Section 508 Compliance
The RSA Archer® Suite is built on web technologies which can be used with assistive technologies, such as screen readers,
magnifiers, and contrast tools. While these tools are not yet fully supported, RSA is committed to improving the experience of
users of these technologies as part of our ongoing product road map for RSA Archer.
The RSA Archer Mobile App can be used with assistive technologies built into iOS. While there remain some gaps in support,
RSA is committed to improving the experience of users of these technologies as part of our ongoing product road map for the
RSA Archer Mobile App.
Distribution
Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice. Use of the software described herein does not ensure compliance with any laws, rules, or regulations, including
privacy laws that apply to RSA’s customer’s businesses. Use of this software should not be a substitute for consultation with
professional advisors, including legal advisors. No contractual obligations are formed by publication of these documents.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." DELL INC. MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright © 2010-2018 Dell Inc. or its subsidiaries. All Rights Reserved.

October 2018
Contents
Preface 14
About This Guide 14
Support and Service 14
Other Resources 14
RSA Archer Documentation 15
Chapter 1: Setting Up and Maintaining the Platform 17

Advanced Operator Logic 19
Chapter 2: Application Builder 22

Building Applications 23
Adding Applications 25
Setting Behaviors of an Application 26
Adding Fields to an Application 31
Defining the Layout of an Application 31
Creating Data Driven Events in an Application 31
Designating Navigation Menu Items 32
Defining a Workflow for Applications 34
Setting the Execution Order for Multiple Calculated Fields 35
Assigning Application Owners and Report Administrators 35
Assigning Applications to Solutions 37
Attaching Documentation to Applications 39
Changing the Application Status 39
Deleting Applications or Application Content 41
Chapter 3: Questionnaires 43
Assessment Process 49
Populating the Question Library 51
Adding Questions to the Question Library 51
Importing Questions into the Question Library 53
Building Questionnaires 54
Adding a Questionnaire 55
3
Adding Questions and Fields to a Questionnaire 56
Adding Attachment Questions 60
Adding Cross-Reference Questions 65
Adding Date Questions 73
Adding Numeric Questions 78
Adding Text Questions 84
Adding Values List Questions 89
Creating Questionnaire Values Lists 98
Customizing the Layout of a Questionnaire 103

Creating Data Driven Events for a Questionnaire 104
Designating Navigation Menu Items 105
Defining Workflows for Questionnaires 107
Configuring Display Rules for Questionnaires 109
Enabling Automatic Generation of Findings for Questionnaires 112
Setting Behaviors of a Questionnaire 115
Assigning Questionnaire Owners and Report Administrators 119
Creating Campaigns to Launch Questionnaires 122
Attaching Documentation to Questionnaires 124
Creating Mobile Ready Questionnaires 124
Changing the Questionnaire Status 129
Importing Data into a Questionnaire 130
Modifying a Questionnaire During the Assessment Cycle 131
Deleting Questionnaires and Content 132
Chapter 4: Solutions 134

Adding Solutions 134
Updating a Solution 135
Chapter 5: Fields 137

Dynamic Attributes 141
Creating Fields by Field Types 144
Adding Access History Fields 145
4
Adding Attachment Fields 146

Adding Cross Application Status Tracking Fields 151
Adding Cross-Reference Fields 153
Adding Date Fields 159
Adding Discussion Fields 163
Adding External Links Fields 166
Adding First Published Date Fields 168
Adding History Log Fields 170
Adding Image Fields 175
Adding IP Address Fields 179
Adding Last Updated Date Fields 182
Adding Matrix Fields 184
Adding Multiple Reference Display Control Fields 186
Adding Numeric Fields 189
Adding Questionnaire Reference Fields 195
Adding Record Status Fields 197
Adding Record Permissions Fields 198
Adding Scheduler Fields 201
Adding Sub-Form Fields 205
Adding Text Fields 209
Adding Tracking ID Fields 210
Adding User/Groups List Fields 213
Adding Values List Fields 218
Adding Voting Fields 221
Adding Field-Level Help 224
Assigning Access Rights to a Field 226
Identifying Field IDs 227
Changing the Field Status to Inactive 228
Deleting Fields 229
Enabling Fields for On-Demand Bulk Actions 230
Encrypting Data 232
Managing Field Encryption 235
Calculated Fields 236
Adding Calculated Fields 239
Calculation Process 243
5
Functions and Operators for Calculated Field Formulas 247

Scheduling Calculations 424
Recalculation Conditions 426
Recalculating Calculated Fields 430
References in Formulas 432
Troubleshooting Tips for Calculations 438
Cross-Reference Field 445
Adding Cross-Reference Fields 448
Dynamic Filters for Cross-Reference Fields 454
Creating Dynamic Filters for Cross-Reference Fields 457
Related Records Field 461
Cross-Reference Mismatches 462
Record Permissions Field 463
Adding Record Permissions Fields 469
Configuring Automatic Permissions for a Record Permissions Field 472
Configuring Inherited Permissions for a Record Permissions Field 475
Configuring Manual Permissions for a Record Permissions Field 477
Converting a User/Groups List to a Record Permissions Field 479
Values Lists 480
Adding Values List Fields 481
Adding a Global Values List 484
Adding Values to Values Lists 485
Arranging Values in Values Lists 487
Converting Field-Specific Values Lists into Global Values Lists 490
Defining Field-Specific Column and Row Values for a Matrix Field 490
Importing Values into Values Lists 494
Exporting Values from Values Lists 496
Deleting Values from Values Lists 497
Scheduler Field 499
Adding Scheduler Fields 501
Trending 505
Enabling and Disabling Trending on a Field 507
Chapter 6: Sub-Forms 509

Adding Sub-Forms 509
6
Adding and Removing Documentation from Sub-Forms 511

Assigning or Revoking Sub-Form Owners 512
Changing the Sub-Form Status 513
Deleting Sub-Forms 513
Chapter 7: Data Driven Events 515

Data Driven Event Process Flow 516
Data Driven Event Rules and Actions 522
Data Driven Event Rules 524
Data Driven Event Rules Evaluation 525
Adding Rules to Data Driven Events 528
Setting the Rule Order of Data Driven Events 530
Data Driven Event Actions 531
Apply Conditional Layout Action 533
Filter Values List Items Action 542
Generate Notification Action 547
Set Date Action 555
Set Values List Selection Action 558
Troubleshooting Data Driven Events Using Event Analyzer 561
Chapter 8: Layouts 563

Adding Additional Layouts 563
Adding Fields to the Layout 565
Adding Objects to the Layout 567
Adding Tab Sets on the Layout 574
Report Object Operator Types 577
Deleting Layouts 587
Chapter 9: Advanced Workflow 588

Using the Advanced Workflow Interface 595
Planning and Deploying Advanced Workflows 600
Building Advanced Workflows 602
Activating and Deactivating Advanced Workflows 617
Deploying Updates to Advanced Workflows 618
Troubleshooting Advanced Workflows 620
Chapter 10: Workflow 632
7
Adding Workflows to Applications or Questionnaires 634

Adding Workflow Notifications 638
Activating or Inactivating Workflows 641
Configuring the End Stage of Workflows 642
Deleting Workflow Notifications 643
Deleting Workflow Stages 644
Reordering Workflow Stages 645
Chapter 11: Offline Access 646

Configuring Offline Access Gateway 647
Offline Access Library 647
Resetting Your Offline Access Password 649
Resolving Online Access Conflicts 650
Synchronizing Offline Access Records 652
Offline Access Mode 654
Logging In to Offline Access 655
Installing Offline Access 656
Purging Data in Offline Access 658
Working Offline 659
Chapter 12: User Access Control 660

User Accounts 663
Adding User Accounts 665
Deleting User Accounts 671
Identifying User IDs 671
Ending Active User Sessions 672
Maintaining Security 672
Reassigning User Resources 673
Viewing User Login History 674
Understanding System Administrator and Default Services Account Passwords 675
Updating User Accounts 677
User Groups 680
Adding User Groups 681
Identifying User Group IDs 683
Assigning Users to User Groups 683
Deleting User Groups 684
8
Access Roles 685

Adding Access Roles 686
Assigning Rights to Access Roles 687
Assigning Access Roles to Users or Groups 688
Setting the Default Access Role 690
Updating Access Roles 691
Deleting Access Roles 691
Security Parameters 692
Adding Security Parameters 693
Security Parameters for Mobile Users 698
Adding Security Parameters for Mobile Users 701
Assigning Security Parameters to Users 707
Setting the Default Security Parameter 708
Deleting Security Parameters 708
LDAP Configuration 708
Configuring LDAP for Managing User Accounts and Groups 710
Synchronizing Your User Accounts and Groups 717
Viewing Synchronization Status 719
Changing LDAP Configuration Status 720
Deleting LDAP Configurations 721
Chapter 13: Communication Tools 722

Notifications 722
Notification Publishing 725
Notification Blueprints 726
Managing Notification Blueprints 740
Activating Notifications 741
Adding Admin Notifications 744
Adding On Demand Notifications 746
Adding Scheduled Report Distributions 750
Adding Subscription Notifications 756
Adding XML Notifications 761
Configuring Default Notification Settings 766
Configuring Global Notification Settings 767
Defining Letterhead Templates 767
Defining Read Receipt Rules 770
9
Troubleshooting Notifications 772

Discussion Forums for Administrators 777
Adding Discussion Communities 780
Adding Discussion Forums 781
Adding Discussion Forum Roles 784
Merging Topics in a Discussion Forum 785
Locking and Unlocking Discussion Forums 786
Archiving Discussion Forums 787
Training and Awareness 788
Adding Training and Awareness Campaigns 790
Adding Presentation Events 792
Adding Acceptance Events 794
Adding Quiz Events 796
Deleting Campaigns and Events 800
Mail Merge 801
Mail Merge Syntax 804
Adding Mail Merge Templates 805
Adding Report Templates to a Mail Merge Template 807
Assigning Access Rights to Mail Merge Templates 807
Changing the Status of a Mail Merge Template 808
Deleting Mail Merge Templates 808
Alias Names 809
Chapter 14: Data Integration 810

Data Imports 810
Preparing for Data Imports 819
Importing Data Through the Data Import Wizard 821
Reviewing Job Queues 825
Troubleshooting Data Imports 825
Data Feeds 829
Generating the Run Detail Report 836
Running Data Feeds Now 837
Viewing the Execution History for Data Feeds 838
Data Feed Tokens 838
Manipulating Data in the Source File of Standard Data Feeds 853
Troubleshooting Data Feeds 858
10
Archer-to-Archer Data Feeds 862

Database Query Data Feeds 889
File Data Feeds 912
File Transporter 912
FTP Data Feeds 940
FTP Transporter 940
HTTP Data Feeds 968
HTTP Transporter 968
Weak ciphers disabled 968
JavaScript Data Feeds 993
JavaScript Transporter 993
Mail Monitor Data Feeds 1016

RSS Data Feeds 1036
Threat Data Feeds 1059
Data Publications 1098
Adding Data Publications 1100
Changing the Status of a Data Publication 1102
Clearing the Data Publication Job History 1102
Configuring Connection Parameters for Data Publications 1103
Publishing Data Publications Immediately 1104
Setting the Data Publications Schedule 1104
Viewing the Data Publication Job History 1105
API Integration 1105
Generating API Code 1106
Using the Web Services Description Language File 1107
Chapter 15: Packaging 1108

Packaging Rules 1112
Before You Begin 1125
Creating Packages 1129
Reviewing the Package Generation Log 1132
Installing Packages 1134
11
Task 1: Backing Up Your Database 1135

Task 2: Importing Packages 1135
Task 3: Mapping Objects 1135
Task 4: Installing Packages 1151
Task 5: Reviewing the Package Installation Log 1154
Deleting Packages 1162
Chapter 16: Search and Reporting for Administrators 1163

System Reports 1163
Using the Master Report Listing 1175
Defining Report Export Templates 1177
Chapter 17: Dashboards, iViews, and Workspaces 1180

Building Workspaces 1181
Building Dashboards 1186
Building Global iViews 1189
Formatting iView Videos 1195
Assigning Access Rights to iViews, Dashboards, and Workspaces 1196
Attaching Documentation to iViews, Dashboards, and Workspaces 1196
Configuring Workspaces 1197
Exporting Dashboards 1198
Admin Dashboard 1200
Install the Admin Dashboard Package 1200
Add the Admin Dashboard 1202
Add Metrics to the Admin Dashboard 1203
Chapter 18: Customizing RSA Archer 1204

Branding Your System 1204
Setting a System Language - Globalization 1208
Translated File Example 1214
Chapter 19: Configuring the Hardware Security Module 1220
Chapter 20: Managing Field Encryption 1223
Chapter 21: Secure Deployment and Usage Settings 1224

Web Server Security Configuration 1231
Disallow IIS Arbitrary File Extensions 1232
12
Disallow Arbitrary File Uploads 1232

Remove IIS and ASP.NET Version Information from HTTP Headers 1233
AspNet-Version HTTP Header 1234
Remove X-Powered-By HTTP Header 1234
IP Whitelist 1234
Host Hardening 1235
Recommendations for TLS/SSL cipher hardening 1235
Chapter 22: Physical Security Controls Recommendations 1238
13
Preface
About This Guide 14
Support and Service 14
RSA Archer Documentation 15
About This Guide

This guide contains administrator topics available in the RSA Archer Online Documentation.
Support and Service
Customer Support Information https://community.rsa.com/community/rsa-customer-support
Customer Support E-mail archersupport@rsa.com
Other Resources
Resource Description
RSA Archer Our public forum, on the RSA Link Community platform, brings together customers,
Community prospects, consultants, RSA Archer thought leaders, partners and analysts to talk
on about GRC as a practice, and includes product demos, GRC videos, white papers,
RSA Link blogs and more.
https://community.rsa.com/community/products/archer-grc
RSA Archer Our private community, is a powerful governance, risk and compliance online
Customer / network that promotes collaboration among RSA Archer customers, partners,
Partner industry analysts, and product experts. Engaging with the RSA Archer Community
Community on RSA Link enables you to collaborate to solve problems, build best practices,
on establish peer connections and engage with RSA Archer thought leaders.
RSA Link https://community.rsa.com/community/products/archer-grc/archer-customer-partner-
community
Preface 14
Resource Description
RSA Ready RSA's Technology Partner Program is where third parties gain access to RSA
Software in order to develop an interoperability and have it documented and
certified. RSA Ready certifications are posted to an online community and
supported by RSA Support.
https://community.rsa.com/community/products/rsa-ready
RSA The RSA Exchange for RSA Archer offerings help you rapidly deploy adjacent or
Exchange supporting risk business processes, quickly integrate new risk data sources, and
for implement administrative utilities to make the most out of their risk and compliance
RSA Archer investment.
https://community.rsa.com/community/products/archer-grc/exchange
RSA Archer Documentation

You can access RSA Archer documentation on the Archer Customer/Partner Community on RSA
Link at: https://community.rsa.com/community/products/archer-grc/archer-customer-partner-
community/
The following table describes each document.
Document Description
Release Notes A list of issues fixed in the release and a list of issues known at the time of the
release. Available in PDF format.
What's New Overview of the new and updated features in the current release. Overview of the
Guide differences between RSA Archer version 5.x and version 6.x. Suggestions on
planning for moving from 5.x to 6.x are included. This information is available in
the RSA Archer Online Documentation and in PDF format.
Installation Instructions for installing the latest RSA Archer release, and upgrading from 5.x
and Upgrade and 6.x to the latest release. Available in PDF format.
Guide
Preface 15
Document Description
Online Information for using RSA Archer including how to set up and maintain the
Documentation Platform, how to use the Platform features, how to use the RESTful and Web
APIs, security configuration information, and how to install and use the solution
use cases. Available from within the product in HTML5 format using context-
sensitive links, as well as in a Zip format for local installation. The Online
Documentation is also available in full on the RSA Archer Community on RSA
Link at: https://community.rsa.com/community/products/archer-grc/archer-
customer-partner-community/. Content from the Online Documentation system is
also available in PDF format, divided in to the following guides:
l Administrator's Guide
l User's Guide
l RESTful API Guide
l Web API Guide
l Content API Guide
l Security Configuration Guide
l Use Case Guides (one guide for each of the available solution use cases)
Archer Control Information for using the RSA Archer Control Panel module to manage the
Panel (ACP) internal settings of the Platform, such as license keys, global paths and settings.
Help Available from within the ACP module, in a ZIP format for local installation, and
in PDF format.
Planning Information about how to plan for your new RSA Archer installation. This
Guide document is intended for system administrators who are responsible for installing
and managing RSA Archer. Available in PDF format.
Preface 16
Chapter 1: Setting Up and Maintaining the Platform

As an administrator, you might be responsible for setting up or maintaining any of the following
features:
Applications, questionnaires, and solutions

End users work with records. As an administrator, you are responsible for building (or maintaining)
applications or questionnaires, which contain the records, and for creating the fields and other
elements that define the structure of the records.
Note: If you are using any of the RSA Archer use cases, you might be responsible for customizing
the out-of-the-box applications or questionnaires to meet your organization's requirements. For more
information on use cases, see "Solutions and Use Cases Overview" in the RSA Archer Online
Documentation.
Finally, you can group related applications and questionnaires into a solution.
Users and access control

Access control provides a framework for maintaining users, roles, and security parameters, and for
assigning access rights at the system, application, record, and field levels.
l User accounts allow users to log on to RSA Archer.
l User groups provide a means of grouping users based on organizational structure or geographic
locations.
l Access roles are collections of application-level and page-level rights that an administrator can
create and assign to any number of users and groups to control user privileges (create, read,
update, and delete).
l Security parameters are rules for controlling user access to RSA Archer and its individual pages.
l LDAP Configuration streamlines the administration of users and groups by allowing updates and
changes that were made in the LDAP server to be automatically reflected in RSA Archer.
Communication tools
The Platform offers multiple tools for communication with and between your end users and for
ensuring that your users have access to the right information in the system.
l Notifications alert users to specific conditions within records, particularly when it is something
that requires their attention or action (for example, a record is ready to be reviewed).

l The Discussion Forums feature enables you to create structured environments where users can
exchange information on various topics.
l The Training and Awareness feature enables you to construct and deliver training and awareness
communications to specified users and groups.
l Mail merge functionality allows you to export data into a Microsoft Word document.
l An Alias name is a short name for a unique object in the system that is human readable, but also
can be used in code or as a reference in configuration processes.
Data integration
You can use RSA Archer as a point of consolidation for enterprise data of any type for supporting
analysis and process management. RSA Archer is vendor neutral, content independent, and provides
three integration methods for consolidating data from disparate enterprise systems for governance,
risk, and compliance management.
l Data imports allow you to import data into an application or sub-form from an external data file
on a one-time basis.
l Data feeds allow you to build dynamic integrations with external enterprise systems and files that
can run automatically on an on-going schedule.
l The RSA Archer Web Services API also offers you a programmatic interface for automating the
exchange of information between RSA Archer and an external application.
l Finally, data publications allow you to extract data from your RSA Archer system and load it into
external systems for data analysis and modeling.
Data packaging
Packaging allows you to copy applications and other objects from one RSA Archer instance to
another, for the purposes of transferring large changes from development to test to production
instances or receiving and installing updates to RSA Archer Solutions.
Reporting
Any search against an application or questionnaire that you want to save and reuse at a later time
can be saved as a report. RSA Archer offers pre-built system reports and allows you to create your
own custom reports.
Workspaces, dashboards, and iViews

Workspaces, dashboards, and iViews are the visual tools that provide users quick access to records
and information related to their job function. You can create dashboards and iViews to display
reports, links, embedded web pages, RSS feeds, and other custom content. You can display these

iViews and dashboards to end users through workspaces, which are pages of related content.
Customizing the system

l You can match RSA Archer to your brand by using the Appearance menu to customize colors and
logos across the user interface.
l Globalization features in RSA Archer enable administrators and users to adapt the interface and
solutions to appear in languages and formats that meet the needs of different geographical and
cultural regions.
Advanced Operator Logic

When creating filters, you can use custom operator logic to form relationships between the individual
filters. By default, multiple conditions are related with the AND operator, as are multiple actions.
However, by creating custom operator logic, you can also use the OR and NOT operators, as well
as parenthetical groupings.
Note: The OR operator is supported only when you are filtering fields within a single level of a
leveled application or in a flat application. If you are filtering fields across different levels and
applications, you must use only the AND operator. Ultimately, the results of a search across
multiple levels and applications depend on the filters you apply and the relationships the search
process builds between the filtered fields.
Operator logic statements are evaluated left to right with parenthetical groupings evaluated first. By
using advanced operator logic with your filters, you can eliminate extraneous data that may be
imported with your data feed or included in your search results.
You enter the custom operator logic in the Advanced operator logic field.
Important: Custom operator logic must validate before you can save or apply changes to your data
filter. If your custom operator logic does not validate, you are prompted with an "Invalid Operator
Logic" error message.
Example: Single operator expression

You are importing assets from an external source into the Assets application. You want to import
assets from your external file only if they are labeled as being in a production environment or if they
are customer impacting.

To set up this process, you define data filters to evaluate both the System Environment and Security
Class elements in your external data file for the values you want. Without using operator logic, your
conditions are related with the AND operator, and the data feed imports items that are both in a
production environment AND have a high security class. By using operator logic with the OR
operator, you achieve the result you want: Assets that are in a production environment OR have a
high security class are imported into the Assets application.
Example: Multiple operators with nested parenthetical expressions

You also can use nested parenthetical expressions in your operator logic. Nested parenthetical
expressions allow you to combine the results of two separate logical conditions, thereby creating an
additional logical condition, as shown in the following example.
Based on the above criteria, the following table details the result of the operator logic.
(1) System (2) Security (3) (4) Operating (5) Server
Result
Environment Class Manufacturer System Room
Production Medium IBM RHEL 4.0 Denver Imported

Facility
Testing High Dell Windows Server Denver Imported

2003 Facility
Testing High Dell Windows Server Chicago Not

2003 Facility Imported
Production Medium Dell CentOS Denver Not

Facility Imported

The Data Feed Manager evaluates the nested parenthetical expressions first. In the last example in
the previous table, since neither 3 or 4 evaluate to "TRUE" in the nested parenthetical expression,
the primary parenthetical expression evaluates to "FALSE," and thus the entire logical condition
fails and the data is not imported, even though all of the other conditions are met.
Example: Multiple operators with a parenthetical expression

You can use additional operators by incorporating parentheses in your operator logic, as shown in the
following example.
Based on the above criteria, the following table details the result of the oper-
ator logic.
(1) System
(2) Security Class (3) Manufacturer Result
Environment
Production Medium IBM Imported
Testing High IBM Imported
Production High Dell Not Imported
Testing Medium IBM Not Imported
The system evaluates the parenthetical expression first. In the last example in the previous table,
since neither 1 or 2 evaluate to "TRUE," the entire condition fails even if 3 evaluates to "TRUE".

Chapter 2: Application Builder

Applications contain specific types of data records, such as incidents, controls, policies, or assets.
Through Application Builder, you can define the properties of applications, including the fields they
contain, their layout, and their appearance in the Navigation Menu. You can also group multiple
applications into solutions, enabling end users to search against those applications.
Each application has one or more owners who can modify its properties. When you access the
application list on the Manage Applications page, you can view all existing applications in RSA
Archer, but you can only edit those of which you have been granted ownership rights. Owners also
have unrestricted access to records stored in the application.
Note: When you view a record of an application of which you are the assigned owner or an
administrator, you can recalculate all calculated fields within the record.
Leveled applications
You can create multiple data levels within an application. By organizing fields into levels, you can
create master-detail record relationships within a single application. By linking records from one
level to records at the level above or below it, you can create hierarchical applications.
Example: Leveled application
The Policies application in the Policy Program Management use case is an example of a leveled
application. It contains three levels of data: Policy, Area, and Section. Each record in the Area level
is related back to a record in the Policy level, and each record in the Section level is related back to
a record in the Area level, as shown in the associated diagram of the Policies application.
An application can have many levels, and each data level has its own distinct fields, as shown in the
following figure. As a best practice and to ensure optimal application performance, create no more
than four data levels in an application.

Using a leveled application is especially useful for relating records in a child data level to one
parent-level record. In the Policies application example, the record “8.3.3 Password Expiration” in
the Section data level can only relate back to record “8.3 Authentication” in the Area level. You
would not relate record “8.3.3” in the Section level to record “5.5 Project Management” in the Area
level.
If you are considering a leveled application, but foresee child-level records relating back to more
than one parent-level record, consider creating two applications instead and linking those
applications with a cross-reference field.
Building Applications
The following table describes the steps to build an application.
Required
Step Task or Description
optional
1 Create the Required Create the application and set basic behaviors, such as the
application default language and whether users receive updates when
and set content is published or updated.
behaviors
2 Add the fields Required Create the fields that you need for collecting and managing
to the data in the application.
application
3 Define the Required Add fields to the layout and organize the fields in groups and
application sections.
layout
4 Create data Optional Create data driven events (DDEs) if you want to automate a
driven events variety of actions based on values or dates within individual
questionnaire records.
5 Designate the Optional Determine which fields display in the search results by
Navigation default.
Menu items

Required
optional
6 Define a Optional If the application is part of a workflow or advanced

specific workflow, you can specify the order in which a user performs
workflow the tasks.
You cannot enroll records in a workflow and an advanced
workflow at the same time. To determine which feature is
best suited for your needs, see the Workflow topic for either
feature.
7 Set the Optional If the application includes more than one calculated field, you
execution can specify the order in which each field is executed.
order of
calculated
fields
8 Assign Required Each application must include at least one application owner
application and report administrator. By default, the user who adds the
owners and application is automatically given these roles. You can
report specify additional users if needed for either role.
administrators

Adding Applications
Before adding an application, decide how the application will be used and how its content will be
managed. Consider the following questions:
l Should the application be placed in production immediately, or should it remain in development
until its structure has been formally approved?
l Is there any need to assign and track tasks associated with the application content records?
l Would the use of multiple data levels make information stored within the application easier to use
and organize?
l Should notification emails be used to alert users of new and updated records within the
application?
l Which users should be granted ownership rights to the application?
l Which users should be able to create global reports in the application to share with other
application users?
l Is there a need to change the default language for the application?
After you have made these decisions, you can frame the basic structure of an application, add the
appropriate fields, configure the application layout, designate the items that display in the Navigation
Menu, and create sub-forms, among many other application options.
1. Go to the Manage Applications page.
a. From the menu bar, click .

b. Under Application Builder, click Applications.
2. Click Add New.

3. In the Method field, do one of the following:
l To add a new application, click Create a new Application from scratch.
l To add an application from an existing application, click Copy from an existing Application
and select the application you want to copy.
Note: Copying an application does not duplicate advanced workflow system fields.
4. Click OK.
5. Enter the name of the application.
6. In the Solutions field, click to assign the application to one or more solutions.
7. (Optional) In the Language field, select the default language for the application. By default, the

language is set to the language specified for the instance.

8. Click OK.
Adding Data Levels in Applications
A data level is a hierarchical grouping mechanism for a subset of fields within an application.
1. Go to the General tab of the application that you want to update.

c. Select the application.
2. In the Structure field of the Options section, click Leveled (Outline).

3. In the Levels section, click Add New.
4. In the Files to Upload section, click Add New.
5. (Optional) Enter a name and description.
6. Click OK.
7. Click Save or Apply.
l Click Save to save and exit.
l Click Apply to apply the changes and continue working.
Setting Behaviors of an Application

The behaviors of an application include:
l Whether task management for workflow is enabled.
l Whether users receive notifications when content is updated.
l Whether spell check is run automatically when a record is saved.
l Whether users with update rights can edit a record directly from the key field link of search
results.
l Whether the default language is that of the user locale and not of the instance.
Enable direct to edit mode

The direct to edit mode allows users to open a record for editing from any supported area. Users
with update rights can open an editable record instead of a view-only record when they click the key
field link for a record in any of the following areas:

l Search Results list

l Cross references
l Related records
l Record links in notifications
l iViews (without having to display the report first)
l Tasks & activities on the Task Driven Landing Screen
l System reports that allow record drill-in

2. In the Options section, select the Direct to Edit checkbox.

Enable or disable notifications

When notifications are enabled, end users are allowed to receive notifications when content in the
application is published or updated.

2. In the Options section, do one of the following:

l To enable notifications, select the Notifications checkbox.
l To disable notifications, clear the Notifications checkbox.


Enable or disable task management

If you are using Workflow or Advanced Workflow, you must enable task management. By enabling
an application with task management capabilities, users can easily track and manage open and
completed activities associated with specific content records.
When you enable task management capabilities for an application, a related records field is placed
on the application layout.
Components of the related records field include:
l Open Tasks/Activities. Lists all of the open Task Management records associated with the
content record.
l Activity History. Lists all of the closed Task Management records associated with the content
record.


l To enable task management, select the Task Management checkbox. If you want to rename
the default settings for the related record fields, do the following
a. In the Task Field Name field, enter the name of the task, for example,
Open Tasks/Activities.
b. In the History Grid Label field, enter the name of the task, for example, Closed Tasks.
l To disable task management, clear the Task Management checkbox.
Note: If you disable task management, Task Management records are no longer viewable in
records of the associated application. However, all Task Management records still are stored
in the Task Management application. If task management is subsequently reactivated, all
existing Task Management records are displayed with their associated content records.


Enable spell check

Use this option to automatically spell check a record each time it is saved in an application.

2. In the Options section, select the Spell Check checkbox.

Select a default format for search results

You can select a default format for search results generated from the Records link in the Navigation
Menu, and from the Search Records page.

2. In the Options section, in the Search Results field, select one of the following formats.
The following table describes the options.
Options Description
Column - Displays the search results in a columnar layout where fields are displayed
Hierarchical across the page from left to right, and the values in the search results fields are
presented showing relationships.
Column - Displays the search results in a simple columnar layout without any grouping of
Flat values.

Options Description
Row Displays the search results in a row layout with fields stacked vertically and
records separated by horizontal lines.
Summary Displays the search results in a simple block record format with the key field as
the heading for each record. Fields in the search display as values only in a
single paragraph with each value separated by a diamond symbol.

Change the default language

2. In the Options section, in the Language field, click Change.

3. From the Language list, select a default language for the application.
4. Click OK.
Optimize calculations
Note: If an administrator disables the option in the RSA Archer Control Panel, field-level
calculation optimization is not available.


2. In the Options section, in the Enable Optimize Calculations field, select Optimize related
calculations after bulk actions complete.
Adding Fields to an Application

When you create a new application from scratch, three system fields are added by default: a First
Published Date field, a Last Published Date field, and a Tracking ID field. When you create a new
application by copying another application, all of the fields from the original application are copied
over. In both cases, create as many other fields as you need.
See the Fields section for more information.
Defining the Layout of an Application

From the Layout tab in an application, you can control the layout of fields within the application.
You can also add tabs, sections, supporting text, and custom controls to create an intuitive interface
for users as they add and edit records in the application. This tab also provides a drag-and-drop
control for organizing page elements in multiple columns, which enables you to make effective use
of larger monitors and greater screen resolution.
See the Layouts section for more information.
Creating Data Driven Events in an Application

By creating data driven events (DDEs) within an application, you can automate a variety of actions
based on values or conditions within individual application records. For example, you can apply a
conditional layout, generate a notification, or set a date.
See the Data Driven Events section for more information and detailed steps for creating DDEs.

Designating Navigation Menu Items

You can select which menu items display for an application in the Navigation Menu. In addition to
configuring the display of menu items in the Navigation Menu, you can define default search settings
for searches executed in the application from the Navigation Menu. These searches include the
fields that are displayed, and the sort order of those fields.
Important: Do not use the names Version, Level ID, or Content ID for fields that you add to an
Application or Questionnaire. Using these names in Applications or Questionnaires prevents the
fields from displaying properly. To ensure that the fields display properly, use different names.
Menu item types

The following table describes menu items.
Menu
Description
Item
Default By default, the following items display in the Navigation Menu:

l Search Records
l New Record
l Records
l Data Import
l Reports
If you do not want a default item to appear in the Navigation Menu, clear the checkbox
for that item.
field Certain field types are labeled as By field name menu items and enable you to search for
name records that include that specific field value. The following field types enable quick
filtering from the Navigation Menu:
l Cross-Reference
l Matrix
l Record Permissions
l Record Status
l User/Groups List
l Values List
data For leveled applications, the menu items are labeled By data level and enable you to
level select records that reside within a specific data level.

Designate menu items for the Navigation Menu

1. Go to the Navigation Menu tab of the application that you want to update.

b. Under Application Builder, click Application.
d. Click the Navigation Menu tab.
2. In the Show Item column, do one of the following:

l To show a menu item, click the checkbox for that item.
l To hide a menu item, clear checkbox for that item.
3. (Optional) To edit additional properties of a menu item, do the following:
a. In the Menu Item column, click the item name.
b. Set any of the following options as applicable.
Option Description
Visibility Displays the item in the Navigation Menu.
Display Specifies the text that appears in the Navigation Menu for the item that you
Alias selected to display. If you selected to display the item in the Visibility field,
you must provide the Display Alias.
Default Expands the item node in the Navigation Menu by default. This field becomes
Expansion available when the Visibility field is enabled.
Fields to Specifies the fields that display in the search results when a user clicks one of
Display these items to execute a search. The fields you select are listed under Records
and By field or By data level menu items.
Use below the Selected list to arrange the fields in the display order.
Use to remove a field from the search results for a menu item.
Sorting Specifies the list order of the fields displayed in search results, which is
executed when a user clicks the menu item.
Use the Field drop-down menu to specify whether the search results are
initially sorted in ascending or descending order. You can add new fields to
sort by.
4. Click OK.


Defining a Workflow for Applications

You can define a workflow or advanced workflow for an application.
Workflow and Advanced Workflow are separate features available in RSA Archer. RSA does not
support simultaneously enrolling records in both features. Enrolling records in both Workflow and
Advanced Workflow at the same time adversely affects record layouts and creates confusion when
identifying when a record has successfully progressed through a workflow.
The following table contains information to help you determine which feature suits your needs best.
Workflow Advanced Workflow
l Create a linear content review process l Create complex non-linear workflow processes
within applications, leveled applications, within applications, leveled applications, or
or questionnaires. questionnaires.
l Send notifications only after content is l Send notifications to multiple users on-demand.
updated and saved by a user. l Enable automatic enrollment for new records,
l Enable only user-initiated enrollment updated records, or user initiated options.
options. l Visually depict the end-to-end advanced
workflow process at the administrator level.
l Designate a specific name for each node to
easily identify the intent of each stage in your
workflow process.
l Create tasks that are linked to the task-driven
landing screen of specified users.
See one of the following:

l For more information about advanced workflow and detailed steps for using them, see the
Advanced Workflow section.
l For more information about workflow and detailed steps for using them, see the Workflow
section.

Setting the Execution Order for Multiple Calculated Fields

If you are working with an application that contains multiple calculated fields and the formula for
one calculated field is dependent on the result of another calculated field, you must specify the order
in which you want to compute the calculated fields.
Note: When you add a new calculated field to an application, it displays at the bottom of the list in
the Field Calculation Order listing.
Set the execution order for multiple calculated fields

1. Go to the Calculations tab of the application that you want to update.

d. Click the Calculations tab.
2. Go to the Field Calculation Order section.

3. Drag and drop each field name into the Formula section until all the fields are in the calculation
order you want.
4. Click Save.
Assigning Application Owners and Report Administrators

Application owners have unrestricted access to all record content in their applications, including
sub-form content. If you are an owner for one or more applications, you can open those applications
for editing from the Manage Applications page. When you access this page, you see all of the
applications that administrators in your organization have created, but you can only edit those
applications for which you have ownership rights. If no users have been assigned ownership, only
users who have been granted the System Administrator access role can open the applications for
editing.
Application owners
You can select the users who will serve as owners of an application.
Note: If you want to edit notifications associated with an application, an administrator must assign
you an access role that gives you access to the Manage Subscription Notifications page.
l Owners have full editing rights over their designated applications, which means they can fully
customize its properties. This includes adding and arranging fields in the application, enabling

notifications, configuring data driven events, and others.

l Ownership is automatically granted to the user who creates it. However, your rights can be
revoked by any other user who is subsequently granted ownership of the application.
As an application owner, you can:

l Create new records in the application and its sub-forms.
l View all records and field content in the application and its sub-forms, regardless of record-level
or field-level permissions.
l Update all records in the application and its sub-forms.
l Delete any existing records in the application and its sub-forms.
l Create global reports for the application as report administrators.
Report administrators
You can assign permissions to users and groups for creating and editing global reports in a specific
application.
l Global reports can be shared with any user in the application, but only users with access to the
application for which the report was created can see the contents of the report.
l Users who do not have global report creation rights can only create personal reports, which
cannot be shared with other users.
Assign application owners and report administrators
1. Go to the Administration tab of the application that you want to update.

d. Click the Administration tab.
2. In the Applications Owners control group, click and do the following:

a. From the Available list, select the users or groups you want to specify as the application
owners.
b. (Optional) Search for a specific user or group name.

3. In the Report Administrators control group, click and do the following:

a. From the Available list, select the users or groups you want to specify as the application
owners.
4. Click OK.
Revoke ownership or report administrators
1. Go to the Administration tab of the application that you want to update.

2. Do one of the following:
l To revoke ownership, click in the Applications Owners field and click to the right of
the appropriate name in the Selected list.
l To revoke report administrators, click in the Report Administrators field and click to
the right of the appropriate name in the Selected list.
3. Click OK.
Assigning Applications to Solutions

You can assign an application to one or more solutions. Solutions are groups of related applications
that work together to address a particular business need. For example, you might have a Security
Compliance solution that contains the following applications: Audit Tracking, Audit Requests, and
Contacts. Typically, solutions are assigned when you create the application.

By selecting multiple solutions for a single application, you can reuse the same information for a
variety of purposes. For example, you could group a Contacts application into your Customer
Relationship Management and Project Management solutions so that both solutions can use contact
information from the same source.
You can also remove an application from a solution when you want.
Assign an application to a solution

2. In the Solutions field of the General Information section, click .

3. From the Available list, select the solution that you want to hold your application.
4. Click OK.
Remove an application from a solution

2. In the Solution(s) field on the General Information section, click .

3. In the Selected list, click to the right of the solution name.
4. Click OK.

Attaching Documentation to Applications

Complete this task to attach supporting documentation to an application, such as design
specifications, approval forms, or other documentation.
If you are using the Relationship Visualization feature and have created the visualization xml file,
attach this file to the application or questionnaire. For more information on the Relationship
Visualization feature, see the Configuring Relationship Visualization topic in the RSA Archer
Online Documentation.
Attach documentation to an application

1. Go to the General tab of the application to which you want to attach a file.

c. Click the application.
2. In the Documentation section, click Add New.

3. Select the document file or files that you want to add to the application.
4. Click OK.
5. Click Save.
Changing the Application Status

The application status allows you to:
l Create an application for test purposes.
l Archive an application so that data can no longer be entered.
l Hide an application when it is no longer used.
l Use an application to collect active data for your business.


2. In the Status field, select the status for the application.
Application status options

The following table describes the options you can set for an application status.
Status Description
Production Sets the application so that users can enter 'live' data for your business
environment. These applications can be referenced using cross-reference and
cross-application status tracking fields, and users can execute searches in these
applications and save those searches as named reports.
Development Sets the application so that users can enter data without impacting live data. A
development application has all of the characteristics of a production
application, but all records in the application are displayed with a watermark.
Development applications do not count against your custom application
licenses.
Archived Sets the application so that content is read-only and users can continue to
search and display the application content. The Add, Edit, and Delete options
are disabled, along with the Data Import feature. End users can continue to
select records in an archived application through cross-reference fields in
production applications. However, calculated fields and record permissions are
not recalculated in archived applications. Archived applications do not count
against your custom application licenses.
Retired Sets the application so that it is hidden from users. Users cannot create or edit
records, and cannot execute searches or view reports that were saved in the
application at a time when it was in production.
If you retire an application that an administrator has referenced in another
application cross-reference or cross-application status tracking field, that field
is also retired.
Application owners can continue to modify retired applications, assign access
rights for retired applications, and create notification templates for retired
applications.
Data feeds and questionnaires associated with the retired application continue
to use system resources. Prior to retiring an application, RSA recommends
deactivating all data feeds that target retired application.
Important: After your organization reaches its application limit as specified by your license,
you cannot create additional production applications. You can however still create development
applications.


Deleting Applications or Application Content

If you have delete permissions on the Manage Applications page, you can delete applications for
which you have ownership rights.
Important: When an application is deleted, all data within that application is permanently lost.
Delete an application

2. Select the row of the application that you want to delete.
3. Under the Actions column, click .
Delete all content from an application
Note: You can only delete the content of retired applications.

c. Click the application.
2. In the Status field, select Retired.
3. Click in the page toolbar to save your changes.

4. Click the Administration tab.
5. In the Delete Application Content field, click Delete Content.
6. In the Warning dialog box, select the checkbox indicating that you understand the implications of
performing this operation.
7. Click OK.

42
Chapter 3: Questionnaires
The Questionnaire feature is available only if your organization has licensed one or more use cases
that contain questionnaires. Questionnaires can be configured to run on mobile devices if RSA
Archer is licensed for mobile questionnaires.
The Questionnaire feature enables you to do the following:
l Automatically score questionnaire records and generate findings for each incorrect answer.
l Build and deliver targeted assessment campaigns for any type of organizational object, such as
your assets, business processes, or vendors.
l Build or import questions in the Question Library application for use in any questionnaire.
o Assign questions to categories and apply filter properties that you can later use to create
question display rules.
o Assign correct answers, numeric answer values, and question weighting, and you can link
Values List questions to authoritative sources and control standards to measure and report
compliance.
l Build questionnaires by selecting questions from the Question Library for inclusion and assigning
the questionnaire to a target application, such as Applications or Facilities.
l Configure your application structure by preparing the target application and by configuring risk
register and metrics.
l Create a library of questions linked to authoritative sources and control standards.
l Define question display rules that dynamically show or hide questions to end users based on
attributes of the target they are assessing.
l Ensure that all necessary policies, control standards, and authoritative sources are available.
l Launch questionnaires online through assessment campaigns.
l Monitor and report on inherent and residual risk, and measure compliance.
Questionnaire terminology
The following table describes questionnaire terms.
Term Definition
Questionnaire A questionnaire is structurally similar to an application but with unique qualities

that enable administrators to better create and support risk assessment processes.
A questionnaire is tied to a target application, such as Assets, Vendors, Business
Processes, and so on to facilitate the assessment of specific target objects.
Questionnaires include system-generated fields that calculate the progress, status,
and scoring of individual questionnaire records. These system fields also enable
administrators to assign submitters and reviewers for questionnaire records and to
specify due dates. You can add an unlimited number of questions to a
questionnaire based on the type of target the questionnaire is designed to assess.
Questionnaire A collection of fields and questions linked to a specific target application record.
Record Questionnaire records are stored within questionnaires.
Question A field type unique to questionnaires that serves as the functional component of an
assessment. The following question types are available: Attachment, Cross-
Reference, Date, Numeric, Text, and Values List.
Questions enable users to evaluate the specific item being assessed, such as an
asset, business process, vendor, facility, and so on. Each question has a
configurable set of properties that govern how the question is displayed in the
questionnaire and how (or whether) the user is to interact with it. In addition to the
properties associated with standard fields, questions can be filtered through
specific question display rules, linked to authoritative sources, included in
assessment scoring, and utilized in automated findings generation.
You can create questions with predefined answers that users can select from, or
you can allow users to enter free-form text, dates, or numeric entries. You can
also allow users to attach documents, pictures, diagrams, and other types of files
to a questionnaire to provide supporting information or evidence.
Target The application that contains a specific set of items, such as servers, vendors, or
business processes. For example, a Data Security questionnaire might have the
Devices application as its target. The questionnaire records within the Data
Security questionnaire would pertain to individual records in the Devices
application, such as a specific database server.
Term Definition
Campaign Automates creating questionnaire records for assessment targets based on the
properties of target records. For example, if the target of the questionnaire is a
Devices application, the campaign can auto-create questionnaire records for all
devices in a production environment. Campaigns may be configured to populate
questionnaire records with the year, quarter, and due date of the assessment, along
with the assigned submitter and reviewer. Recurring campaigns can be launched,
and multiple campaigns may be created for each questionnaire.
Findings Documents incorrect answers to questions in a questionnaire. Findings are

managed through the Findings application and can be automatically generated
when findings rule criteria are satisfied. Users can also create findings manually.
Using the Findings application, administrators can document, categorize, and
remediate issues of non-compliance. Findings are not a required component of the
assessment process, but by enabling findings, administrators can gain valuable
insight into areas of non-compliance within their organization.
Question A unique grouping of questions enabling you to organize and filter results, such as
Category Access Control, Business Continuity, and Risk Management. If you enable
Findings for a questionnaire that you are managing, RSA Archer automatically
creates Findings records for questions that are answered incorrectly, and each
finding includes the associated question category, enabling you to search and sort
findings by category.
A key use of question categories is for creating question display rules. You can
define rules to show or hide questions when end users fill out a questionnaire
based on attributes of the target they are assessing. For example, you have defined
a question display rule for a questionnaire that assesses targets in your Assets
application. The question display rule specifies that if an asset contains
confidential customer data, the questionnaire should display all questions in the
Access Control category. When an asset manager in your organization fills out the
questionnaire to assess the security of a server that houses confidential customer
data, the asset manager will be prompted to answer the Access Control questions
you have selected for display.
Question Show or hide questions in a questionnaire based on attributes of the assessment

Display Rule target. Using display rules, a single questionnaire can be used to assess all targets
of one type (such as all servers) even though those targets vary in their individual
attributes.
Question A numeric attribute that can be assigned to any Values List question. The question
Weighting weight is used to generate the question score.
Term Definition
Question A calculated value determined for each Values List question. The value is
Score determined by the following formula:
[question weight] * [numeric value assigned to selected answer] = question score
or (for multi-select Values List questions):
[question weight] * SUM ([numeric value assigned to selected answer1], [numeric
value assigned to selected answer2]) = question score
Question scores are rolled up to determine a questionnaire score.
Inherent The sum of all question scores for a questionnaire record. This score represents
Score the natural risk associated with the target in absence of any remediation activities
or changes in the environment.
Residual The risk that remains in a target after findings are remediated. This score is
Score calculated as Inherent Risk – Remediation Changes = Residual Risk. While
inherent risk is calculated only once, residual risk changes over time as findings
are remediated. The residual score is displayed in the Quantitative Summary in a
questionnaire record, enabling end-users to monitor changes to the score over
time.
Tasks Action items that have been assigned to a user relating to a finding. All tasks are
created and managed through the Task Management application, which can be
used to document the remediation activities associated with items identified in the
Findings application.
Question types
The following table describes question types.
Question
Description
Type
Attachment Enables users to upload documents, pictures, diagrams, and other types of files to a
questionnaire record to provide supporting information or evidence. When
configuring an Attachment question, you can specify the total number of files that
can be uploaded (attached), as well as the size (between 1 and 100 MB) permitted
for each file. You can also enable end users to keyword search into attached
documents. The following file types are supported for document searching:
l Microsoft Word
l Microsoft Excel
l PDF
l Text
Cross- Enables users to associate records from other applications or questionnaires with a
Reference questionnaire record.
When you create a Cross-Reference question, a Related Records field is
automatically added to the related application or questionnaire. Within an individual
record in the related application or questionnaire, you can see all records that have
been cross-referenced to that record.
Date Accepts only a valid date entry and is displayed to users with a calendar icon. Users
can either enter dates directly or click to select a date from the Date Range
dialog box. You can also enable users to enter a time of day to associate with the
date.
The Date question type also supports a default date value. The default date value is
set when a questionnaire record is created. When configuring the default value, you
can select to display the date of questionnaire record creation, a date that is a
specific number of days after the date of record creation, or a static, specific date.
You can also select to display no default value.
Question
Description
Type
Numeric Accepts both positive and negative values and, by default, accept values of any size.
However, when configuring a Numeric question, you can choose to apply minimum
and maximum value constraints. You can also specify the number of decimal places
permitted for the value.
The Numeric question type also supports the following specialized options:
l Numeric Ranging - If you enable this option, you can define a set of numeric
ranges and apply a descriptive name to each range. For example, a range named
"High" might be mapped to the numeric range "8 - 10." The range name you
define for the question is then displayed in the Filter by Value section of the
Search Records page for the questionnaire. This allows users to search across a
range of values for your Numeric question by selecting the range name as part of
their filter criteria.
l Format - By selecting this option, commas are used to separate units of numbers.
For example, if you enter the value "10000" in the Edit mode of the record, the
value would be displayed as "10,000" in the View mode of the record.
l Prefixes and Suffixes - By selecting one or both of these options, you can insert
text (up to 10 characters, including special characters) before or after the value in
a Numeric question to provide context for end users. For example, you can enter a
dollar sign as a prefix or a distance unit as suffix.
Text Accepts both alphabetic and numeric entries. It can be displayed to users in a single-
line or a multi-line (scrolling) text area. If the question is configured as a text area,
you can specify the height (in lines) for the control.
By default, entries in this question type are not restricted. However, when
configuring this question type, you can choose to set a maximum character length for
entries. In addition, you can restrict users from entering a value in the Text question
that is identical to a value entered in another record within the questionnaire, thereby
ensuring that all values in the Text question are unique.
Question
Description
Type
Values List Provides users with a list of predetermined values from which to choose. This field
type can be expressed using one of several interface control types:
l Drop-down
l Radio buttons
l Checkboxes
l List box
l Values pop-up
You can also add a numeric weight to a question and assign a numeric value to the
individual selections available within the question. These numbers are used to
compute the score for a questionnaire.
You can populate a Values List question with either a custom or a questionnaire
values list. If you use a custom answer list, you must define the answers for the
question. Custom answer lists cannot be reused to populate any other Values List
question.
You can create questionnaire values lists that you can reuse for any Values List
question within the questionnaire.
Assessment Process
The following phases provide a general overview for building and delivering an online questionnaire
to assess risk within your organization.
Assessment
User Details
Phase
Creating and Questionnaire Create new questions or import your existing questions through
Configuring Owner/Admin the Question Library application. When configuring your
Questions questions, do the following:
l Select the appropriate question type to ensure the correct data
is collected.
l Determine the weighting of individual questions.
l Include the appropriate answer selections and determine the
correct answer to the question.
Assessment
User Details
Phase
Building Your Questionnaire Build your questionnaire according to requirements outlined by

Questionnaire Owner/Admin your organization by doing the following:
l Create your questionnaire and select the application that
contains the targets that you want to assess, such as
applications, facilities, or vendors.
l Copy your questions from the Question Library and edit them
as needed.
l Define rules to determine the questions that are displayed
based upon the properties of the specific target.
l Enable the automatic generation of Findings records for
incorrectly answered questions.
l Create an assessment campaign to launch the questionnaire to
the appropriate end users.
Important: Configure the questionnaire completely before

releasing it to users. If you change a questionnaire during an
assessment cycle, you may lose data that has already been
gathered by the questionnaire.
Assessing End-users Users complete their assigned assessments through the RSA
Your Target Archer web-based interface. While assessing a target, the end
user can include question-specific comments to support their
answers, attach supporting evidence, and delegate additional
users to an assessment as needed.
Evaluating End-users When users complete their assigned questionnaire records, they
Findings can view reports to determine the risk associated with specific
targets. With the Findings feature enabled, RSA Archer
automatically generates Findings records for each incorrectly
answered question to identify areas of noncompliance.
Resolving End-users To help resolve issues of non-compliance, the Exception

Issues of Requests and Remediation Plans applications are tied to Findings.
Non- In addition, as findings are discovered, you can assign, track, and
Compliance manage open and completed activities associated with specific
findings through the Task Management application.
Populating the Question Library

The Question Library is an application in RSA Archer that stores assessment questions that you can
reference and copy into a questionnaire. Each question is stored as an individual record, and each
record contains information including the question and answer text as well as information necessary
to display and score the question. Depending on the use cases that you have licensed, the Question
Library contains a large set of pre-built questions by default. In addition, you can add new questions
and store them in the Question Library.
When you create a questionnaire, you can copy any number of questions from the Question Library
to the questionnaire. Once copied, you can modify and configure that question as needed, without
affecting the original question record stored in the Question Library.
You can use the Question Library application to build a consistent, centralized library of questions
for any type of assessment. For each question in the library, you can assign correct answers,
numeric score values, weighting, and other attributes. These settings enable you to dynamically filter
the questions that are presented in specific assessments. Additionally, you can easily link questions
to authoritative sources, control standards, and corporate policies to measure and report compliance.
If your organization uses the Policy Management solution as the foundation to an enterprise risk and
compliance management program, you can link individual questions directly to relevant internal
controls and authoritative sources. While this linkage is not required, it enables you to measure
compliance with controls and regulations for any type of target, such as a vendor, business process,
or facility.
You can update the question text that is displayed to end users when they fill out a questionnaire or
view the results of a completed questionnaire. For example, you could change the question "Is all
data stored on this server encrypted?" to "Is all confidential data stored on this server encrypted?"
If you are working with a Values List question, the Question tab also provides a control for applying
a numeric weight to the question. (You cannot assign a weight to other question types, including
Text, Numeric, Date, Attachment, and Cross-Reference). When a user completes a questionnaire,
the question weight is multiplied by the numeric value of the selected answer to produce a question
score.
Use the following tasks:
l Adding Questions to the Question Library
l Importing Questions into the Question Library
Adding Questions to the Question Library

Each record in the Question Library application represents a single question. Once saved in the
library, this question can be copied and used within a questionnaire as long as it has an active status.
You also can import multiple questions at the same time.
1. Add a new record to the Question Library application.

a. From the menu bar, click workspace.
b. Select the solution you want.
c. Click Question Library.
d. Click New Record.
2. In the Status field, select Active.

3. In the Question Name field, enter a name for the question.
Note: This name labels and identifies the question. It also is the key field for the Question
Library record.
4. From the Category list, select a category.
Note: The category determines the section in which the question is displayed. It also determines
whether a question is displayed to a user when there are Question Display Rules in the
questionnaire. If your user account has edit privileges, you can click Edit and add additional
categories to the list.
5. In the Question Text field, enter the text for the question that is displayed to the user.
6. From the Question Type list, select a question type.
Note: You cannot change this value after you save the question.
7. In the Display Format field, select how the question is displayed.

8. Depending on the question type that you selected, configure the applicable sections.
l For Attachment questions, complete steps 2-4 in Adding Attachment Questions.
l For Cross-Reference questions, complete steps 2-4 in Adding Cross-Reference Questions.
l For Date questions, complete steps 2-4 in Adding Date Questions.
l For Numeric questions, complete steps 2-4 in Adding Numeric Questions.
l For Text questions, complete steps 2-4 in Adding Text Questions.
l For Values List questions, complete steps 2-7 in Adding Values List Questions.
9. Click Save or Save and Close.
l Click Save to apply the changes and continue working.
l Click Save and Close to save and exit.
Importing Questions into the Question Library

If you have a large number of questions to add to the Question Library, you can use the Data Import
feature instead of manually entering each question individually. The Data Import feature includes a
set of configuration options to import data from a file to the appropriate fields and records in the
Question Library.
Task 1: Prepare for data import

To ensure that the data is correctly and efficiently copied into the application, examine both your
external data file and the Question Library application before importing questions into the Question
Library. Taking a few minutes to plan a successful data import reduces the amount of time spent
resolving import errors.
Consider the following points as you examine your import file and the Question Library application
into which you are importing data:
l Your file must be a delimited-values data file. The Data Import Wizard requires you to specify
the primary and secondary delimiters used in your data file. Know these characters before you
begin the data import.
l Many fields in the Question Library application are required. These fields, including their values,
must be present in your data import file for a successful data import. In addition, only certain
types of values are accepted in the Question Library fields. Base the structure of your import file
on the fields described in Add a Question to the Question Library.
l The import process copies data from the import file into the Question Library; it does not create
any new fields. The data within your import file must map to an existing field within the Question
Library application.
l Mapping fields from your data file to fields in the application is much easier if the corresponding
fields have the same name. The application automatically maps import fields to application fields
when they have the same name, which can save time in manually mapping fields.
l If your data import includes Values List questions, you must perform two separate operations.
First, import data into the Question Library records. Second, import the associated Answer
Values sub-form on a subsequent data import. You cannot import the Answer Values information
at the same time as the initial data import.
Important: Your import data file for the Answer Values sub-form must contain the unique identifier
from the parent Question Library record. For example, if you are importing answer values for the
question, "Does this application contain customer data?" you need to include the unique identifier for
this question. This practice ensures that your answer values are associated with the correct question.
You can use values from either the Question ID or the Question Name field as unique identifiers for
a Question Library record.
Task 2: Import questions into the Question Library

1. Examine both your external data file and the Question Library application.
2. To import the data file that contains the questions, run the Data Import Wizard.
3. If your data import includes Values List questions, you need to import the associated Answer
Values sub-form on a subsequent data import.
Note: You cannot import the Answer Values information at the same time as the initial data
import.
Building Questionnaires
The following table describes the steps to build a questionnaire.
Required
Optional
1 Create the Required Create the questionnaire.

questionnaire
2 Add questions Required Create the questions and fields that you need for collecting
and fields to data during the assessment.
the
questionnaire
3 Configure the Required Add fields and questions to the layout and organize them in
layout groups and sections.
4 Create data Optional Create data driven events (DDEs) if you want to automate a
driven events variety of actions based on values or dates within individual
questionnaire records.
5 Configure Optional You can determine which fields display in the search results
Navigation by default.
Menu items
6 Define Optional If the questionnaire is part of a workflow, you can specify the
workflows order in which a user performs the tasks.
7 Configure Optional You can create rules to show or hide questions based on
question individual attributes of the assessment target.
display rules
Required
Optional
8 Enable Optional You can configure a questionnaire to automatically generate

automatic findings when a user answers one or more questions
generation of incorrectly while filling out the questionnaire.
findings
9 Set the Optional If the questionnaire includes more than one calculated field,
execution you can specify the order in which each field is executed.
order for
multiple
calculated
fields
10 Set Required Set basic behaviors, such as the question display style and
questionnaire whether the questionnaire is mobile-ready.
behaviors
11 Assign Required Each questionnaire must include at least one questionnaire

questionnaire owner and report administrator. By default, the user who
owners and adds the questionnaire is automatically given these roles. You
report can specify additional users if needed for either role.
administrators
Adding a Questionnaire
You can create a new questionnaire by naming and describing the questionnaire, and assigning the
questionnaire to an existing solution. For example, if you are assessing technical assets for PCI
compliance, you would group the questionnaire into the PCI Compliance solution. You also select
the target application that houses the objects of your assessment, such as applications, business
processes, vendors, and so on.
Another key step in the creation process is to determine whether you want to copy questions from
the Question Library into your questionnaire or create new questions from scratch. If you select to
copy questions, you can select any number of questions from the Question Library, and those
questions automatically are displayed in the layout of your questionnaire and grouped into sections by
category.
Important: Ensure that all necessary policies, control standards, and authoritative sources are
available.
Add a questionnaire
1. Go to the Manage Questionnaires page.

b. Under Application Builder, click Questionnaires.
2. Click Add New.

l To use the settings of an existing questionnaire as a starting point for your new questionnaire,
click Copy an existing Questionnaire, and select the existing questionnaire from the
Questionnaires list.
Note: Copying a questionnaire does not duplicate advanced workflow system fields.
l To select new settings for the questionnaire, click Create a new Questionnaire from scratch.
4. Click OK.
5. Complete the General Information section:
a. In the Name field, enter a name for the questionnaire.
b. In the Solutions field, click , assign the questionnaire to one or more solutions, and click
OK.
c. In the Language field, select a language.
d. In the Target Application field, click , select an available application to assign to the
questionnaire and click OK.
If the application that you selected is leveled, the Target Level field is displayed. Click
and select a level from the list.
e. To copy questions from the Question Library into the questionnaire, select the Question Copy
checkbox.
6. Click OK.
Adding Questions and Fields to a Questionnaire

When you create a questionnaire, you can add questions by copying questions from the Question
Library or by adding them manually.
In addition to the questions themselves, questionnaires contain several standard fields for collecting
data on the assessment. Standard fields differ from questions in that they do not include question text
or weighting, they cannot be filtered using question display rules, and they are not included in
progress calculations for questionnaire records and campaigns. However, standard fields offer more
variety for data collection than questions do, and you can control user access to fields, whereas all
questions are inherently public.
Copy questions from the Question Library into a questionnaire
Note: After you copy a question from the Question Library into your questionnaire, it is no longer
connected to the original question in the Question Library. As a result, you can modify the question
without affecting the version in the Question Library. This enables you to tailor questions for a
specific type of assessment. For example, you can change the question weighting, relate a question
to additional authoritative sources, add new answer options, and more.

l If you just added a new questionnaire and selected the Question Copy checkbox, go to step 2.
l Go to the Fields tab of the questionnaire you want to modify, and click Question Library.

c. Select the questionnaire.
d. Click the Fields tab.
e. Click Question Library (in the top-right corner of the page).
Note: You also can access the Record Lookup page from the Layout tab. Click the Add
New Field arrow and select Add from Question Library.
2. On the Record Lookup page, select the checkbox for each question that you want to copy into
your questionnaire.
Note: To limit the types of questions that you see on the Question Lookup page, enter the values
that you want to filter by in the filter boxes for that column. Click Filter in the column header to
refine your search results. You can also select all questions within the Search Results page by
selecting the checkbox at the top of the Question Name column.
3. Click OK to copy the selected questions into your questionnaire. When prompted to confirm your
selections, click OK to complete the copy operation.
When you leave the Question Lookup page, the Administrators tab is displayed on the Manage
Questionnaires page. In the Last Question Library Copy control group at the bottom of the page,
you can see the status of your copy operation. When it is complete, click the Layout tab to view
your questions in the questionnaire layout. The questions automatically are grouped in sections by
question category.
Add questions manually

See the following tasks:
l Adding Attachment Questions
l Adding Cross-Reference Questions
l Adding Date Questions
l Adding Numeric Questions
l Adding Text Questions
l Adding Values List Questions
Add fields
l Adding Access History Fields
l Adding Attachment Fields
l Adding Cross-Application Status Tracking Fields
l Adding Calculated Fields
l Adding Date Fields
l Adding Discussion Fields
l Adding External Links Fields
l Adding First Published Date Fields
l Adding History Log Fields
l Adding Image Fields
l Adding IP Address Fields
l Adding Last Updated Date Fields
l Adding Matrix Fields

l Adding Multiple Reference Display Control Fields
l Adding Numeric Fields
l Adding Record Status Fields
l Adding Record Permissions Fields
l Adding Scheduler Fields
l Adding Sub-Form Fields
l Adding Text Fields
l Adding Tracking ID Fields
l Adding User/Groups List Fields
l Adding Values List Fields
l Adding Voting Fields
Copying Questions from the Question Library into a Questionnaire
When you create a questionnaire, you can copy questions from the Question Library into your
questionnaire. You also can copy questions at any time using the Fields or Layout tab of the Manage
Questionnaires page.
Note: After you copy a question from the Question Library into your questionnaire, it is no longer
connected to the original question in the Question Library. As a result, you can modify the question
without affecting the version in the Question Library. This enables you to tailor questions for a
specific type of assessment. For example, you can change the question weighting, relate a question
to additional authoritative sources, add new answer options, and more.
1. Go to the Fields tab of the questionnaire you want to modify.

2. Click the Question Library link in the top-right corner of the page.
Note: You also can access the Record Lookup page from the Layout tab. Click the Add New
Field arrow and select Add from Question Library.
3. On the Record Lookup page, select the checkbox for each question that you want to copy into
your questionnaire.
Note: To limit the types of questions that you see on the Question Lookup page, enter the values
that you want to filter by in the filter boxes for that column. Click Filter in the column header to
refine your search results. You can also select all questions within the Search Results page by
selecting the checkbox at the top of the Question Name column.
4. Click Apply to copy the selected questions into your questionnaire. When prompted to confirm
your selections, click Continue to complete the copy operation.
When you leave the Question Lookup page, the Administrators tab is displayed on the Manage
Questionnaires page. In the Last Question Library Copy control group at the bottom of the page,
you can see the status of your copy operation. When it is complete, click the Layout tab to view
your questions in the questionnaire layout. The questions automatically are grouped in sections by
question category.
Creating Questions

l Adding Attachment Questions
l Adding Cross-Reference Questions
l Adding Date Questions
l Adding Numeric Questions
l Adding Text Questions
l Adding Values List Questions
Adding Attachment Questions
To protect data integrity, you cannot change the question type. For example, you cannot change a
Date question into a Text question, after a question has been created.
Task 1: Create a new attachment question in a questionnaire
1. Go to the Fields tab of the questionnaire in which you want to add a new question.

2. Click Add New.

3. In the Creation Method section, select one of the following:
l To add a new field, click Create a new Field from scratch, and click Attachment from the
Question Field Type list.
l To add a new question from an existing question, click Copy an existing Field, and select the
attachment field you want to copy.
4. Click OK.
5. In the General Information section, enter a name and description for the question.
Task 2: Set question options
1. Go to the Options tab of the question that you are creating.

e. In the Field column, click the question that you want to configure.
f. Click the Options tab.
2. In the Display Control section, select the option you want.

Display
Description
Control
Grid Displays multiple fields of data from the referenced record spanning the width of
the page in a table format (Grid) or in a single-column format. The attachment
information displays as a resizable grid control that displays the name, size and file
type for each file. When you select the Grid option, users with appropriate access
can view the Download History report. This report provides a summary of the
download history of a document including the user, email address, and download
date. Users can upload files by clicking Add New.
Single Displays a single column with links to the attachment files.

Column
3. In the Options section, select the options you want to use.

Option Action
Required Designates the field as required and forces users to enter a value when adding or
Field editing a record in the application. An icon (selected in the Appearance feature)
indicates required fields to alert users that they must enter a value. If you do not
select this option, you can skip this field when adding or editing a record in the
application.
Auditing Displays auditing information next to the field each time that its value is
Information changed. The auditing information includes only the name of the user who made
the change and the date and time of the change. If this checkbox is not selected,
auditing information is not displayed with the field in the user interface.
Search Makes this field available for display in search results and references its values
Results in search filters.
Search Includes the field by default in search results for the application. This option does
Default not prevent users from removing the field from the Search Results page. Users
Field can click Modify in the toolbar and remove the field from the Fields to Display
section of the application Search Records page.
Option Action
Keyword Allows users to use this field in a keyword search to find documents attached to
Searching the field. File types supported for document searching include Microsoft Word,
Microsoft Excel, PDF, Text, and .CSV. If a user does not have access to the
field but the field is configured to allow keyword searching, the field is still
searched but not included in the search results.
Note: When an attachment field is encrypted, keyword search is not supported.
Calculated Designates the field as a calculated field determined by a formula that computes
Field a value dynamically for this field. If you select this option, the field is read-only
for all users, and the defined formula computes its value.
Validate Designates that a field is validated whenever any value changes in a record. If
Always the Validate Always option is not selected, this field validates only when the
value in that field has changed.
4. In the Configuration section, specify the minimum and maximum number of attachments and size
limitations of the attachment files
Option Description
Minimum Specifies the minimum number of attachments that you want to require for an
Attachments attachment field.
Maximum Specifies the maximum and minimum number of attachments that you want to
Attachments require for the field.
Maximum Specifies the maximum file size, up to 100 MB, that you want to allow for each
Size file uploaded to the attachment field. This setting does not restrict the total size
of all files uploaded to the field.
Users may experience a long wait time when attaching large files to a record. If
you allow users to attach multiple large files, periodically monitor the available
space and current usage of the file repository to ensure optimized system
performance.
Display Designates the fields you want to display along with your attachment file.
Fields Important: The Downloads and History fields require System Administrator
access to view.

Task 3: Add question text
1. Go to the Question tab of the question that you are creating.

e. In the Field Name column, click the question.
f. Click the Questions tab.
2. In the Question Text field, enter the text for your question.
3. From the Category list, select an appropriate category for the question. If necessary, click Edit to
modify the list of categories.
Note: A question can belong to only one category.
4. In the Format Style field, select the applicable option.

Task 4: Set question filter properties

You can create and assign any number of filters to a question. You can apply the filters that you
create for one question to any other question in the same questionnaire. However, you cannot share
filter properties between questionnaires.

e. In the Field Name column, click the field whose properties you want to define.
l To apply an existing filter to the current question, click in the Values column for that filter
in the Question Filter Properties section, and select the specific filter value that applies to
your question. To remove a filter from the question, click to the right of the filter value.
l To add a new filter, click Add New.
Important: Do not click to remove a filter from the current question. Doing so will
permanently delete the filter for all questions that use it. Instead, use to remove the filter
from the current question while preserving its application to other questions. If the Value
column for a filter is blank, that filter is not applied to the current question.
3. In the General Information section, enter a name and description for the filter.
4. In the Filter Values section, click Add New.
5. In the Value field, enter the value text and click Apply.
6. (Optional) Repeat steps 4 - 5 to add any additional values as needed.
7. Click Save on the Edit Filter Property page to return to the Manage Field page.
8. In the Question Filter Properties section, click to the right of the filter that you just created.
9. Select one or more filter values to apply to the question.
Adding Cross-Reference Questions
The cross-reference question type enables users to associate records from other applications or
questionnaires with a questionnaire record.
Task 1: Create a new cross-reference question in a questionnaire
Note: To protect data integrity, the Questionnaire feature prohibits question type changes, for
example, changing a Date question to a Text question, once a question has been created.

2. Click Add New.

l To add a new field , click Create a new Field from scratch, and click Cross-Reference from
the Question Field Type list.
cross-reference field you want to copy.
4. Click OK.
6. In the Available Reference field, select the application or questionnaire that you want to
associate with this question.


Display
Description
Control

Column

Option Action
application.
Enable Allows the field to be editable in search results and reports.

Inline Edit
Option Action
Enable Determines whether a display is editable in a grid that has inline edit enabled.
Editable
Grid
Display
Lookup Specifies whether users can access a Record Lookup page for selecting records
from the related application. Clear this checkbox if you only want to allow users
to create new records for cross-referencing. You must select this checkbox if
you want the cross-reference field to be available for selection in a MRDC field
or are creating a dynamic filter.
Add New Determines whether the Add New link is displayed in a grid for allowing users to
add new records to the related applications from a record in view mode. Users
will not have to open a record in edit mode to create new related records. If a
user does not have rights to create records in the related application, the link is
not displayed for that user.
When a user creates a new related record from view mode, that record will be
selected in the cross-reference field just as it would if it were created from edit
mode. For example, if a user opens a Vendor record in View mode and creates a
record in the related Audits application by clicking Add New in the cross-
reference field, that new Audit record will be selected in the cross-reference
field of the Vendor record, even though the user did not open the Vendor record
for editing.
Tree Determines whether the related records in a leveled application for cross-
Display referenced records are displayed in a hierarchical format for a single-column
display. The following figure shows top-level record references flush with the
left margin of the field, and record references in subsequent data levels indented.
When records with the cross-reference field are exported in CSV format, the
Tree Display option is disabled to allow the data to be re-imported into the
application. All other data export formats preserve the cross-reference tree
display for the field.
Option Action
Disable Disables the Remove button for records displayed in this field.
Remove
4. In the Record Lookup Configuration section, specify the rules for finding the related records of
the cross-reference field.
Option Action
Display If you selected the Grid or Single Column display control, you can define the fields
Fields of data from the relationship application that should display in the Record Lookup
page for end users when they select related records in the Cross-Reference field.
To select fields for display, click in the Display Fields field and select the fields
that you want to display from the Available list.
Use the below the Selected list to arrange the fields. The top-to-bottom order
of fields in the Selected list display as the left-to-right order of fields in the Record
Lookup page.
Note: If the relationship application is a leveled application, and you selected fields
from two or more levels to be displayed in the Cross-Reference field, you can only
arrange those fields on a level-by-level basis. You cannot intermix fields from
separate data levels.
Filters To limit the records users can select in the Cross-Reference question to only those
records that contain specific field values, apply filter criteria to the records.
Sorting If you selected the Grid or Single Column display control, you can define the fields
by which cross-referenced records should be sorted within the Lookup control. For
example, in an "Investigators" Cross-Reference field, you could sort the display of
referenced records alphabetically by investigator name.
Option Action
Display Select how you want the cross-referenced records displayed on the Record Lookup
Format page:
l Column Hierarchical. Displays the records in a columnar layout where fields
are displayed across the page from left to right, and the field values are presented
showing relationships.
l Column-Flat. Displays the records in a simple columnar layout without any
grouping of values.
5. In the Grid Display Properties section, select the fields displayed in the record look-up for the
cross-reference field.
Option Action
Use Record Select this option to apply the values selected in the Record Lookup
Lookup Configuration section to the corresponding View/Edit Display control group
Configuration fields.
Display If you selected the Grid or Single Column display control, you can define the
Fields fields of data from the relationship application that should display in the
Lookup control for end users when they select related records in the Cross-
Reference question.
To select fields for display, click in the Display Fields field and select the
fields that you want to display from the Available list.
Use the below the Selected list to arrange the fields. The top-to-bottom
order of fields in the Selected list display as the left-to-right order of fields in
the Lookup control.
Note: If the relationship application is a leveled application, and you selected

fields from two or more levels to be displayed in the Cross-Reference field,
you can only arrange those fields on a level-by-level basis. You cannot
intermix fields from separate data levels.
Option Action
Sorting If you selected the Grid or Single column display control, you can define the
fields by which cross-referenced records should be sorted within the Lookup
control.
For example, in an "Investigators" Cross-Reference question, you could sort
the display of referenced records alphabetically by investigator name.
Option Description
Minimum Specifies the minimum number of selections (from none to 20 selections) that a
Selections user can select in the Dropdown, Checkboxes, Listbox, or Values Popup display
control.
Maximum Specifies the maximum number of selections (from none to 20 selections) that a
control.
Default Determines the number of cross-referenced records that display in the grid and is
Records only available when the display control is set to Grid. If this option is selected,
Display only the first designated number of records are displayed. For example, when this
option is set to 10, only the first 10 records display in the grid. If the number of
records exceeds the default display number, a View All link is displayed. A user
can click this link to view all of the associated records.






Adding Date Questions
To protect data integrity, you cannot change the question type. For example, changing a Date
question to a Text question, after a question has been created.
Task 1: Create a new date question in a questionnaire

2. Click Add New.

l To add a new field, click Create a new Field from scratch, and click Date from the Question
Field Type list.
date field you want to copy.
4. Click OK.


Display Control Description
Text Box - Date Only Displays a date in a text box or dropdown list by date or by date
Text Box - Date and and time.
Time
Dropdown - Date Only
Dropdown - Date and
Time

Option Action
application.

Inline Edit
Unique Prevents users from entering an identical value in a field in separate records. If a
Field user saves a value in this field and the same value already exists in the field in a
different record, RSA Archer prompts the user to enter a unique value.
Key Field Designates the field as the key field of a record. You must designate one field in
the application as the key field, but can only designate one field as the key field.
You can select the key field values in search results, and users can click the
values to open individual records. A key field must be on the page layout of the
application.
After saving the field, you can only clear this checkbox by selecting another field
as the key field in the application. Selecting this option automatically selectsthe
Required Field, Search Results, and Search Default Field options.
limitations of the attachment files.

Option Description
Default Specifies the default date value of the date field when a user adds a new record in
Value the application. The default date is set at record creation. Record edits do not affect
this date The following options are available:
l None. Select None if you do not want to place a default value in the date field.
l Current Date. Select Current Date to display the date of record creation in the
date field.
l Future Date. Select Future Date to display a default date value that is a specific
number of days after the date of record creation. Then enter the specific number
of days in the field to the right.
l Specific Date. Select Specific Date to display a static date as the default value
for the date field, and enter the date in the field to the right or click the Calendar
icon to select the date from a calendar dialog box.





Adding Numeric Questions
To protect data integrity, you cannot change the question type changes. For example, changing a
Date question to a Text question, after a question has been created.
Task 1: Create a new numeric question in a questionnaire

2. Click Add New.

l To add a new field , click Create a new Field from scratch, and click Numeric from the
numeric field you want to copy.
4. Click OK.

2. In the Options section, select the options you want to include in search results.
Option Action
application.

Inline Edit
Option Action
Trending Enables trending on the field based on a duration period.

l Duration Type. Designates the duration for which you want to retain trending
data. The available values calculate in days as follows:
l Days = 1 day
l Months = 30 days
l Quarters = 90 days
l Years = 365 days
By default, the value of this field is No Selection, but you must select a
Duration Type when the Trending option is selected. If you click Apply
without changing the value, a warning message displays. Click OK to return
to the Options tab.
l Duration Type. Specifies the number of days, months, quarters, or years for
which RSA Archer retains trending data.
application.
Sum Field Provides a total of all values entered in the field on the Search Results page for
an application or leveled application. The sum is only shown on Column-
Hierarchical and Column-Flat report format types.
When this option is selected, the total value appears in the last row of Numeric
Field column. The summation value represents a grand total and displays on each
page.
Option Action
Numeric Allows users to filter search results in the application based on specific ranges of
Ranging values in the numeric field. When you select this option, you must define the
numeric range and its values after the numeric field is configured.
Format Formats the value using thousand separators.
Option Description
Decimal Specifies the number of decimal places required for values entered in the field
Places (maximum 6). Entering a value in the numeric field with fewer decimal places
than the required number pads the value with zeros.
For example, if you require 3 decimal places and you then enter a value of "4.1" in
the field, the value displays as "4.100" when you save the record.
On the other hand, if you enter a value in the field with more decimal places than
the required number, you must limit the number of decimal places in the value to
fit the field requirements before you can save the record.
Negative Specifies how the negative numbers display. Options include:

Display l (1234.56) font color = red; default option
l -1234.56 font color = red
l (1234.56) font color = black
l -1234.56 font color = black
Minimum Specifies the minimum values users must enter in the numeric field within a
Values defined range, for example, 1-100.
Maximum Specifies the maximum values users must enter in the numeric field within a
Prefix Specifies the text (up to 10 characters) that appears in front of the numeric value.
For example, when you enter "ABC" in this field, record displays "ABC123456."
Option Description
Suffix Specifies the text (up to 10 characters) that appears after the numeric value. For
example, entering "miles" labels the field value as a measurement of distance. For
the tracking ID, you enter "XYZ" in this field. The tracking ID value for a record
displays "123456XYZ."
Increment Specifies the value by which the number is to increase or decrease. Available
By options are .01, .1, 1, 10, 100, 1000, or No Increment.





Adding Text Questions
To protect data integrity, you cannot change the question type. For example, changing a Date
question to a Text question after a question has been created.
Task 1: Create a new text question in a questionnaire

2. Click Add New.

l To add a new field , click Create a new Field from scratch, and click Text from the Question
Field Type list.
text field you want to copy.
4. Click OK.


Display
Description
Control
Text Field Displays the field as a limited character text box or in a rich text area where
Text Area users can enter text in HTML format.

Option Action
application.

Inline Edit
Option Action
application.
Option Description
Default Specifies the default date value of the date field when a user adds a new record
Value in the application. The default date is set at record creation. Record edits do not
affect this date The following options are available:
date field.
l Future Date. Select Future Date to display a default date value that is a
specific number of days after the date of record creation. Then enter the
specific number of days in the field to the right.
for the date field, and enter the date in the field to the right or click the
Calendar icon to select the date from a calendar dialog box.
Option Description
Maximum Restricts the number of characters a user can enter in a text field.
Characters If you use rich text formatting in a text area, RSA Archer counts the HTML
formatting tags embedded in the text as characters, causing a warning message
informing you that the text entered in the field exceeds the maximum number of
characters. If this condition occurs, set the Maximum Characters field to a value
higher than the number of characters that you expect to be entered in the field.
Input Specifies the text format that a user must enter for a text area field. You can
Mask select one of the following masks:
l SSN - Format = ###-##-####. The mask will be configured so the entire SSN is
confined to one field.
l Telephone - Format = ###-###-####. The mask will be configured so the entire
phone number is confined to one field.
l Zip Code - Format = #####.
l Zip+4 - Format = #####-####.
l IP Address v4 - Format = ###.###.###.###.
l IP Address v6 Full - Format = ####.####.####.####.####.####.####.####.
l Email Address - The mask will be configured to require the At (@) sign.






Adding Values List Questions
A Value List question type enables you to create questions with predefined answers.
Task 1: Create a new values list question in a questionnaire
Note: To protect data integrity, the Questionnaire feature prohibits question type changes, for
example, changing a Date question to a Text question, once a question has been created.

2. Click Add New.

l To add a new field, click Create a new Field from scratch, and click Values List from the
values list field you want to copy.
4. Click OK.
6. In the Values List, field, do one of the following:

l If you want to create new answer values for this question, leave Field-Specific List selected.
l If you want to use answer values from a previously created list, click [...], select the values
list, and click OK.

You can define the display and functionality of a question. Because the options provided on this tab
vary significantly among the various question types, this section first explains how to access the
Options tab on the Define Fields page, and then it provides specific instructions for each field type.


Display
Description
Control
Dropdown Displays a list of items from which users can select an item.
Radio Displays a list of items from which users can select an item.
Buttons
Check Displays a list of items from which a user can select one or more items.
Boxes
Listbox Displays a selection list from which users can select one or more items.
Values Displays a selection list from which users can select one more items. For
Popup example, a users and groups list may contain hundreds or thousands of users. In
this case, a values popup list may be the best solution. For a two or three
selections, the best control might be dropdown, radio buttons, or checkboxes.

Option Action
application.
Option Action

Inline Edit

l Days = 1 day
l Months = 30 days
l Years = 365 days
to the Options tab.
Description Displays the selected value for the field as a hyperlink when users view records
Links in the application. Users can click the linked value to read a description of the
value from a pop-up window.
Option Description
control.
control.






Task 5: Link to authoritative sources

You can link a Values List question to authoritative sources with which your company must comply,
such as regulations, industry standards, common practices and state laws. If your organization
licenses the Policy Management solution, you can link directly to records within the Authoritative
Sources application. If you do not license Policy Management but have a custom application that
includes authoritative sources, you can link to records in this application.
Important: If you do not manage authoritative source data in RSA Archer, disregard the
Authoritative Source References section on the Define Fields page. You cannot use this feature.
1. Go to the Question tab of the question you are creating

2. In the Authoritative Sources section, click Manage References.
3. Create a reference to authoritative source application as follows:
a. Click Add New.
b. Select one or more applications.
c. Click OK.
4. Click the Question tab.
5. To link the question to a specific record within your designated authoritative sources application,
click Select in the Authoritative Source References section.
6. Select one or more authoritative sources that you want to link to your question.
7. Click Save.
8. Click OK.
9. To remove a selected authoritative source reference, click in the Reference column.
Task 6: Link to control standards

Linking a question to a control standard also enables you to search completed questions for instances
of non-compliance with a particular standard. If you enable findings for the questionnaire that you
are managing, the system automatically creates Findings records for questions that are answered
incorrectly, and each finding includes the associated control standard, enabling you to search and
sort findings by standard.
Important: This option is available only if your organization licenses the Policy Management
solution, which includes a Control Standards application. If you do not license Policy Management,
the Control Standards control is not displayed, and you cannot use this feature.
2. In the Control Standards section, click in the Reference column.

3. Select the control standard that you want to link to your question:
a. Scroll through the list of available control standards, or click Show Filters and enter
keywords to narrow the list.
b. After you locate the control standard that you want to link to your question, select the
checkbox for that standard. You may select multiple checkboxes.
4. Click OK.
5. To remove any selected control standard references, do the following:
a. Click and in the Record Lookup dialog box.

b. Clear the checkboxes or any record references that you want to remove.
c. Click Apply.
Task 7: Add answer values
Note: This step is only required if you created a values list question in step 1.
Important: The Answers tab enables you to create and edit custom answers that are unique to the
question you are managing. If you have selected to use a questionnaire values list rather than a
custom list for the question, you also can create and edit answers in that shared list. Any changes
that you make to a questionnaire values list impacts every question that uses the list. If you need to
add or edit answers for a question that uses a questionnaire values list but you do not want your
changes to impact other questions, RSA recommends that you delete the question and recreate it to
use a custom answer list. You can then create the appropriate answers for the question without
affecting any others.
The answers must have an active status so that it is available for selection.
1. Go to the Answers tab of the question that you are creating.
To add answer values manually, follow these steps:

a. Click Add New.
b. In the Text Value field, enter the answer text, for example, Yes.
c. In the Description field, enter a description for the answer.
d. Do one of the following:
l To configure this answer as the default selection for users, select the Default Selection
checkbox .
l To associate a numeric value with the answer, in the Numeric Value field, enter the
appropriate number in this field.
l To display the answer in a specific color, click in the Text Color field and select the
color.
Note: If you associate a color with an answer, the color is displayed in questionnaire
records in view mode. Answers are not displayed in color when users fill out a
questionnaire.
l To set the answer as the correct answer for all questions that utilize the list, select the
checkbox in the Correct field.
l To include an image to represent the answer, such as a green checkmark for the value
"Yes," click Add in the Image field, select a graphic and click OK.
Note: If you associate an image with an answer, the image is displayed in questionnaire
records in view mode in place of the value name. Answers are not displayed as an image
when users fill out a questionnaire.
l To require users to enter an explanation when they select the answer, select the
checkbox in the Other field and enter comments in the text box.
Important: You may select Other for only one answer per answer list. If you create
another answer and select the Other checkbox, the checkbox is cleared for the first
answer. If users have already provided comments for the first answer while filling out a
questionnaire, those comments will be lost.
e. In the Properties area, click Save.
To import answer values from an XML file, follow these steps:
a. Click Import.
b. Click Add New.
c. In the Open dialog box, select the .xml file that you want to import.
d. Click Open.
e. Click OK.
3. From the Sort Order list, select the applicable option for sorting the items list.

Option Description
Custom Lists the values in the specific order that you define. To adjust the order of
values, click and drag the value to the position in the list.
Ascending Lists the values in ascending alphanumeric order. For example, the values
"High," "Medium," and "Low" would be displayed in the following order: High,
Low, Medium.
Alphanumeric sort is not supported for values lists that contain values in multiple
languages.
Descending Lists the values in descending alphanumeric order. For example, the values
"High," "Medium," and "Low" would be displayed in the following order:
Medium, Low, High.
Random Lists the values in a different order each time the list is displayed. This variation
in display order minimizes the chance that end users detect patterns.

Creating Questionnaire Values Lists
Complete this task to create questionnaire values lists that you can reuse for any values list question
within the questionnaire.
For example, you could create a questionnaire values list with the answers "Yes," "No," and "I don't
know," and you could use this list for questions such as "Is sensitive cardholder data securely
disposed of when no longer needed?" and "Are all but the last four digits of the account number
masked when displaying cardholder data?" By creating questionnaire values lists that you can reuse,
you can save a significant amount of time in the creation and management of Values List questions
within your questionnaire.
Questionnaire values lists are different from global values lists in that you cannot share them
between questionnaires. The questionnaire values lists are restricted to individual questionnaires but
can be shared among questions in that questionnaire. You can export a list from one questionnaire to
another. Keep in mind that if you export a questionnaire values list to another questionnaire, the two
values lists are not connected in any way. If you make a change to one list, that change is not
reflected in the other.
Create questionnaire values lists

1. Go to the Properties tab of the questionnaire you want to modify.

b. Under the Application Builder section, select Questionnaires.
d. Click the Properties tab.
2. Click the Lists tab.

l To create a new questionnaire values list, click Add New and select whether to make an
original list or copy an existing list. To select new settings for the values list, select Create a
new Values List from scratch. To use the settings of an existing values list, select Copy an
existing Values List and select the existing values list from the list. Click OK.
l To edit the properties of an existing list, click the name of the list in the Name column.
a. In the Name field, enter the name for the list.
b. In the Description field, enter a description.
c. In the Alias field, update the alias for the list.
5. In the Values section, add or edit the values in a values list.
Adding Fields to a Questionnaire
In addition to the questions themselves, questionnaires contain several standard fields for collecting
data on the assessment. Standard fields differ from questions in that they do not include question text
or weighting, they cannot be filtered using question display rules, and they are not included in
progress calculations for questionnaire records and campaigns. However, standard fields offer more
variety for data collection than questions do, and you can control user access to fields, whereas all
questions are inherently public.
System-generated questionnaire fields

When you create a questionnaire, the system-generated fields described in the following table are
added to the questionnaire. You can configure the properties of some of these fields, while others
must remain in their original state.
The following table shows the system-generated questionnaire fields.
Name Field Type Configuration Description
% Correct Calculated Field access The percent of Values List questions that were
Numeric only answered correctly rounded to the nearest whole
number.
All Findings Calculated Field access The number of findings related to the
Numeric only questionnaire record.
Campaign Values List Field access The name of the campaign to which the
Name only questionnaire record belongs.
Comments Sub-Form Fully A sub-form that captures comments made for

configurable individual questions.
Correct Calculated Field access The number of Values List questions that were
Numeric only answered correctly.
Created By User/Groups Fully The user who created the questionnaire record.
List configurable
Created Date First Fully The date the questionnaire record was created.
Published configurable
Due Date Date Fully The date by which the questionnaire record
configurable should be completed and submitted.
Findings Cross- Fully Findings associated with the questionnaire

Reference configurable record.
Findings Values List Fully The status of findings-generation activity for the
Generation configurable questionnaire record.
Status
History Log History Log Fully A history log that tracks the following fields:
configurable Due Date, Year, Quarter, Submitter, Submission
Status, Submit Date, Reviewer Review Status,
and Review Date.

Incorrect Calculated Field access The number of Values List questions that were
Numeric only answered incorrectly.
Inherent Calculated Field access The sum of all Values List question weighted
Score Numeric only scores.
Last Updated Last Fully The date the questionnaire record was last
Updated configurable updated.
Date
Maximum Calculated Field access The maximum potential score for the
Score Numeric only questionnaire, calculated by summing the
question scores for every Values List question
displayed in the questionnaire record.
Open Calculated Field access The number of findings related to the

Findings Numeric only questionnaire record that have a status of
"Open."
Overall Calculated Fully The overall status of the questionnaire based on

Status Values List configurable the Submission Status and the Review Status
(values include In Process, Awaiting Review,
Approved, and Rejected).
Progress Calculated Field access The number of questions that have been
Text only answered and the total number of questions in
the questionnaire record, for example, "13 of
30."
Progress Calculated Field access Percent of the questionnaire record that is

Status Values List only complete rounded to the nearest 20% (values
include 0%, 20%, 40%, 60%, 80%, and 100%).
Quantitative Calculated Field access The results of the completed questionnaire in an

Summary Text only HTML table with the following information
grouped by category: correct questions, incorrect
questions, percent correct, inherent score,
residual score, and open findings.
Note: This field will only be populated if you

enable findings for the questionnaire.

Quarter Values List Fully The calendar quarter of the assessment.

configurable
Questionnaire Tracking ID Fully The unique tracking ID for the questionnaire

ID configurable record.
Questions Calculated Field access The number of Values List questions in the
Scored Numeric only questionnaire record.
Queue Status Values List Fully Tracks the success or failure of findings
configurable generation for a questionnaire.
Remediation Calculated Field access The maximum potential score for all findings that
Score Numeric only are closed, calculated by subtracting the score
for each incorrectly answered question from the
maximum possible score for each of those
questions, and then adding the resulting values
together. For example, you have a question that
was incorrectly answered, resulting in a score of
1. If the questions were answered correctly, the
score would have been 5. The difference is 4. If
you have five questions that follow this same
pattern, and the finding for each of these
questions is closed, your remediation score
would be 20.
Residual Calculated Field access The remaining inherent risk after the closure of
Score Numeric only some or all of the findings associated with the
questionnaire record.
Review Date Date Fully The date the completed questionnaire record is
configurable reviewed.
Review Values List Fully The review status of the questionnaire (values
Status configurable include Awaiting Review, Approved, and
Rejected).
Reviewer User/Groups Fully The user who is responsible for reviewing the
List configurable questionnaire record once it is submitted.

Submission Values List Field access The submission status of the questionnaire
Status only (values include In Process, Submitted, and Re-
Submitted).
Submit Date Date Fully The date the completed questionnaire record is
configurable submitted.
Submitter User/Groups Fully The user who is responsible for answering the
List configurable questions in the questionnaire record.
Target Cross- Fully The specific target of the assessment, located in

Reference configurable your target application.
Year Values List Fully The year of the assessment.

configurable
Use the following tasks to add fields to a questionnaire:

l Adding Cross-Reference Fields
Customizing the Layout of a Questionnaire

Once you add questions and fields to a questionnaire, you can arrange their layout using the Layout
tab of the Manage Questionnaires page. The options for arranging the layout of a questionnaire are
the same as arranging the layout of an application, except that you work on the Manage
Questionnaires page rather than on the Manage Applications page.

Note: For information about mobile layouts for mobile ready questionnaires, see Creating Mobile
Ready Questionnaires.
In addition, the questionnaire already includes a variety of system-generated fields arranged in

sections within the layout. These fields enable you to assign submitters and reviewers, to specify due
dates, and to identify the year and quarter for all questionnaire records in an assessment campaign.
Some of the system fields are read-only calculated fields that contain the status of a questionnaire
record, the score of the completed record and links to findings that were generated for incorrect
answers. System-generated fields are not available in a mobile-ready questionnaire.
When adding questions, try to group your questions into sections, especially if you have a large
number of questions. Sections help to visually organize a questionnaire for the benefit of the users.
All fields moved on to the mobile layout are maintained in the sections to which they belong on the
web layout.
For more information, see Layouts.
Creating Data Driven Events for a Questionnaire

By creating data driven events (DDEs) within a questionnaire, you can automate a variety of actions
based on values or dates within individual questionnaire records. Data driven events, which are
configured on the Events tab of the Manage Questionnaires page, provide two types of conditional
actions: the ability to change certain parameters of the user interface based on specific field values
and the ability to generate email notifications based on date information.
Important: When a data driven event includes a rule with a Set Date action and is used in a
questionnaire, the Review Date and Submit Date must be included in the General Information
section of the questionnaire. By default, these fields are included in this section.
System-generated questionnaire events

When you create a questionnaire, a series of data driven events are generated by the system and
added to your questionnaire. An event is made up of two parts: a rule and an action. These data
driven events help your organization automate some of the manual processes involved in submitting
and reviewing questionnaire records. Each rule is described in the following table.
Action
Rule Description
Type
Hide Findings Apply This action hides the Findings section when no findings have been
Grid Conditional associated with the questionnaire record.
Layout

Action
Rule Description
Type
Quantitative Apply This action provides the Quantitative Summary Section when all the
Summary Conditional questions displayed within the questionnaire record have been
Section Layout answered.
Display
Set Review Set Date This action sets the Review Date field within a questionnaire record
Date to the current date when the value in the Review Status field
changes to Approved or Rejected.
Set Review Set Values This action sets the Review Status field to Awaiting Review when
Status Upon List the value in the Submission Status field changes to Re-Submitted.
Re- Selections
Submission
Set Set Date This action sets the Submission Date field within a questionnaire
Submission record to the current date when the value in the Submission Status
Date field changes to Submitted or Re-Submitted.
Set Set Values These actions limit the values available for selection in the
Submission List Submission Status field to In Process and Re-Submitted when the
Status List Selection value of the Review Status field changes to Rejected.
Values Filter
Values
List Items
See Data Driven Events for more information and detailed steps for creating DDEs.
Designating Navigation Menu Items

You can select which menu items display for an questionnaire in the Navigation Menu. In addition to
configuring the display of menu items in the Navigation Menu, you can define default search settings
for searches executed in the questionnaire from the Navigation Menu. These searches include the
fields that are displayed, and the sort order of those fields.
Important: Do not use the names Version, Level ID, or Content ID for fields that you add to an
Application or Questionnaire. Using these names in Applications or Questionnaires prevents the
fields from displaying properly. To ensure that the fields display properly, use different names.

Menu item types

The following table describes menu items.
Menu
Description
Item
Default By default, the following items display in the Navigation Menu:

l Search Records
l New Record
l Records
l Data Import
l Reports
If you do not want a default item to appear in the Navigation Menu, clear the checkbox
for that item.
field Certain field types are labeled as By field name menu items and enable you to search for
name records that include that specific field value. The following field types enable quick
filtering from the Navigation Menu:
l Cross-Reference
l Matrix
l Record Status
l User/Groups List
l Values List
data For leveled applications, the menu items are labeled By data level and enable you to
level select records that reside within a specific data level.
Designate menu items for the Navigation Menu

1. Go to the Navigation Menu tab of the questionnaire that you want to update.

b. Under Application Builder, click Questionnaire.

2. In the Show Item column, do one of the following:

l To show a menu item, click the checkbox for that item.
l To hide a menu item, clear checkbox for that item.
3. (Optional) To edit additional properties of a menu item, do the following:
a. In the Menu Item column, click the item name.
b. Set any of the following options as applicable.
Option Description
Visibility Displays the item in the Navigation Menu.
Display Specifies the text that appears in the Navigation Menu for the item that you
Alias selected to display. If you selected to display the item in the Visibility field,
you must provide the Display Alias.
Default Expands the item node in the Navigation Menu by default. This field becomes
Expansion available when the Visibility field is enabled.
Fields to Specifies the fields that display in the search results when a user clicks one of
Display these items to execute a search. The fields you select are listed under Records
and By field or By data level menu items.
Use below the Selected list to arrange the fields in the display order.
Use to remove a field from the search results for a menu item.
Sorting Specifies the list order of the fields displayed in search results, which is
executed when a user clicks the menu item.
Use the Field drop-down menu to specify whether the search results are
initially sorted in ascending or descending order. You can add new fields to
sort by.
4. Click OK.
Defining Workflows for Questionnaires

By default, questionnaires include two User/Group List fields: Submitter and Reviewer. These fields
facilitate a two-stage workflow process. You can define the workflow process by doing the
following:

l Defining the users and groups available for selection in these fields.
l Promoting the users and groups fields to Record Permissions fields if you want to use them to
control access to questionnaire records.
l Adding User/Groups List or Record Permissions fields to expand the content review process
according to your risk management methodologies.
In addition, you can define a workflow or advanced workflow for a questionnaire.

workflow process.
See one of the following:

l For more information about advanced workflow and detailed steps for using them, see Advanced
Workflow.
l For more information about workflow and detailed steps for using them, see Workflow.

Configuring Display Rules for Questionnaires

Using display rules allows you to utilize a single questionnaire for all targets of one type (such as all
vendors), even if those targets vary in their individual attributes. Without display rules, you would
have to create separate questionnaires for each variation of your target type. For example, you would
have to create one questionnaire for vendors that have access to your confidential data and another
questionnaire for vendors that do not. Display rules give you the flexibility to centralize all questions
for a target type in a single questionnaire, which saves you time and enables you to use your
additional questionnaire licenses to assess other types of targets (such as assets, controls, business
processes, and so on).
Display rule types - show and hide

l Show Rules - Enable you to display specific questions within a questionnaire record based on the
attributes of your questions and of the assessment target. For example, you could create a show
rule specifying that when a target vendor provides payment handling services to your company.
The questionnaire record for that vendor should show questions related to access authorization,
encryption and intrusion detection, and all questions related to the Payment Card Industry (PCI)
Data Security Standard. When you define show rules, it is important to note that only the
questions that meet your rule criteria are displayed. All other questions are omitted from the
questionnaire.
l Hide Rules - Allow you to hide specific questions within a questionnaire record based on
attributes of your questions and of the assessment target. For example, you have created a hide
rule specifying that when a target application is used to manage internal accounting processes, the
questionnaire record should exclude questions related to encryption but display all other questions
related to applications. When you define hide rules, it is important to note that all questions in the
questionnaire except for those you select to hide are displayed in questionnaire records for targets
that meet the rule criteria. Questions that are hidden within a questionnaire record are not counted
when the score for the questionnaire is calculated, nor are they counted when the system
calculates the overall completion status of the assessment campaign.
Display rules and question filters

Display rules are based on the filter properties that you assign to a question. Each filter must have a
name and list of values, and you can create and assign any number of filters to a question. For
example, the name of your filter could be "Customer Data," and the available values could be "Yes"
and "No." When you assign the filter to a question, you will select the filter and the specific filter
value that applies to the question. For example, you would apply the "Customer Data: Yes" filter to
the following question: "Do you have a documented program in place to dispose of customer data
when you no longer need to handle it?"

Then, for example, you have defined a question display rule for a questionnaire that assesses targets
in your Vendors application. The question display rule specifies that if a vendor handles the financial
information of your customer, the questionnaire should display all questions with the following filter
properties:
l Customer Data: Yes
l Financial Data: Yes
When a vendor relationship manager in your organization fills out the questionnaire to assess a
vendor that handles the financial information of your customer, the manager is prompted to answer
all questions with these filter properties, as determined by the question display rule that you defined.
How display rules are evaluated

Question display rules are evaluated only one time for each questionnaire record. Each show rule
and hide rule is evaluated individually at the time of record creation to determine the appropriate
questions to display in the questionnaire. The system first evaluates the show rules and generates a
list of questions to show based on attributes of the assessment target. Then the system evaluates the
hide rules, generates a list of questions to hide, and removes those questions from the show list.
Finally, a questionnaire record is created that includes only those questions that are applicable to the
assessment target.
If the assessment target changes after the questionnaire record for that target has been created, the
display rules are not re-evaluated for the questionnaire. For example, if the target is an application
that is changed from Development to Production status, the questionnaire record is not updated to
include questions related to production environments. To include these questions in a questionnaire
for the application, you would need to create a new questionnaire record for the application.
Configure show and hide rules for questionnaires


b. Under Application Builder, click Questionnaire.
2. Click the Rules tab.

3. Complete one or both of the following:
l To create a show rule, in the Show Rules section, click Add New.
l To create a hide rule, in the Hide Rules section, click Add New.

4. Complete the General Information section.

5. In the Target Application Conditions section, define the conditions within the assessment target
that will cause the rule to prove true.
a. In the Field To Evaluate column, select the field to evaluate for one or more specific values.
b. In the Operator column, select the filter operator.
c. In the Value(s) column, select the values for the condition.
d. If you have created more than one condition, you can apply advanced logic to your search
criteria.
Note: To create additional conditions, click Add New.
6. Add more conditions, if needed, to the Target Application Conditions section. To add more
conditions, click Add New.
7. In the Question Display Actions section, define which questions to show or hide in the
questionnaire record when the rule evaluates to true for the target of the assessment. In the Filter
Property column, select the question property that you want to use to determine which questions
to show or hide when the rule criteria are met.
8. In the Operator column, select one of the following operators to define the relationship between
the question property and the specific filter values that cause a question to be shown or hidden
when the rule proves true:
The following table describes the operators.
Operator Description
Contains If the question is configured with the filter property and value, the question will be
shown or hidden. The question may also have other values in the same filter
property. For example, if you specify the filter "Confidentiality: High" where
"Confidentiality" is the filter property and "High" is the value, a question that
includes the filter "Confidentiality: High" and the filter "Confidentiality: Medium"
will be shown or hidden.
Does not If the question is configured with the filter property and value, the question will be
Contain shown or hidden. The question may also have other values in the same filter
property. For example, if you specify the filter "Confidentiality: High" where
"Confidentiality" is the filter property and "High" is the value, a question that
includes the filter "Confidentiality: High" and the filter "Confidentiality: Medium"
will be shown or hidden.

Equals If the question is configured with the filter property and only the value you
specify, the question is shown or hidden. For example, if you specify the filter
"Confidentiality: High" and a question includes the filters "Confidentiality: High"
and "Confidentiality: Medium," that question is not displayed or hidden because it
is not an exact match.
Does not If the question is not configured with the exact filter property and value, the
Equal question is shown or hidden. The question may have the filter property and value
you specify, but if it also has other values in the same property, it is not an exact
match. For example, if you specify the filter "Confidentiality: High" and a
question includes the filters "Confidentiality: High" and "Confidentiality:
Medium," that question is shown or hidden.
9. In the Value(s) column, select the specific filter values that should trigger a question to be shown
or hidden.
For example, if you selected the Criticality property in the Filter Property column, you could
select the value "High" in the Value(s) column. All questions created with this specific filter
value are shown or hidden, depending on the type of display rule that you are creating.
10. Add more conditions, if needed, to the Question Display Actions section.
Enabling Automatic Generation of Findings for Questionnaires

Important: The Control Standards application must be licensed for findings to be generated for core
questionnaires.
You can configure a questionnaire to automatically generate findings when a user answers one or
more questions incorrectly while filling out the questionnaire. By default, findings are created for a
questionnaire record when the value in the Submission Status field is changed to Submitted. You can
change this default condition, or you can create additional conditions that will trigger findings
creation. For example, you can generate findings when a questionnaire record is submitted and when
it is approved. If multiple conditions are defined, all of them must be met in order to trigger findings
creation.
Note: A finding is created only once for each incorrectly answered question. So if a finding is
created for a question when the questionnaire is submitted, and that same question is still incorrectly
answered when the questionnaire record is marked Approved, the system does not create another
finding for that question.

As an optional step, you can create static or dynamic content that is displayed in the Description
field in all findings generated for the questionnaire.
Each finding generated by the system is prepopulated with the following:
l Question that was incorrectly answered.
l Incorrect answer the user selected.
l Specific target of the assessment.
l Questionnaire record in which the question was incorrectly answered.
l Authoritative source related to the question that was incorrectly answered (if applicable).
l Control standard related to the question that was incorrectly answered (if applicable).
The prepopulation of Findings records enables you to report on areas of non-compliance by target,
questionnaire, question, authoritative source, and control standard. As you remediate findings, you
also can monitor areas of improvement in your compliance posture.
Note: You can add the Findings application to the same solution as your questionnaire to access the
Findings application from the Navigation Menu for the purposes of searching and managing records.
Enable automatic generation of findings for a questionnaire


2. Click the Findings tab.

3. In the Generation section, select Enable automatic generation of findings based upon answers
within the questionnaire.
Note: If you do not enable findings for a questionnaire, the Quantitative Summary section within
individual questionnaire records are not included in the Findings column.
4. Complete the Findings Generation Condition section.
Note: If you have created more than one condition, you can apply advanced logic to your search
criteria.
5. In the Findings Generation section, enter the default text to be displayed in the Description field
of Findings records.

By default, the Description field within individual Findings records is populated with information
about the question that was answered incorrectly. You can modify the default text using any of
the following dynamic elements:
l [Question Name]. This element is the question label, not the question text. For example, the
question name might be "Encryption 1" for the following question text: "Is strong encryption
used for restricted information?"
l [Question]. This element is the question text, such as "Is sensitive cardholder data securely
disposed of when no longer needed?"
l [Answer]. This element is the incorrect answer the user provided, such as "No, we do not
dispose of cardholder data."
l [Weighted Score]. This element is the weighted score for the question, which the system
generates by multiplying the question weight and the numeric value associated with the
incorrect answer.
For example: The question "[Question]" was answered incorrectly:Question: [Question
Name]Answer: [Answer] Question Risk Score: [Weighted Score]

If you are working with a questionnaire that contains multiple calculated fields and the formula for
one calculated field is dependent on the result of another calculated field, you must specify the order
in which you want to compute the calculated fields.
Note: When you add a new calculated field to a questionnaire, it displays at the bottom of the list in
the Field Calculation Order listing.

1. Go to the Calculations tab of the questionnaire that you want to update.


order you want.
4. Click Save.
Setting Behaviors of a Questionnaire

The behaviors of a questionnaire include:
l Whether task management for workflow is enabled.
l Whether users receive notifications when content is updated.
l Whether spell check is run automatically when a record is saved.
l Whether users with update rights can edit a record directly from the key field link of search
results.
l Whether the default language is that of the user locale and not of the instance.
Enable direct to edit mode

The direct to edit mode allows users to open a record for editing from any supported area. Users
with update rights can open an editable record instead of a view-only record when they click the key
field link for a record in any of the following areas:
l Search Results list
l Cross references
l Related records
l Record links in notifications
l iViews (without having to display the report first)
l Tasks & activities on the Task Driven Landing Screen
l System reports that allow record drill-in
1. Go to the General tab of the questionnaire that you want to update.

2. In the Options section, select the Direct to Edit checkbox.



Enable or disable notifications

When notifications are enabled, end users are allowed to receive notifications when content in the
questionnaire is published or updated.


l To enable notifications, select the Notifications checkbox.
l To disable notifications, clear the Notifications checkbox.
Enable or disable task management

If you are using Workflow or Advanced Workflow, you must enable task management. By enabling
a questionnaire with task management capabilities, users can easily track and manage open and
completed activities associated with specific content records.
When you enable task management capabilities for a questionnaire, a related records field is placed
on the questionnaire layout.
Components of the related records field include:
l Open Tasks/Activities. Lists all of the open Task Management records associated with the
content record.
l Activity History. Lists all of the closed Task Management records associated with the content
record.



l To enable task management, select the Task Management checkbox. If you want to rename
the default settings for the related record fields, do the following
a. In the Task Field Name field, enter the name of the task, for example,
Open Tasks/Activities.
b. In the History Grid Label field, enter the name of the task, for example, Closed Tasks.
l To disable task management, clear the Task Management checkbox.
Note: If you disable task management, Task Management records are no longer viewable in
records of the associated questionnaire. However, all Task Management records still are
stored in the Task Management application. If task management is subsequently reactivated,
all existing Task Management records are displayed with their associated content records.

Enable spell check

Use this option to automatically spell check a record each time it is saved in a questionnaire.

2. In the Options section, select the Spell Check checkbox.


Select a default format for search results

You can select a default format for search results generated from the Records link in the Navigation
Menu, and from the Search Records page.

2. In the Options section, in the Search Results field, select one of the following formats.
Options Description
Column - Displays the search results in a columnar layout where fields are displayed
Hierarchical across the page from left to right, and the values in the search results fields are
presented showing relationships.
Column - Displays the search results in a simple columnar layout without any grouping of
Flat values.
Row Displays the search results in a row layout with fields stacked vertically and
records separated by horizontal lines.
Summary Displays the search results in a simple block record format with the key field as
the heading for each record. Fields in the search display as values only in a
single paragraph with each value separated by a diamond symbol.

Change the default language

2. In the Options section, in the Language field, click Change.

3. From the Language list, select a default language for the questionnaire.
4. Click OK.
Optimize calculations
Note: If an administrator disables the option in the RSA Archer Control Panel, field-level
calculation optimization is not available.

2. In the Options section, in the Enable Optimize Calculations field, select Optimize related
calculations after bulk actions complete.
Assigning Questionnaire Owners and Report Administrators

Questionnaire owners have unrestricted access to all record content in their questionnaires, including
sub-form content. If you are an owner for one or more questionnaires, you can open those
questionnaires for editing from the Manage Questionnaire page. When you access this page, you see
all of the questionnaires that administrators in your organization have created, but you can only edit
those questionnaires for which you have ownership rights. If no users have been assigned ownership,
only users who have been granted the System Administrator access role can open the questionnaires
for editing.
Questionnaire owners
You can select the users who will serve as owners of an questionnaire.
Note: If you want to edit notifications associated with an application, an administrator must assign
you an access role that gives you access to the Manage Subscription Notifications page.

l Owners have full editing rights over their designated questionnaires, which means they can fully
customize its properties. This includes adding and arranging fields in the questionnaire, enabling
notifications, configuring data driven events, and others.
l Ownership is automatically granted to the user who creates it. However, your rights can be
revoked by any other user who is subsequently granted ownership of the questionnaire.
As an questionnaire owner, you can:

l Create new records in the questionnaire and its sub-forms.
l View all records and field content in the questionnaire and its sub-forms, regardless of record-
level or field-level permissions.
l Update all records in the questionnaire and its sub-forms.
l Delete any existing records in the questionnaire and its sub-forms.
l Create global reports for the questionnaire as report administrators.
Report administrators
You can assign permissions to users and groups for creating and editing global reports in a specific
questionnaire.
l Global reports can be shared with any user in the questionnaire, but only users with access to the
questionnaire for which the report was created can see the contents of the report.
l Users who do not have global report creation rights can only create personal reports, which
cannot be shared with other users.
Assign questionnaire owners and report administrators
1. Go to the Administration tab of the questionnaire that you want to update.

2. In the Questionnaire Owners control group, click and do the following:

a. From the Available list, select the users or groups you want to specify as the questionnaire
owners.

3. In the Report Administrators control group, click and do the following:

a. From the Available list, select the users or groups you want to specify as the questionnaire
owners.
4. Click OK.
Revoke ownership or report administrators
1. Go to the Administration tab of the questionnaire that you want to update.

l To revoke ownership, click in the Questionnaire Owners field and click to the right of
the appropriate name in the Selected list.
l To revoke report administrators, click in the Report Administrators field and click to
the right of the appropriate name in the Selected list.
3. Click OK.

Creating Campaigns to Launch Questionnaires

Assessment campaign enables you to automatically generate questionnaire records for specific
assessment targets. For example, if the target of the questionnaire is a Devices application, the
campaign can auto-create questionnaire records for all devices in a production environment.
Campaigns may be configured to populate questionnaire records with the year, quarter, and due date
of the assessment, along with the assigned submitter and reviewer. Recurring campaigns can be
launched, and multiple campaigns may be created for each questionnaire.
You can create any number of campaigns for a questionnaire, enabling you to reuse the
questionnaire many times. You can configure the campaign to populate questionnaire records with
certain values, for example, year, quarter, due date, submitter, and reviewer. In addition, you can
create rules that determine which specific records in the target application require the creation of a
questionnaire record. For example, you can define a rule that generates questionnaire records only
for vendors with an active status. If you do not define any target generation rules, the campaign
creates questionnaire records for every record in the target application.
You can create campaigns that are generated automatically or manually.
l Automatic campaigns can be recurring or scheduled. A recurring campaign creates a campaign
that is evaluated when the specified target record is saved. A scheduled campaign creates a
campaign that is executed on a schedule.
l Manual campaigns are initiated by a user, which triggers the creation of questionnaire records.
Prior to launching a campaign, you can make any necessary changes to the campaign, including
adding or editing target generation rules. After a manual campaign is launched, you cannot make
further changes. If you need to modify a manual campaign after it is launched, you must create a
new campaign.
Create a campaign to launch a questionnaire

a. From the menu bar, click Administration.
b. Under Application Builder, click Manage Questionnaires.
2. Click the Campaigns tab.

l To create an automated campaign, click Add New in the Automated Campaigns section. In
the Type list on the Manage Questionnaire Campaign page, select one of the following
options.


Option Description
Recurring Creates a campaign that is evaluated when the specified target record
Campaign is saved.
Scheduled Creates a campaign that is executed on a scheduled basis.

Campaign
l To create a manual campaign that must be launched by the user, click Add New in the
Manual Campaigns section.
5. In the Optional Campaign Attributes section, select default values.
Note: The target application must contain a User/Groups List or Record Permissions field to
assign the submitter and reviewer for each questionnaire record triggered by the campaign.
When the campaign triggers the creation of a questionnaire record for a specific asset, such as a
database server, the owner of that asset automatically is assigned as the submitter for the
6. Create a target generation rule to filter the list of specific targets that need to be assessed. In the
Target Generation Conditions section, do the following:
a. In the Field To Evaluate column, select the field to evaluate for one or more specific values.
To create additional conditions, click Add New.
b. In the Operator column, select the filter operator.
c. In the Value(s) column, select the values for the condition.
d. (Optional) If you have created more than one condition, you can apply advanced logic to your
search criteria.
7. (Optional) If you are creating a Scheduled campaign, in the Schedule Properties section, select
values from the Frequency, Time, and Time Zone lists.
Note: After a campaign has run, you can view the Campaign Execution History report by
clicking the Report icon for that campaign.

Attaching Documentation to Questionnaires

Complete this task to attach supporting documentation to a questionnaire, such as design
specifications, approval forms, or other documentation.
If you are using the Relationship Visualization feature and have created the visualization xml file,
attach this file to the application or questionnaire. For more information on the Relationship
Visualization feature, see the Configuring Relationship Visualization topic in the RSA Archer
Attach documentation to a questionnaire

1. Go to the General tab of the questionnaire to which you want to attach a file.

c. Click the questionnaire.

3. Select the document file or files that you want to add to the questionnaire.
4. Click OK.
5. Click Save.
Creating Mobile Ready Questionnaires

The Mobile Ready functionality is available only if RSA Archer is licensed for Mobile
Questionnaires. To make a questionnaire mobile ready, you must define both a web layout and a
mobile layout. The mobile ready functionality can be applied only to questionnaires with an assigned
Target and a defined Submitter.
The following conditions apply to mobile ready questionnaires:
l Assessments are validated after users upload them from the mobile app to the RSA Archer
Platform.
l Calculated and data-driven event fields are not supported on mobile devices.
l Findings are generated if automatic finding generation is enabled, and if all required questions in
the questionnaire have been answered.
l Users can synchronize specific data in the mobile questionnaire to the RSA Archer Platform.

Supported and unsupported fields

The following field types are supported for updating or read-only use on a mobile device, and for
placement on the mobile layout.
Fields Supported for Updating Fields Supported for Read-Only Access
Comments First Published Date

Date Last Updated Data
External Links Record Permissions
Image (attach a photo from the mobile device) Record Status
IP Address Tracking ID
Numeric
Text
Values List
The following fields and field types are unsupported on the mobile device or for placement on the
mobile layout. Custom Objects and Placeholders layout elements are ignored on the mobile device.
Unsupported System
Unsupported Field Types
Fields
Access History Attachments (Exception: Photos can be uploaded from the mobile
Calculated Fields device to RSA Archer)
History Log CAST (ScoreCard)
Record Status Discussion Forum

Matrix
MRDC
Record Permission Fields
Scheduler
Sub-form (except comment)
Users/Groups
Voting
Task 1: Make a questionnaire mobile ready
1. Go to the Layout tab of the questionnaire you want to modify.


d. Click the General tab.
2. In the Options section, select the Mobile Ready checkbox.
Task 2: Configure the mobile layout
Note: Only data defined in the mobile layout of the questionnaire will be downloaded to the mobile
device.
1. Go to the Layout tab of the questionnaire you want to modify.

d. Click the Layout tab.
2. In the Layout list, select Mobile.

3. Add or remove the fields and sections from the Available panel to the Selected panel using the
following actions.
The following table describes the actions.
Action Task
Add individual fields Click the field in the Available Fields panel that you want to
move to the mobile layout.
Add entire sections Click on the Section title in the Available panel that you want
to move to the mobile layout.
Add all fields and sections Click on the Available Fields title bar and click Add All to
Selected Fields.
View unsupported field Click on the Available Fields title bar and click Show
types Unsupported Field Types.
Hide unsupported field Click on the Available Fields title bar and click Hide
types Unsupported Field Types.

Action Task
Remove individual field Click the field in the Selected Fields panel that you want remove
to the mobile layout.
Remove entire sections Click on the Section title in the Selected Fields panel that you
want to remove to the mobile layout.
Remove all unrequired Click on the Selected Fields title bar and click Remove All
fields and sections From Selected Fields.
The following table describes the icons that might be displayed in the field bar of a field.
Required fields are denoted with an asterisk (*).
Icon Name Description
Key field Denotes the field is a key field.
Private field Denotes the field is a private field.
Calculated field Denotes the field is a calculated field.
Grid (Table field Denotes the field is a table field type.

type)
Unsupported field Denotes the field is an unsupported field type for mobile
types devices.
The Unsupported Field Types icon is applicable to mobile
layout only.

Task 3: Set synchronization criteria

The criteria you set for synchronizing assessments of mobile-ready questionnaires determines which
assessments are downloaded from the RSA Archer Platform to a mobile device. The Mobile Sync
Condition Options determine the filtering criteria for synchronizing assessments. Assessments are
downloaded to the mobile device after the mobile sync conditions have been set.
Note the following important items:

l Only fields on the mobile layout will be downloaded to the mobile device in the questionnaire.
Nested cross-reference fields and Description fields are not downloaded.
l You can set the criteria only when questionnaires are licensed for mobile availability, and after
you select a questionnaire to be mobile ready and define Target and Submitter (user).
1. Go to the General tab of the questionnaire you want to modify.

2. In Options, verify that the questionnaire is mobile ready.

3. Click the Properties tab.
4. Click the Mobile tab.
5. In Field To Evaluate, select the field to evaluate.
6. In Operator, select the value for the condition.
7. In Value(s), select the field value that must meet the condition.
l Repeat steps 4 – 7 for all condition statements that you want to add. After adding the second
condition, click Add New to add a blank row, and then repeat steps 4 – 7.
l Go to step 9.
l In Advanced Operator Logic, enter the evaluation statement, for example ((1 OR 2) AND (3
OR 4)) AND NOT 5.
Note: Operator logic statements are evaluated left to right with parenthetical groupings
evaluated first. Advanced operator logic helps to eliminate extraneous data that may be
downloaded to the mobile devices.
l Go to step 10.

Changing the Questionnaire Status

The questionnaire status provides the means for creating a questionnaire for test purposes, archiving
a questionnaire so that data can no longer be entered, hiding a questionnaire when it is no longer
used, and for using a questionnaire to collect active data for your business.

2. In the Status field, select the status you want to use for the questionnaire.
Status
Description
Option
Production Production questionnaires can be launched to end users through assessment

campaigns. Users can execute searches in these questionnaires and save those
searches as reports. In other words, production questionnaires are available for
use.
Development A development questionnaire has all of the characteristics of a production

questionnaire, except that it is displayed to end users with a watermark.
Archived When you archive a questionnaire, end users can continue to search and view
questionnaire content, but that content is read-only. You cannot launch archived
questionnaires to end users through assessment campaigns. The Edit and Data
Import options are disabled for archived questionnaires, and calculated fields
and record permissions are not recalculated.

Status
Description
Option
Retired Retired questionnaires are not available to end users. You cannot launch retired
questionnaires through assessment campaigns, nor can end users view existing
questionnaire content. If you retire a questionnaire that is displayed in a
Questionnaire Reference field within a target record (such as an Asset or
Vendor record), the questionnaire is removed. Although retired questionnaires
are hidden from end users, administrators can continue to modify retired
questionnaires from the Manage Questionnaires page.
Data feeds and questionnaires associated with the retired questionnaire
continue to use system resources. Prior to retiring a questionnaire,
RSA recommends the following:
l Deactivate all data feeds that target retired questionnaire
l Deactivate all campaigns within the questionnaire
Note: If the questionnaire is mobile ready and the status is changed to Archived or Retired, the
questionnaire is no longer available on the mobile device. The mobile layout will remain in tact
just as the web layout does so that if the questionnaire is reactivated, the mobile layout is
available. The questionnaire is validated upon save when the status is changed to ensure that
certain conditions do not affect the mobile readiness. The validation checks for required fields
that are off layout and required fields that are unsupported field types. If either of these
conditions exist, the questionnaire will no longer be mobile ready.

Importing Data into a Questionnaire

You can use the Data Import feature to import data into a questionnaire from an external data file.
This is a great way to prepopulate questionnaire records with data from a previous assessment
campaign, enabling end users to simply update their previous answers rather than filling out a new
The data import process for a questionnaire is exactly the same as the process for applications.
Because questionnaire records must be linked to a target application, a reference to the target
application content record must be included in the external data file when creating new questionnaire
records.

Modifying a Questionnaire During the Assessment Cycle

RSA recommends that you configure a questionnaire completely before releasing it to users.
However, you may need to make minor changes during an assessment cycle. Depending on the
change, there can be an impact on content records created prior to the change.
Note: You can review changes made to the configuration of a question by viewing the History Log.
Changes to the following properties of a questionnaire impact content records cre-

ated prior to the change:
l Question text l References to authoritative sources and control
l Answer text standards
l Question name l Data driven events
l Question field l The default selection option for an answer

options l The correct option for an answer
l Question l The numeric value of an answer
weighting l The text color and image of an answer
l Category
l Standard fields
The following changes do not impact content records created

prior to the change:
l Adding a new question l Creating a new
l Changing question filter campaign
properties l Inactivating an answer
l Changing the findings options
Modify a questionnaire during the assessment cycle

1. Go to the questionnaire you want to modify.

c. Select the questionnaire you want to modify.
2. Add a filter property for the Retired question and select the property as True.

3. Add a rule to hide questions with the Retired filter property.
Note: Because hide rules take precedence over show rules, the question is hidden regardless of
any other question filter properties or question display rules.
4. Add a new question to the questionnaire with the new changes.

Deleting Questionnaires and Content

If you have delete permissions to the Manage Questionnaires page, you can delete questionnaires for
which you have ownership rights.
You can delete a question from a questionnaire. Once deleted, that question is removed from all
questionnaire records created prior to the deletion. It removes the question from the layout, deletes
any answers previously provided, and modifies the question count and scoring appropriately. It does
not modify any existing findings related to the deleted question.
Important: RSA recommends deleting a question only when you need to remove it from previous
and future questionnaire content records. To keep the questionnaire content records created prior to
the deletion, deactivate the existing answer values and leave only the N/A option available, selected
by default with a value of zero. You cannot deactivate a question, only the answers.
CAUTION: RSA Archer does not recommend moving a question off the questionnaire layout. This
does not change the question count or scoring records. Once it is removed from the layout, users
cannot complete the questionnaire and save the questionnaire content record.
Delete content from a questionnaire

You can quickly delete all records from a questionnaire. This feature is useful if you have created a
large number of records to test the functionality and performance of a new questionnaire.
Prior to deleting the content of a questionnaire, you must retire the questionnaire (see step 3 in the
following procedure). The content delete feature is available only for retired questionnaires.
Important: Use extreme caution when deleting content from a questionnaire. Once the content is
deleted, it cannot be recovered. RSA highly recommends that you create a backup of your data
before deleting questionnaire content. Do not import data into a questionnaire until the content delete
process is complete. If the questionnaire contains a large number of records, this process could take
several minutes. To determine whether all content has been deleted from the questionnaire,
reactivate the questionnaire and run a search to display all records. When your search returns zero
records, you can initiate a data import.

1. Back up questionnaire data.

2. Go to the General tab of the questionnaire you want to modify.

b. Under the Application Builder section, click Questionnaires.
3. In the Status field, select Retired.

4. Click Apply.
5. Click the Administration tab.
6. In the Delete Questionnaire Content section, click Delete Content.
Note: If this button is unavailable, the questionnaire is not retired. See step 3.
7. In the Warning dialog box, select "I understand the implications of performing this operation."
8. Click OK.
The delete process may take several minutes to complete.
Note: You cannot import data into the questionnaire until the content delete process has finished.
Delete a questionnaire
1. Go to the Manage Questionnaires page.

2. Select the row of the questionnaire that you want to delete.

Chapter 4: Solutions
You can add solutions to group related applications or questionnaires that work together to address a
particular business need. For example, you can create a Customer Relationship Management
solution that houses the following applications: Accounts, Contacts, Opportunities, and Projects. By
grouping these applications into a solution, you access these applications from the Workspace menu,
search these applications as a single entity from the Search feature, access reports for the
applications using a Solution filter on the Master Reports Listing, and more.
An application can be grouped into multiple solutions. For example, a Contacts application can be
associated with Vendor Management, Customer Relationship Management, and Service Request
solutions. By grouping an application with multiple solutions, you can reuse the same information for
a variety of purposes.
Adding Solutions
Adding a solution is the process of selecting applications and questionnaires and attaching
documentation, for example, design specifications, sign-off forms, and others. When you create a
solution, a workspace is also automatically created to support the solution. A system-specific iView
for the new workspace is displayed by default.
1. Go to the Manage Solutions page.

b. Under Application Builder, click Solutions.
2. Click Add New, and do one of the following:

l To create a new solutions, click Create a new Solution from scratch.
l To create a solution from an existing solution, do the following:
a. Click Copy an existing Solution to be modified.
b. Select the solution you want to copy.
3. Click OK.
4. In the General Information section, enter the name, alias, and description.
5. In the Applications section, click Add New.
6. Do one or more of the following:
l To assign one or more applications, select the applications you want.
l To assign one or more questionnaires, click Continue, and select the questionnaires you want.
7. Click OK.

8. In the Applications section, select Menu Display or Global Search to specify whether the
application or questionnaire is displayed in the navigation menu, as a global search link, or both.
9. (Optional) In the Documentation section, do the following.
a. Click Add New.
b. On the File Upload dialog box, click Add New.
c. Select the file to upload and click Open.
d. Click OK.
Updating a Solution
Updating a solution allows the process of selecting or deleting additional applications and
questionnaires, and attaching documentation, for example, design specifications, sign-off forms, and
others.
1. Go to the solution you want to update.

c. Select the solution.
2. In the General Information section, edit the name, alias, and description.
3. To update an application or questionnaire, click Add New in the Applications section.
l To add or remove one or more applications, select or deselect the applications you want.
l To add or remove one or more questionnaires, click Continue, and select or deselect the
questionnaires you want.
5. Click OK.
6. In the Applications section, select Menu Display or Global Search to specify whether the
application or questionnaire is displayed in the navigation menu, as a global search link, or both.

7. In the Documentation section, do one or both of the following.

l Add a new document.
a. Click Add New.
b. On the File Upload dialog box, click Add New.
c. Select the file to upload, and click Open.
d. Click OK.
l Remove a document.
a. Click the button next to the document.

b. Click OK.

Chapter 5: Fields
RSA Archer provides a wide variety of field types that allow you to collect and shape information
according to your business needs. A field collects data that is displayed as an interface control for
your users as they create and update records in an application, questionnaire, solution, and sub-form.
Each field has a configurable set of properties that govern how the field displays in the application
and how (or whether) the user interacts with it.
You can add, edit, configure and arrange data collection fields in applications, questionnaires,
solutions, and sub-forms. RSA Archer includes Basic, Advanced, and System field types. Each have
a unique function and are available based on the type application to which it is associated.
To protect data integrity, you cannot change a field to another field type (for example, changing a
Date field to a Text field). Every application must have a key field.
Available field types

Data collection field types are divided into three categories: basic, advanced, and system. Field
types may or may not be available depending on the type of application into which you are adding
fields.
Basic field types

The following table lists basic field types.
l Attachment l Numeric
l External Links l Text
l Date l User/Groups List
l Image l Values List
l IP Address l Voting
Advanced field types

The following table lists advanced field types.
l Cross-Application Status Tracking l Multiple Reference Display Control
(CAST) l Questionnaire Reference
l Cross-Reference (and the l Record Permissions
associated Related Records field)
l Scheduler
l Discussion
l Sub-Form
l Matrix

System field types

System fields do not allow data input from users. They are automatically populated by the system
when a record is saved.
The following table lists system field types.
l Access History l Last Updated Date Field
l First Published Date l Record Status Field
l History Log l Tracking ID
Field types for mobile questionnaires

See Creating Mobile Ready Questionnaires.
Behavior and validation options by field type

When you add a field, each field type has behavior and validation options that control the way users
interact with the field. Some options required additional configuration. For example, a numeric field
can have defined numeric ranges, advanced display options, and a formula for calculating it based on
defined conditions.
Field description guidelines

After you have entered a description of the field on the General tab, saving the field definition strips
the HTML tags <?xm>l, <form>, <textarea>, <option>, <select>, <meta>, and <body> that you may
have inserted while defining the field because they may constitute vulnerabilities in the system. The
following example shows how you can correct the cascading style sheet (CSS) syntax for the
<body> tag so that it will function correctly:

<html>
<head>
<style type="text/css">.c0 { font-family: 'Arial' } .c1 { margin: 0px; background-color: #ffe4e1 }
</style>
</head>
<body class="c0">
<p class="c1">This is a text field.</p>
</body>
</html>
Field name guidelines

l Limit field names to one or two words wherever possible. For example, Description is preferable
to Description of the Asset.
l To ensure readability, limit field name lengths to 20 characters wherever possible.
l Capitalize the first letter of each word in the field name. For example, Predicted Impact is
preferable to Predicted impact.
l Avoid redundant wording in field names. For example, using the word Asset is unnecessary in the
following series of fields: Asset Name, Asset Type and Asset Value.
l Use noun-based field names whenever possible. Avoid verb-based field names, for example, Set
Asset Name
l Do not use the names: Version, Level ID, or Content ID for fields that you add to an Application
or Questionnaire. Using these names in Applications or Questionnaires prevents the fields from
displaying properly. To ensure that the fields display properly, use different names.
Operators by field type

The following table describes the operators you can use for
filtering rule conditions in a field type.
Field Type Operator
Cross-Reference and Related Records Contains

Matrix Does Not Contain
Record Permissions Equals
Text Does Not Equal
User/Groups List Changed
Values List Changed To
Changed From

Field Type Operator
Date Equals
First Published Date Does Not Equal
Last Updated Date Current
Last
Next
Greater Than
Less Than
Between
After Today
Prior To Today
Changed
Changed To
Changed From
IP Address Equals
Record Status Does Not Equal
Changed
Changed To
Changed From
Numeric Equals
Does Not Equal
Greater Than
Less Than
Between
Changed
Changed To
Changed From

Field Type Operator
Numeric Ranging Contains

Does Not Contain
Equals
Does Not Equal
Greater Than
Less Than
Between
Changed
Changed To
Changed From
Sub-form Changed
All fields have common and unique properties. The unique properties are managed through the
Options and Configurations tabs and vary based on the field type. Options determine the validation
rules and Configurations determine the valid input parameters for the field. You can also create
field-level help to assist users while working in an application and assign access privileges.
Dynamic Attributes
Dynamic field attributes determine what users are allowed to do when adding or editing records and
the behavior of the field under certain conditions. These attributes are defined in the Options tab of
the field type.
The following table describes dynamic field attributes.
Attribute Description Field Type
Calculated Designates the field as a calculated field determined by a formula that Date
Field computes a value dynamically for this field. If you select this option, Numeric
the field is read-only for all users, and its value is computed by a Text
defined formula. Values List

Enable Allows users to edit the field while in search results, the Record Cross-
Inline Edit Browser, and reports. When this option is selected, User/Groups list Reference
and Record Permissions fields, which normally display as a link to the Date/Time*
profile page when populated, do not display as links. Also, the ability Numeric
to re-order columns on the Search Results page by dragging and Record
dropping them with the mouse is not supported. Permissions
Text
Important: For the Record Browser, Inline Edit is not supported in User/Groups
leveled applications and Date/Time field. List
Values List
Note: Inline Edit is not supported in fields that are a part of Data-
Driven Event rules.
*Not
Some View/Edit specific functionality not supported with Inline Edit is
supported in
as follows:
the Record
l Automatic spell-checks are not performed when saving records Browser
through Inline Edit.
l Data Driven Events are not supported when updating records
through Inline Edit. If a field that is used in an active Data Driven
Event rule is modified through Inline Edit, the save attempt for the
record will not be successful.
l The Workflow buttons (Accept, Reject, etc.) are not available
through Inline Edit.
l Advanced Workflow transitions are not available through Inline
Edit.
l The Record Conflict functionality available when saving a record in
View/Edit is not available through Inline Edit. If a record conflict
exists for a record updated through Inline Edit, the save attempt for
the record will not be successful.
l The Pending Calculations Warning message is not displayed on the
Search Results page.

Key Field Designates the field as the key field of a record. All applications must Date
contain a key field, and multi-level applications must contain a key Numeric
field at each data level. The key field setting is exclusive; only one Text
field in each single-level application or in each level of a multi-level Tracking ID
application can serve as the key field.
The Key Field icon indicates that the field is the key field in an
application, questionnaire or sub-form. The key field is displayed in
search results as a hyperlink within each record. By clicking the
hyperlink, users can click the key field to view the details of a record.
By default, the Tracking ID field is set as the key field. You can
select this setting as one of the other eligible field types.
Required Designates the field as required and forces users to enter a value when Attachment
Field adding or editing a record. Required fields are indicated with an icon Cross-
to alert users that they must enter a value. Reference
Date
External
Link
Image
IP Address
Matrix
MRDC
Numeric
Record
Permissions
Sub-Form
Text
User/Groups
List
Values List
Unique Prevents users from entering an identical value in a field in separate Date
Field records. If a user saves a value in this field and the same value has IP Address
already been saved in the field in a different record, the user is Numeric
prompted to enter a unique value. Text

Validate Designates that a calculated field is recalculated whenever any value Attachment
Always is changed in a record. If the Validate Always option is not selected, Date
this field is validated only when the value in that field has changed. External
Link
Image
IP Address
Matrix
Numeric
Record
Permissions
Sub-Form
Text
User/Groups
List
Values List
Voting
Creating Fields by Field Types

l Adding Access History Fields
l Adding Attachment Fields
l Adding Cross-Application Status Tracking Fields
l Adding Discussion Fields
l Adding External Links Fields
l Adding Image Fields
l Adding IP Address Fields
l Adding Matrix Fields
l Adding Multiple Reference Display Control Fields


l Adding Questionnaire Reference Fields
l Adding Record Status Fields
l Adding Record Permissions Fields
l Adding Scheduler Fields
l Adding Voting Fields
Adding Access History Fields

The Access History field type enables users to access a record-specific view history for the record.
By clicking the View Access History link in a record in view or edit mode, you can track:
l Record level: Who accessed the record and when.
l Application level: Who accessed which content records and when.
The access history field type and the Record Views – Detail reports help you understand how users
are interacting with content within Archer. By using the access history field in appropriate records,
you have visibility into individual user content activities to ensure that the sensitive information you
handle in your RSA Archer environment is secure and managed properly. The Record Views –
Detail report supports internal audit requirements and provides easy access to reporting related to
end user access history.
You can add an access history field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add an access
history field.

b. Under Application Builder, click Applications or Questionnaires.
c. Select the application or questionnaire.
2. Click Add New.

3. In the Creation Methods section, do one of the following:

l To add a new field, click Create a new Field from scratch and click Access History from the
System Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the access
history field you want to copy.
4. Click OK.
5. In the General Information section on the General tab, enter the name and description of the
field.
6. Click the Options tab and select the options for including the field in search results.
Option Action
Search Makes this field available for display in search results and references its values in
Results search filters.
Search Includes the field by default in search results for the application. This option does not
Default prevent users from removing the field from the Search Results page. Users can click
Field Modify in the toolbar and remove the field from the Fields to Display section of the
application Search Records page.

Adding Attachment Fields

The Attachment field type allows users to upload one or more files and attach them to a record. The
attachment field accepts any type of file as long as its size does not exceed the limitations set for the
field. An attachment field can be added to an application or questionnaire. Attachment fields can be
encrypted.

When configuring an attachment field, you can specify the total number of files that can be uploaded
(attached) to the field, as well as the file size (between 1 and 100 MB) permitted for each file. You
can also enable end users to keyword search into unencrypted attached documents. Encrypted
attachment fields do not support keyword search. The following file types are supported for
document searching:
l Microsoft Word
l Microsoft Excel
l PDF
l Text
l CSV
File size limitations for attachment files

When determining the maximum file size of an attachment or image field, also consider the
restriction limits set in the web.config file and Microsoft Internet Information Services (IIS). If a file
exceeds either restriction, the following occurs during the upload:
l If an attachment file is larger than the designated file size in IIS, a 404 error appears. The host
server, not RSA Archer, generates this message. The IIS setting outranks RSA Archer setting.
l If the attachment file meets the restrictions in IIS but exceeds the maximum file size of the
attachment or image field, a message appears, stating that the file exceeds the limitations. If this
condition occurs, the user must upload a file that is smaller than the maximum file size. If the
attachment file includes more than one file and the total size exceeds the maximum file size, the
user can upload the files individually, up to the maximum size limitation.
Add an attachment field

1. Go to the Fields tab of the application or questionnaire to which you want to add an attachment
field.

2. Click Add New.

3. In the Creation Methods section, select one of the following:
l To add a new field, click Create a new Field from scratch and click Attachment from the
Basic Field Type list.

l To add a field from an existing field, click Copy an existing Field and select the attachment
field you want to copy.
4. In the Encrypt Field Data field, select whether to enable encryption. For more information, see
Encrypting Data.
5. Click OK.
6. In the General Information section, enter the name and description of the field.
7. Click the Options tab.
8. In the Display Control section, select the option for displaying the field: Grid and Single Column.
Display
Description
Control

Column
9. In the Options section, select the options for including the field in search results and setting its
behavior.
Option Action
application.

Option Action
Advanced Adds descriptive text and alters the standard display of the field. After selecting
Field this checkbox, specify the display text and layout for the field in the Advanced
Display Field Display Options section.
Encrypt Indicates whether field data is encrypted. You can enable or disable field
Field Data encryption when creating and updating fields. To decrypt file, clear the
checkbox. For more information about encryption, see Encrypting Data.

Option Action
Encryption Indicates the status of the field encryption. If this field displays Stationary, then
Status any encryption process is complete and field data is encrypted. If any other status
displays, you must wait until the status returns to Stationary before attempting to
select or clear the checkbox. This may take some time depending on the amount
of data you need to process.
Note: If the encryption status is actively encrypting or decrypting, RSA Archer

does not allow users to add, edit, or delete the field value. To stop the active
field encryption, click Stop Encryption.
If you attempt to select or clear the checkbox ,or delete a content record that
contains an encrypted field with a non-stationary status, RSA Archer may
display an error. This can result from validation or system errors. You can click
the View Error Details link to see the cause of the error. After you have resolved
the error, click Restart Encryption or Restart Decryption to complete the process.
limitations of the attachment files.
Option Description
Maximum Specifies the maximum file size, up to 100 MB, that you want to allow for each
Size file uploaded to the attachment field. This setting does not restrict the total size
of all files uploaded to the field.
Users may experience a long wait time when attaching large files to a record. If
you allow users to attach multiple large files, periodically monitor the available
space and current usage of the file repository to ensure optimized system
performance.
Display Designates the fields you want to display along with your attachment file.
Fields Important: The Downloads and History fields require System Administrator
access to view.


Adding Cross Application Status Tracking Fields

The Cross-Application Status Tracking (CAST) field type allows users to track the completion status
of tasks stored in one application against records in another application. For example, track the
implementation of security controls against specific assets, indicating status changes, using the list
of field status values for the CAST field. Creating a cross-reference to another application classifies
that field as a related-record.
The application that contains the task records (such as security controls or patches) is considered the
child application, and the application that contains the object records (such as assets or vendors) that
you want to track tasks against is the parent application. For example, if you include a CAST field in
an Incidents application, the application you relate might store response procedures.
Linking a CAST field

After you link a CAST field to a child application, a matching field is created in the child application
to note the linkage. When updating a record in the parent application, a user can select a value from
the CAST field to define the status of the relationship between the parent-application record and the
child-application record. For example, while updating an asset record in the parent application, a
user can select the implementation status of a related security control from the CASTfield.
Important: If you change the associated application for a CAST field, but records with values for
the CAST field were already saved in the previously associated application, those values are no
longer displayed in the previously associated application because the CAST field is removed.
Therefore, RSA recommends that you do not change the associated application for a CAST field if
records in the current related application have already been saved.
Child-application records can be linked to parent-application records by selecting a field in each

application that is populated with an identical global values list or by creating a field-value rule with
one or more conditions that filters records in the child application, or both. The values list that you
select must contain status values that users can select to indicate the current completion status for a
task. For example, you could select a global values list with the values Accept Risk, Implemented,
Time Extension and Not Applicable. You can also select a cross-reference field referencing the
same application.
Important: If any records were saved using the current values list for the CAST field, changing the
status of the values list is not recommended. If you change the values list after records have already
been saved with values from a previous values list, the CAST values in those records are set to the
default value for the new values list. If no default value is configured for the new values list, the
CAST values in records saved with the previous values list is set to No Value. In either case, you
lose any status changes made to records saved with the previous values list.

Add a cross application status tracking field

1. Go to the Fields tab of the application to which you want to add a CAST field.

2. Click Add New.

3. In the Methods section, select one of the following:
l To add a new field, click Create a new Field from scratch and click Cross Application Status
Tracking (Scorecard) from the System Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the CAST field
you want to copy.
4. Click OK.
6. In the Associated Application field, click and select the application to relate through the
CAST field.
7. In the Status List field, click and select the values list to populate the CAST field.
9. In the Options section, select whether the field is included in search results.
Option Action
Quick Displays a statuses in a list on the Status Tracking Results page to enable immediate
Status status changes.
Change

10. In the Configuration section, specify how the records are associated.
Option Description
Relate Relates two applications based on a field in both applications. There must be a
Content By common value between the fields.
Field If you have a values list field in your parent application, for example, Asset
Management, that denotes the Asset Type, and you have the same field in your
child application, for example, Security Controls, you can link the two fields so
controls are only linked to an asset if the asset shares the same value in the
Asset Type field.
Relate Specifies the rule that determines which records to link from an outside
Content By application. If you relate content by a rule, all content records in the child
Rule application that satisfy that rule are linked to all records in the parent application.
For example, you can create a rule that links all records in the child application
with the value "High" in the Priority field to records in the parent application.
Application Specifies the application field and related field for two applications when content
Field and is related by a rule.
Related
Field
Rule Adds or removes search criteria in the table to specify a rule that determines
which records to link from the outside application when content is related by a
field.

Adding Cross-Reference Fields

Use cross-reference fields to create associations between records in the same application (internal
references) or records in one or more different applications (external references).
1. Go to the Fields tab of the application to which you want to add a cross-reference field.



2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Cross Reference from
the Advanced Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the cross-
reference field you want to copy.
4. Click OK.
5. In the General Information section, complete the name and description of the field.
Note: When you click Apply on a cross-reference field, the record saves and the calculation
status can not be changed.

7. In the Display Control section, select a display option.
Display Control options

Display
Description
Control

Column
8. In the Options section, select the applicable options:

Options

Option Action
application.
Enable Enables this field to be available for update from Advanced Search Results.
Bulk
Update
Enable Enables this field to be available for creation from Advanced Search Results.
Bulk
Create

Inline Edit
Editable
Grid
Display

Option Action
for editing.
Remove

Record Lookup Configuration options

Options Description
Display Specifies the fields of data from the relationship application that is displayed on the
Fields Record Lookup page for users when they select related records in the Cross-
Reference field.
Use to select the fields that you want to display from the Available list.
of fields in the Selected list will be the left-to-right order of fields in the Record
Lookup page.
Note: If the relationship application is a leveled application, and you select fields
Filters Determines the filtering criteria for selecting records for display on the Record
Lookup page.
Sorting Specifies the fields by which cross-referenced records are sorted in the Record
Lookup page.
For example, in an "Investigators" Cross-Reference field, you can sort the display
of referenced records alphabetically by investigator name.
Display Determines how the cross-referenced records are displayed on the Record Lookup
Format page:
l Column-Hierarchical. Presents the records in a columnar layout where fields are
displayed across the page from left to right, and the field values are presented
l Column-Flat. Presents the records in a simple columnar layout without any
grouping of values.
10. In the Grid Display Properties section, select the fields you want to display in the record look-up
for the cross-reference field.

Grid Display options

Options Description
Record Indicates the related record displays using the Record Lookup configuration.
Lookup
Note: This option is not available for calculated cross-reference or related record
fields.
Display Indicates which related record fields to display, instead of Record Lookup
Fields configuration. This is available if Record Lookup is unchecked.
Note: Fields with the Enable Inline Edit option enabled appear here. If your field is
not available, go to the record in question and update the options on that field.
Sorting Specifies the default sorting order of related record fields to be displayed. This is
available if Record Lookup is unchecked.
11. In the Configuration section, specify the range of selections a user can make.
Configuration options

Option Description
Field For Single Column option: Specifies the height of the field in a single-column
Height display. This setting impacts the display of the field only when users add or edit
records in the application. For example, if you set the field height to three lines,
and a user makes four selections in the field, a scroll bar is displayed.
control.
control.


Adding Date Fields

The Date field type accepts only a valid date entry and displays to users as a field with a calendar
icon beside it. Users can either enter dates directly in the field or click the calendar to select a date
from the dialog box.
When configuring the properties of a date field, you can enable users to enter a time of day to
associate with the date, as shown below.
You can restrict users from entering values in a date field that already appear in other records within
the application, making each date field value unique.
You can encrypt date fields. For more information about encrypting fields, see Encrypting Data.
Specialized options
l Default Date Value. If this option is enabled, you can select a default value for date fields. You
set the default date value when you create the record in the application; editing the record does
not affect the value. When configuring the default value, you can select to display the date of
record creation, a date that is a specific number of days after the date of record creation, or a
static, specific date. You can also select to display no default value in the date field.
l Calculated Field. If this option is enabled, you can specify a formula for dynamically computing
the value of the field. For example, you could create the following formula to populate the Date
field with the current date: TODAY(). The calculated field would display as read-only for all
application users, and its value would be updated each time the field was recalculated.
Add a date field

1. Go to the Fields tab of the application to which you want to add a date field.



2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Date from the Basic
Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the date field you
want to copy.
Encrypting Data.
5. Click OK.
8. In the Display Control section, select the option for displaying the date and time.
Display Control Description
Text Box - Date Only Displays a date in a text box or dropdown list by date or by date
Text Box - Date and and time.
Time
Dropdown - Date Only
Dropdown - Date and
Time
behavior.
Option Action
application.

Option Action
Bulk
Update

Inline Edit
application.

Option Action

10. In the Configuration section, select the option for setting the default value of the field.


Option Description
Default Specifies the default date value of the date field when a user adds a new record in
Value the application. The default date is set at record creation. Record edits do not affect
this date The following options are available:
date field.
l Future Date. Select Future Date to display a default date value that is a specific
number of days after the date of record creation. Then enter the specific number
of days in the field to the right.
for the date field, and enter the date in the field to the right or click the Calendar
icon to select the date from a calendar dialog box.

Adding Discussion Fields

The Discussion field allows users to participate in discussion forums related to specific records.
When configuring this field type, you can select to create an individual forum for each record
created in an application or to link all records within an application to one or more existing
discussion forums created manually through the Discussion Forums feature. Forums built through the
Discussion field type have all of the characteristics and properties of a regular discussion forum.

Discussion field formats

The following table describes Discussion field formats.
Type Description
Forum Selecting this option causes the field to generate a new discussion forum for each record
Popup created within the application. The discussion forum displays in a pop-up window. You
can capture comments and dialogue from a variety of users centered on the content of a
specific record. For example, if you have a record concerning password requirements,
users could access the forum to discuss changes or additions to the requirements. A link to
the record-specific forum is displayed in both the view and edit modes of a record. This
option also allows you to specify administrators for the forum and configure edit options
for users.
Static Selecting this option allows you to embed links to existing discussion forums within each
Forum record in an application. Users cannot add or edit links in the field. By including links to
Link established discussion forums, you can direct users to forums where they can participate
in a large-scale discussion relating to the entire application. Links for the selected
discussion forums display in both view and edit modes of every record in the application.
You can add a discussion field to an application or questionnaire.

1. Go to the Fields tab of the application or questionnaire to which you want to add a Discussion
field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Discussion from the
Advanced Field Types list.
l To add a field from an existing field, click Copy an existing Field and select the discussion
4. Click OK.


Display
Description
Control
Forum Forum Popup: Displays a pop-up list that contains a discussion forum for each
Popup record created in the application. In this view, users can only access the forum
Status when viewing or editing a record. the record is not displayed in a discussion forum.
Forum Status Forum Link: Displays one or more read-only links to existing discussion
Link forums in every record of the application.
8. In the Configuration section, specify the rules for posting and edit discussions in a discussion
forum.
Configuration options for applications

Option Description
Forum Designates the administrators for the forum and specifies the edit options that end
Popup users have in the forum.
l Edit Own Posts. Allows users to edit their own posts in the forum.
l Edit All Posts. Allows users to edit all posts in the forum.
l Forum Administrators. From the Available list, select the users and groups to
which you want to grant forum administrator rights. As an application owner, you
are listed by default as a forum administrator. To revoke forum administrator
rights for a user or group, click to the right of the user or group name in the
Selected list.
Static Specifies the forums to which you want to provide links.

Forum Discussion Forums. From the Available list, select the discussion forums that you
Link want to include a link to within in every record of the application.
To remove a link to a discussion forum, click to the right of the discussion forum
name in the Selected list.

Configuration options for questionnaires

The following table describes configuration options.
Option Description
Edit Own Posts Allows users to edit only their own discussion forum posts.
Edit All Posts Allows users to edit all discussion forum posts.

Adding External Links Fields

The External Links field type allows users to enter named links that reference web pages and email
addresses. To enter an external link, specify the link protocol and the target URL. You can also
specify link text (a name) for the link, for example, "Google".
Supported link types:
l HTTP
l HTTPS
l FTP
l Mailto
l News
l Relative
l File
Note: The Mailto, FTP, and News protocols are not supported for embedded URL iViews.
Each time that you enter a link in an external links field and click Apply, the new link is displayed in
a list below the field. Edit the properties of a list item by clicking to the right of the link. The
properties of that link are displayed in the Link Manager and can be edited.
You can delete a link in the list by clicking to the right of the link.
You can add an external link field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add an External
Links field.
a. From the menu bar, click

.
2. Click Add New.

l To add a new field, click Create a new Field from scratch and click External Links from the
l To add a field from an existing field, click Copy an existing Field and select the external links
4. Click OK.
behavior.
Option Action
application.

Option Action
8. In the Configuration section, specify the minimum and maximum number of external links that a
user can add.
Option Description
Minimum Sets the minimum number of links the user can select in the external links field.
Links
Maximum Sets the maximum number of links the user can select in the external links field.
Links
Protocols Specifies the protocol types that a user can configure in the Protocols field. Please
note that the Mailto, FTP, and News protocols are not supported for embedded
URL iViews.
l HTTP l News
l HTTPS l Relative
l FTP l File
l Mailto

Adding First Published Date Fields

The First Published Date field type automatically populates based on the date a record is created.
When configuring the properties of a first published date field, you can select whether to display the
contents of the field within individual records, in the record header, or both. You can also select to
display time and user information along with the date value.

1. Go to the Fields tab of the application to which you want to add a first published date field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click First Published Date from
the System Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the first
published date field you want to copy.
5. Click the Options tab, and select the options for including the field in search results and for
displaying information about the field.
Option Action
Time Displays time information (hours, minutes and the AM or PM designation) along
Information with the date value.
User Displays the name of the user who published the record along with the date
Information value.
Header Displays date first published or last published in the page header of records by
Display default. To remove it from display, clear the Page Header Display checkbox.


Adding History Log Fields

The History Log field type tracks field-level changes for individual records in an application. You
can select to embed the history log in a record in grid (table) format, or include a link to a record
history log for viewing the history log in a separate window.
When configuring the properties of a history log field, select the fields that are tracked by the history
log. Not all field types can be included in the history log. All other fields in an application can be
included in this history log.
In addition to selecting the fields to include in the history log, you can select to limit the number of
modifications that display on the History Log page. If a large number of users have rights to edit
records in an application, the history log for a record in that application may include thousands of
changes. If this is the case, you can limit the number of modifications displayed in the history log to
improve its load time.
Field types that cannot be included in the history log

The following table provides a list of field types that cannot be included in the history log.
l Cross-Application Status l Scheduler
Tracking l Sub-Form
l Discussion l Tracking ID
l First Published Date l Voting
l Last Updated Date l Record Permissions configured with the Inherited
l Multiple Reference Display Permissions option
Control l "Other Text" values associated with a Values List field
l Record Status
Additional information about the History Log field type

l Field permissions are enforced, allowing users to track only the history of fields for which they
have access.
l Prior to adding a history log field to an application, the history of field-level changes in that
application is not tracked.
l Deleting a history log field deletes the history associated with the field. This data cannot be
restored.
l Published changes and content review changes are tracked in the history log.
l When copying a history log field, the capture and retention policy configurations for the settings
you have chosen - either field data, advanced workflow data, or both - are copied.
l Copying a record does not copy the history of that record.

l When a History Log field is configured to retain data from an advanced workflow process, the
advanced workflow process data is retained according to the retention policy configured in the
Advanced Workflow Designer.
Add a history log field

1. Go the Fields tab of the application or questionnaire that you want to add a History Log field.

d. Click the Fields tab .
2. Click Add New.

3. In the Creation Methods section, select one of the following
l To add a new field, click Create a new Field from scratch and click History Log from the
l To add a field from an existing field, click Copy an existing Field and select the history log
4. Click OK.
6. Click the Options tab and select the option for displaying the field content.
Display
Description
Control
Grid Displays historical information in a fixed-width table or presents a hyperlink for

Link displaying historical information in a separate window.
7. In the Options section, select the options for including the field in search results and rules for

displaying the field.

Option Action
Default not prevent users from removing the field from the Search Results page. Users can
Field click Modify in the toolbar and remove the field from the Fields to Display section
of the application Search Records page.
Microsoft Excel, PDF, Text, and .CSV. If a user does not have access to the field
but the field is configured to allow keyword searching, the field is still searched
but not included in the search results.
User Determines whether to include only the activity entered by a user when a field is
History added or updated. History is displayed for general, administrator, and data feed
users.
8. In the Configuration section, select one or both types of data to be tracked in the history log field.
Sub-
Option Description
Option
Display Enables signature auditing in the history log field.

Signature
Tracking
Display Enables advanced workflow auditing in the history log field.

Workflow
Tracking Important: If this option is selected, but Enable Workflow Auditing in
the Advanced Workflow builder is not selected, advanced workflow
audit information will not appear in the History Log field.
Note: The retention policy for advanced workflow auditing can be set
in the Workflow Designer when Building Advanced Workflows.

Sub-
Option Description
Option
Display Enables field value change auditing in the history log field.
Field
You must select the options for setting the number of days or entries
Tracking
for retaining the historical data and whether to track all fields or only
specific fields.

Sub-
Option Description
Option
Retention Specifies whether the history log field is retained for a specified
Policy number of days or entries.
l By Days. Enter the number of days of the entries for the fields
being tracked and retained.
l By Entries. Enter the number of entries for the fields being tracked
and retained.
A history log field is also created when a work flow is created. By
default, this field is configured to retain all history for all fields
indefinitely.
As records move through content review stages, a detailed history of

all content modifications is electronically maintained by person, date
and time. If this history log is configured to purge its contents, the
work flow information could be lost along with other historical
information. An application can include other history log fields.
If an application has multiple history log fields, the history log with the
longest retention period takes precedent over the other. For example:
The following table describes a scenario in which both history log
fields are configured by days.
History log fields 1 and 2 are both configured by days.
Scenario 1 1 has a retention period of 7 days.
2 has a retention period of 14 days.
Results Records are retained 14 days.
The following table describes a scenario in which both history log

fields are configured by entries.
History log fields 1 and 2 are both configured by entries.
Scenario 2 1 has a retention period of 10 entries.
2 has a retention period of 20 entries.
Results The 20 most recent entries are retained.

Sub-
Option Description
Option
The following table describes a scenario in which one history log field
is configured by days and the other history log field is configured by
entries.
History log field 1 is configured by days and History log
Scenario field 2 is configured by entries.
3 1 has a retention period of 7 days.
2 has a retention period of 20 entries.
The 20 most recent records are retained regardless of

Results their age, and all entries younger than 7 days are retained
regardless of the count.
Field Determines which fields are tracked for history logging:

Tracking l All. Select this option if you want the history log to track all fields
in the application. In addition to all current fields, fields added in
the future will also be automatically added to the tracked fields list
if you select this option.
l Selected. Select this option to specify one or more fields to track.
To include a field, click the field from the Available list. You must
select at least one field for the history log to track.
After selecting the field, specify which format edits to the field are
displayed in detail, record version, or both.
To move the fields in the order you want the fields displayed, use
at the bottom of the Selected list.

Adding Image Fields

The Image field type allows users to upload and display one or more image files. You can set the
display height and width for each image field, and whether to encrypt data. The system supports a
maximum value of 2000 x 2000 pixels. When an image does not match the defined height or width, it
resizes using a locked aspect ratio until both dimensions meet the display criteria.

File size limitations for image files
When determining the maximum file size of an attachment or image field, also consider the
restriction limits set in the web.config file and Microsoft Internet Information Services (IIS). If a file
exceeds either restriction, the following occurs during the upload:
l If an attachment file is larger than the designated file size in IIS, a 404 error appears. The host
server, not RSA Archer, generates this message. The IIS setting outranks RSA Archer setting.
l If the attachment file meets the restrictions in IIS but exceeds the maximum file size of the
attachment or image field, a message appears, stating that the file exceeds the limitations. If this
condition occurs, the user must upload a file that is smaller than the maximum file size. If the
attachment file includes more than one file and the total size exceeds the maximum file size, the
user can upload the files individually, up to the maximum size limitation.
Add an image field

1. Go to the Fields tab of the application or questionnaire to which you want to add an image field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Image from the Basic
Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the image field
you want to copy.
Encrypting Data.
5. Click OK.
7. Click the Options tab and select the options for including the field in search results and setting its
behavior.


Option Action
application.

Option Action

8. In the Configuration section, specify the minimum and maximum attachments and image size.
Option Description
Display Specifies the width and height in pixels for images displayed in this field.
Width and
Display
Height
Maximum Specifies the maximum size, up to 100 MB, that you want to allow for each
Size file uploaded to the Image field. This setting does not restrict the total size of
all files uploaded to the field.


Adding IP Address Fields

The IP Address field type enables users to store an IP address in either the IPv4 or IPv6 format. You
can specify the format when you create the field and you cannot change it later. The IPv4 format
consists of four adjoining sub-fields that must contain a numeric value between 0 and 255. The IPv6
format consists of eight adjoining sub-fields that display to the user using either the full syntax or the
shorthand syntax.
You can add an IP address field to an application or questionnaire.
You can encrypt IP address fields. For more information about encrypting fields, see Encrypting
Data.
Add an IP address field

1. Go to the Fields tab of the application or questionnaire to which you want to add an IP Address
field.

c. Select the application or Questionnaire.
2. Click Add New.

l To add a new field, click Create a new Field from scratch and click IP Address from the
l To add a field from an existing field, click Copy an existing Field and select the IP address
Encrypting Data.
5. Click OK.
8. In the Display Control section, select the version for the IP address.


Display
Description
Control
IP Address Displays the IP Address in either version 4 or version 6. You cannot change
Version 4 the format after you save.
IP Address
Version 6
behavior.
Option Action
application.

Option Action
application.


10. Do one of the following based on the display control you selected in step 8:
l If you selected IP Address Version 4, go to the next step.
l If you selected IP Address Version 6, specify the values for the IP address version 6 format in
the Configuration section.
Option Description
Control Specifies the display syntax. This option only affects how the address displays to
the user when viewing a record. It does not impact how the address displays when
adding or editing a record, nor does it change how the address is stored in the
database:
l Full. Displays the full syntax of the address to the user when viewing records
with this field.
l Short-Hand. Displays the shorthand syntax of the address to the user when
viewing records with this field.

Adding Last Updated Date Fields

The Last Updated Date field type is automatically populated each time changes are saved to a
record. When configuring the properties of a last updated date field, you can select whether to
display the contents of the field in individual records or in the record header. You can also select to
display time and user information along with the date value.
You can add a last updated date field to an application or questionnaire.
Note: If you add a new related record in a cross-reference field, the Last Updated Date field does
not update when the related record field is on the layout.
1. Go to the Fields tab of the application or questionnaire to which you want to add a last updated
date field.


2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Last Updated Field from
the System Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the last updated
date field you want to copy.
4. Click OK.
6. Click the Options tab and select the options for including the field in search results and for
displaying information about the field.
Option Action
Time Displays time information (hours, minutes and the AM or PM designation) along
Information with the date value.
User Displays the name of the user who published the record along with the date
Information value.
Header Displays date first published or last published in the page header of records by
Display default. To remove it from display, clear the Page Header Display checkbox.


Adding Matrix Fields

The Matrix field type provides the ability to display a two-dimensional array of checkboxes,
allowing users to plot or rank responses relative to two factors. For example, create a matrix to
assist in analyzing a broad set of characteristics across your physical assets. The columns of the
matrix represent characteristics, such as maintenance burden, portability, and power consumption,
while the rows might represent ranking levels, such as high, medium, and low.
You can add a matrix field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add a matrix field.

2. Click Add New.

3. In the Methods section, do one of the following:
l To add a new field, click Create a new Field from scratch and click Matrix from the
Advanced Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the matrix field
you want to copy.
4. Click OK.

7. In the Options section, select the behaviors of the field.

Option Action
application.
8. In the Configuration section, specify the rules for selections and lists.
Option Description
control.
control.
Minimum Specifies whether the axis is based on a row or column and the minimum number
Selection of selections that a user can select.
Axis

Option Description
Maximum Specifies whether the axis is based on a row or column and the maximum number
Selection of selections that a user can select.
Axis
Column Specifies the global values list that populates this column in the matrix. When
Values adding a field to a records, users can select an alternate global values list.
List
Row Specifies the global values list that populates this row in the matrix. When adding
Values a field to a records, users can select an alternate global values list.
List
If any records are saved in the application with column or row values from the
specified global values lists, do not select a different the global values on the
Column Values or Row Values tabs. If you select a different global values list
after users have saved records with value selections from the original global
values list, the values from this global values list are permanently lost and the
matrix field shows no selections.
9. Click the Column Values tab and enter the values for the columns in the Values section.
10. Click the Row Values tab and enter the values for the row in the Values section.
Adding Multiple Reference Display Control Fields

Use the MRDC field type to display data of cross-reference and related-record field using a single
control rather than displaying multiple cross-reference or related-record fields in the layout of a
record.
Example: Using MRDC fields for displaying content of cross-reference and related-
record fields
You could have a Devices application with separate cross-reference fields that link to the Facilities
and Service-Level Agreements applications. From the MRDC field, users could select the record for
the facility that houses the device from the related Facilities application, and they can select the
record for the service-level agreement for the device from the related Service-Level Agreements
application. Both of these selections would be displayed in the same field.

You can then set this field to display a single reference, allowing users to select one referenced
application for display in the field, or to display multiple references, allowing users to select more
than one reference for display in the field.
Note: After an MRDC field is saved with the Multiple References option selected, the Single
Reference option is no longer available. However, you can change the setting from Single Reference
to Multiple References.
For each cross-reference or related-record field that you select to display in an MRDC field, you
can suppress the field from end-user functions. By selecting the Suppress option, you can hide
existing cross-reference or related-record fields from a record layout, conserving record "real
estate."
An advanced option for the MRDC field type provides the ability to reference the field in a
calculated field formula using the COUNT or ISEMPTY function. You can use the COUNT
function to return the number of referenced records within the field. Using the ISEMPTY function,
you can determine whether the MRDC field contains selections.
Example: Results of calculated field used to determine the number of records ref-
erenced in an MRDC field
COUNT([Facility and Service Agreement])

The following formula would return True if the Facility and Service Agreement multi-reference field
contained no selections:
IF(ISEMPTY([Facility and Service Agreement]), "True", "False")
Add a multiple reference display control field

You can add an MRDC field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add a MRDC field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Multiple Reference
Display Control from the Advanced Field Type list

l To add a field from an existing field, click Copy an existing Field and select the MRDC field
you want to copy.
4. Click OK.
7. In the Options section, select whether the field is included in search results and other behaviors.
Option Action
application.
8. In the Configuration section, specify the selection rules for the MRDC field.
Option Description
Selected Specifies the references that you want to display in the MRDC field. As an
References administrator, you can still view the suppressed fields on the Layout tab of the
Manage Applications page, but the individual fields are hidden from end users. If
you do not select the Suppress checkbox for a field and that field is included on
the page layout for the application, both the original field and the MRDC field
displays to end users, causing duplication of data on the page.

Option Description
Reference Specifies whether users can select one or more references.

Type l Allow users to select only one reference: Select this option if you want users
to select related records from only one application in the MRDC field. Users
can select the application that houses the records they want to reference, and
they can select multiple records from that application. However, they cannot
select related records from more than one application.
l Allow users to select any number of references: Select this option if you want
users to be able to select related records from more than one application
within the MRDC field. Users can select the applications that house the
records they want to reference (by clicking the Add New link above the field
to select additional applications), and they can select multiple records within
those applications.
Note: If you select the MRDC option and save the field, you cannot change
the setting to Single Reference.

Adding Numeric Fields

The Numeric field type allows only numeric-value entries. Numeric fields accept both positive and
negative values of any size. A numeric field can also be a calculated or trended field.
When configuring a numeric field, you can apply minimum or maximum value constraints to the
field. You can also specify the number of decimal places permitted for the value.
Note: A value of None allows any number of decimal places (0-6) to be entered. A value of 0 (zero)
does not allow any decimal places to be entered.
Numeric fields can also be encrypted. For more information about encrypting fields, see Encrypting
Data.
Add a numeric field
1. Go to the Fields tab of the application to which you want to add a Numeric field.


2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Numeric from the Basic
Field Type list.
l To encrypt this field, select the Encrypt Field Data checkbox. For more information, see
Encrypting Data.
l To add a field from an existing field, click Copy an existing Field and select the numeric field
you want to copy.
4. Click OK.
6. Click the Options tab and select the options for including the field in search results and other
behaviors.
Option Action
application.

Option Action
Bulk
Update

Inline Edit

l Days = 1 day
l Months = 30 days
l Years = 365 days
to the Options tab.
application.

Option Action
Sum Field Provides a total of all values entered in the field on the Search Results page for
an application or leveled application. The sum is only shown on Column-
Hierarchical and Column-Flat report format types.
When this option is selected, the total value appears in the last row of Numeric
Field column. The summation value represents a grand total and displays on each
page.
Numeric Allows users to filter search results in the application based on specific ranges of
Ranging values in the numeric field. When you select this option, you must define the
numeric range and its values after the numeric field is configured.
Format Formats the value using thousand separators.

Option Action

7. In the Configuration section, specify the format for the numeric field.
Option Description
Decimal Specifies the number of decimal places required for values entered in the field
Places (maximum 6). Entering a value in the numeric field with fewer decimal places
than the required number pads the value with zeros.
For example, if you require 3 decimal places and you then enter a value of "4.1" in
the field, the value displays as "4.100" when you save the record.
On the other hand, if you enter a value in the field with more decimal places than
the required number, you must limit the number of decimal places in the value to
fit the field requirements before you can save the record.
Negative Specifies how the negative numbers display. Options include:

Display l (1234.56) font color = red; default option
l -1234.56 font color = red
l (1234.56) font color = black
l -1234.56 font color = black
Minimum Specifies the minimum values users must enter in the numeric field within a

Option Description
Maximum Specifies the maximum values users must enter in the numeric field within a
example, entering "miles" labels the field value as a measurement of distance. For
the tracking ID, you enter "XYZ" in this field. The tracking ID value for a record
displays "123456XYZ."
Increment Specifies the value by which the number is to increase or decrease. Available
By options are .01, .1, 1, 10, 100, 1000, or No Increment.

Define numeric ranges of a numeric field

When adding a numeric field, you can select to display a filter option on the Search Records page
that allows users to search the field based on a range of values. For each named range that you
create, you must define a beginning and ending value. For example, a range named "High" might
contain the values 8 through 10.
1. Go to the Fields tab of the application that you want to update.

2. Choose the numeric field for which you want to define numeric ranges.
3. Click the Options tab and select Numeric Ranging.
4. Click Save and return to the Fields tab of the Manage Applications page.
5. In the Field Type column of the numeric field, click the Numeric Ranges link.
6. Click Add New.

7. In the Name field, enter the name of the numeric range.

8. In the Beginning Value and Ending Value fields, select the numeric values that define the range.
9. Repeat steps 6 - 8 to define other numeric ranges.
Adding Questionnaire Reference Fields

The Questionnaire Reference field type is available only if your organization has licensed one or
more use cases that contain questionnaires. The Questionnaire Reference field type enables you to
see all questionnaire records that are related to an application record. For example, if you are
working with a third party record within a Third Party Profile application, you can see the
assessments that are in progress or have been completed for that third party.
This field type is only available for applications selected as the target for one or more
questionnaires. If the application is the target of multiple questionnaires, you can select any number
of those questionnaires to include in the field.
You can also select the fields of information that you want to display in the questionnaire reference
field. Only the system-generated questionnaire fields are available for selection.
Add a questionnaire reference field

1. Go to the Fields tab of the application to which you want to add a questionnaire reference field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Question Reference from
l To add a field from an existing field, click Copy an existing Field and select the questions
4. Click OK.
5. In the General Information section, enter the name and description.


7. In the Options section, select whether this field is the default search field.
Option Action
Microsoft Excel, PDF, Text, and .CSV. If a user does not have access to the field
but the field is configured to allow keyword searching, the field is still searched
but not included in the search results.
Calculated Designates the field as a calculated field determined by a formula that computes a
Field value dynamically for this field. If you select this option, the field is read-only for
all users, and the defined formula computes its value.
8. In the Configuration section, specify the rules for the questionnaire reference field.
Option Description
Questionnaire Specifies number of those questionnaires to include in the questionnaire

reference field when an application is the target of multiple questionnaires.
Not applicable for attachment questions.
Display Specifies the system-generated questionnaire fields that display in the

Fields questionnaire reference field. Questions and custom questionnaire fields are
not available for display in a questionnaire reference field. Only system-
generated questionnaire fields may be displayed.


Adding Record Status Fields

The Record Status field type is automatically populated based on the current status of the record and
only contains one of two values: New or Updated.
You can add a record status field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add a record status
field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Record Status from the
l To add a field from an existing field, click Copy an existing Field and select the record status
4. Click OK.
Option Action


Adding Record Permissions Fields

Use a record permissions field to control user access at the record level.
You can add a record permissions field to an application or questionnaire.
1. Go to the Fields tab to which you want to add the record permissions field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Record Permission from
l To add a field from an existing field, click Copy an existing Field and select the record
permission field you want to copy.
4. Click OK.

7. In the Display Control section, select the control for displaying the record permissions field.
Display
Description
Control
Buttons
Boxes
8. In the Options section, select the behavior and validation rules for the record permissions field.
Option Action
application.

Option Action
Bulk
Update

Inline Edit
9. In the Configuration section, set the minimum and maximum selection values.
Option Description
Field Specifies the height of the field in lines and is specific to a Listbox or Text Area
Height display control. If more values are available for selection in the field than the
number of lines you specified, a vertical scroll bar appears in the field to enable
users to view all available values.
Column Specifies the number of columns for the Radio Buttons or Checkboxes display
Layout control options.
control.
control.


Adding Scheduler Fields

Create a scheduler field in the resource application so that users can see all of the appointments to
which they have been scheduled, regardless of the parent application.
Use the triangular reference in searches, calculations, and inherited record permissions.
You can add a scheduler field for an application or questionnaire.
Note: You cannot use the Scheduler field as a filter, in a data-driven event, or a rule for a data-
driven event.
Note: After you create a scheduler field, you cannot edit the Display Control or Configuration
options. You must delete the scheduler field, which removes the triangular relationships. After
creating the scheduler field, you must add it to the application layout.
Task 1: Add the scheduler field
1. Go to the Fields tab of the application or questionnaire to which you want to add the Scheduler
field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Scheduler from the
l To add a field from an existing field, click Copy an existing Field and select the scheduler
4. Click OK.
7. In the Display Control section, select the display format.


Display
Description
Control
Schedule Schedule Grid: Displays appointments in a Gantt-like chart with the resource along
Grid the left side and the appointments in segmented columns based on start and end
Resource dates. In this view, you can see all assigned resources for each parent record. To
Grid assign resources to any parent application, you must configure a scheduler field
with the schedule view and add it to the layout of that application. Any module with
the scheduler field is considered a parent application.
Resource Grid: Displays appointments in a list grouped by parent applications for
all resources or the appointments for a particular resource when viewed by that
user. In this view, your users can see all appointments assigned to them through
this view regardless of the application to which they are assigned. Users can also
see any appointments that are not assigned to a resource.
8. In the Configuration section, select the applicable available reference.

Option Description
Available Designates the application to which a relationship is created when the

Reference appointment is viewed in the schedule view. This designation creates a triangular
relationship among this application.
For example, if you are creating the Scheduler field in the Engagements
application with the schedule view, it becomes the parent application. You can
then specify Contacts as its resource, which creates a triangular relationship
between Engagements and Contacts applications and the Appointment application.
If you select the Resource Grid as the Display Control, this designation
automatically establishes a relationship between the current module and the
Appointment application.
Option Action

Option Action

l If you selected Resource Grid as the display control, go to the next step.
l If you selected Schedule Grid as the display control, complete the following:
a. (Optional) In the Record Lookup Configuration section, define the selection and sorting
criteria for displaying records from the related application from which you want users to

select from Record Lookup.

Options Description
Display Specifies the fields of data from the relationship application that are
Fields displayed on the Record Lookup page for users when they select related
records in the Scheduler field.
To select fields for display, click in the Display Fields field and select
the fields that you want to display from the Available list.
order of fields in the Selected list will be the left-to-right order of fields in
the Record Lookup page.
Filters Determines the filtering criteria for selecting records for display on the
Record Lookup page.
To set filters for the records to be displayed in the field, select the values for
the following fields:
l Field to Evaluate
l Operator
l Values
You can also create a dynamic filter for filtering record lookup.
Sorting Specifies the fields by which referenced records are sorted in the Record
Lookup page.
b. In the Schedule Display Configuration, select the resource fields that you want to display.


Option Description
Display Defines the columns of data that display in the Resource column of the
Fields schedule view.
Use the below the Selected list to arrange fields. The top-to-bottom
order of fields in the Selected list displays as the left-to-right order of fields in
the Related Record Field table.
11. Click Apply.
Task 2: Add the scheduler field to the application or questionnaire layout

1. Click the Layout tab.
2. Move the scheduler field from the Available Fields list to the location on the layout where you
want the Schedule or Resource object to appear.
3. Click Save.
Adding Sub-Form Fields

The Sub-Form field type enables you to embed a predefined sub-form in an application. Any
application owner can use a sub-form in any application. Sub-forms collect data within individual
records and display the data in a scrollable grid. Each time a user adds or edits a record in an
application, the user can make an entry in the sub-form and view entries that other users have made.
For example, if an application contains a sub-form designed to collect user comments, each user
who accesses a record in the application can submit a comment in the sub-form and view comments
submitted by other users.
To add a sub-form field in an application, you must first create the sub-form that you want to include
in the application. After creating the sub-form, you can then select it for an application though the
sub-form field.
You can add a sub-form field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add a sub-form
field.



2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Sub-Form from the
l To add a field from an existing field, click Copy an existing Field and select the sub-form
4. Click OK.
7. In the Options section, select behaviors and validation rules for the sub-form field.
Option Action
application.

Option Action
for editing.
8. In the Grid Display Properties, select the fields that you want to display for the sub-form field.
Option Action
Display You can define the fields of data that display in the Sub-Form field grid of sub-form
Fields
records. To select fields for display, click in the Display Fields field and select
of fields in the Selected list display as the left-to-right order of fields in the Sub-
Form field table.
Sorting Create one or more conditions:

1. In the Order column, select the order in which you want the results to be
displayed.
To create additional conditions, click Add New.
2. In the Grouping column, select whether you want to enable or disable sorting for
the user.
If you created more than one condition, you can apply advanced logic to your search
criteria.

9. In the Configuration section, select the selection and display rules.

Option Description
Minimum Specifies the minimum number of selections (from none to 20 selections) that
Selections a user can select in the Dropdown, Checkboxes, Listbox, or Values Popup
display control.
Maximum Specifies the maximum number of selections (from none to 20 selections) that
Selections a user can select in the Dropdown, Checkboxes, Listbox, or Values Popup
display control.
Field Edit Specifies whether users can edit and delete all records or only the records
Settings that they entered in the sub-form field.
l Edit Own Records - Allows users to edit or delete entries that they have
made in the sub-form field.
l Edit All Records - Allow users to edit or delete any entry in the sub-form
field, regardless of who enter it.
Field Designates specific users and groups as field administrators for the sub-form
Administrators or voting field, enabling them to edit and delete any entry made in the field,
you must select those users and groups.
To select the user and groups, click and from the Available list, and then
select the users and groups that you want to designate as field administrators
for the sub-form field.
The create, read, update, and delete rights available to a field administrator
are dependent on the rights that are in place for the parent object, such as an
application or a questionnaire.
If the parent object has only create and read rights, for example, the sub-form
field in that object is restricted to those same rights.
Default Determines the number of cross-referenced records that display in the grid
Records and is only available when the display control is set to Grid. If this option is
Display selected, only the first designated number of records are displayed. For
example, when this option is set to 10, only the first 10 records display in the
grid. If the number of records exceeds the default display number, a View All
link is displayed. A user can click this link to view all of the associated
records.


Adding Text Fields

The Text field type accepts both alphabetic and numeric entries. It can display to users as either a
one-line text field or a multi-line (scrolling) text area. If the field is a text area, you can specify the
height (in lines) for the control. In addition, a text field with the text field display control (not text
area) can display to end users as a masked text field, allowing them to enter data in a defined
format.
By default, entries in the text field are not restricted. However, when configuring this field type, you
can choose to set a maximum character length for entries. In addition, you can restrict users from
entering a value in the text field that is identical to a value entered in another record within the
application, thereby ensuring that all values in the text field are unique.
A text field can also be configured as a calculated field. When this option is enabled, you can
specify a formula for dynamically computing the value of the field.
Example: Using a text field as a calculated field

Create the following formula to populate the Text field with the value "High Risk" or "Low Risk"
depending on another value of the field within the record:
IF([Exposure Rating] >=10, "High Risk", "Low Risk")
The calculated field displays as read-only for all application users, and its value updates each time
the field recalculates.
You can encrypt text fields. For more information about encrypting fields, see Encrypting Data.
Add a text field

1. Go to the Fields tab of the application to which you want to add a text field.

2. Click Add New.


l To add a new field, click Create a new Field from scratch, and click Text from the Basic
Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the text field you
want to copy.
Encrypting Data.
5. Click OK.
8. In the Display Control section, select the display options for the text field.
9. In the Options section, determine the behavior and validation rules of the text field.
10. In the Configuration section, specify the format and default value for the text field.

Adding Tracking ID Fields

The Tracking ID field type is automatically populated with a value that uniquely identifies a record.
By default, the tracking ID is a numeric value. You can also specify a static prefix and/or suffix
string to be used in conjunction with the system-generated tracking ID number. For example, if you
specify "ABC-" for the prefix and "-XYZ" for the suffix, the application could generate the
following tracking ID number: ABC-447632-XYZ.
The following table describes Tracking ID field type configuration options.
Option Description
System ID A sequential tracking ID that is generated based on the number of records in all
applications.
Application A sequential tracking ID that is generated based on the number of records in the
ID application. If you select this option, the tracking ID values for individual records is
based on the order in which they were added.

Example: Tracking ID field configured with Application ID

You have two applications, each with this option enabled, and add four records, two for each
application. The tracking ID values represent the order in which a record was added to the individual
application, not the order in which it was added to RSA Archer database.
With the tracking ID configured with Application ID, it is possible for records in separate
applications to have matching tracking ID values.
l If you select this option for Tracking ID fields in leveled applications, the tracking ID value is
based on the order the record was added in the context of the entire application, not a specific
level. For example, if you were to add a record to the top-level application, add a record to the
second-level and then add another record to the top-level application, the records in the top level
have tracking ID values of 1 and 3 respectively.
l If you select this option for Tracking ID fields in sub-forms, the tracking ID value is based
relative to the individual sub-form field.
Example: Tracking ID configured for sub-forms

For example if you have one sub-form that is referenced by sub-form fields from separate
applications, each sub-form field in an application generates its own series of tracking ID values, as
shown in the following figure.

Add a tracking ID field

You can add a tracking ID field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add a tracking ID
field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Tracking ID from the
l To add a field from an existing field, click Copy an existing Field and select the tracking ID
Option Action
Key Designates the field as the key field of a record. You must designate one field in the
Field application as the key field, but can only designate one field as the key field. You
can select the key field values in search results, and users can click the values to
open individual records. A key field must be on the page layout of the application.
After saving the field, you can only clear this checkbox by selecting another field as
the key field in the application. Selecting this option automatically selectsthe

6. In the Configuration section, select the options for generating identification numbers and whether
the ID has a prefix or suffix.
Option Description
example, entering "miles" labels the field value as a measurement of distance.
For the tracking ID, you enter "XYZ" in this field. The tracking ID value for a
record displays "123456XYZ."
System ID Specifies whether the tracking ID is generated based on the number of records in
all applications.
Application Specifies that the tracking ID is generated based on the number of records in the
ID application.
You can change the tracking ID type later; however, the keyword search index
for all records in the application must then be rebuilt.
During the index rebuild, keyword search results may be inaccurate, and frequent
index rebuilds can impact system performance. For more information on
rebuilding the keyword search index, see "Rebuild All Indexes" in the
RSA Archer Control Panel Help.

Adding User/Groups List Fields

The User/Groups List field type is a specialized values list field that allows users to select users or
groups. You must select at least one user or group to display in the values list for the user/groups list
field. The users and groups from which you can choose are those that have been defined in the
Access Control feature.

You can grant record-level permissions and populate the field with users and groups. It is, however,
important to remember that you can:
l Restrict the list of groups that display as available selections in the field by selecting the Auto
Restrict Groups option. This option limits the groups that are available for selection to only those
groups for which the user is a member.
Example: Restricting groups from selection lists
You select the Sales, Marketing, and Management groups as available selections in the field. If a
user adds a record in the application and that user is a member of only the Marketing group, the
Marketing group is the only group available to that user for selection in the User/Groups List
field.
l Exclude inactive users from selection so they do not appear in a user or group list.
Note: You can convert a user/groups list field to a record permissions field to limit record access to
only those users or groups selected in the field.
You can add a user/groups list field to an application or questionnaire.
Add a user/group list field

1. Go to the Fields tab of the application or questionnaire to which you want to add a user/groups
list field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click User/Groups List from
the Basic Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the user/groups
list field you want to copy.
4. Click OK.

7. In the Display Control section, select the option for displaying the field.
Display
Description
Control
Buttons
Boxes
8. In the Options section, select the behavior and validation rules for the user/groups list field.
Option Action
application.

Option Action
Bulk
Update

Inline Edit
9. In the Configuration section, specify the values for the minimum and maximum number of
selections.
Option Description
control.
control.
10. In the Field Population section, select the users and/or groups for populating the user/groups list
field.


Option Description
Available Selects the groups or users that you want to place in a field.
Users/Groups l Record Creator. Adds the user who is adding or editing the record.
l Individual Groups and Users. Adds individual groups and users.

l All Groups. Adds all groups from the Available List.
l All Users. Adds all users from the Available List.
l Find Bar. Searches for users or groups.
Show Users Enables the end-use to expand groups within a field to view the users in that
group.
Default Designates a group or record creator as the default value for a field. When
users add new records, the default values are automatically selected in the
field.
Cascade Applies group selections to sub-groups in the User/Groups list. If Cascade is

selected for a group that contains sub-groups, those sub-groups will be
available for selection in the User/Groups List field.
If a user selects only the parent group, sub-groups nested beneath that parent
group are not included in the selection. Only individual users who are members
of the selected parent group are included in the selection.
Auto-Restrict Limits the groups that are available for selection to only those groups for which
Groups the user is a member.
For example, you select the Sales, Marketing, and Management groups as
available selections in the field. If a user adds a record in the application and
that user is a member of only the Marketing group, the Marketing group will be
the only group available to that user for selection in the User/Groups List field.
Default to Includes only the groups for which the default selection is the record creator.
Creator Only groups that are defined as available values for this field can be selected
Groups by default.
Exclude Excludes inactive users whose user status is no longer active and whose
Inactive access is revoked.
Users


Adding Values List Fields

Values lists include the values that users are allowed to select from in a values list, matrix, or cross-
application status tracking field.
1. Go to the Fields tab of the application to which you want to add a Values List field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Values List from the
l To add a field from an existing field, click Copy an existing Field and select the values list
4. Click OK.
7. In the Display Control section, select the option for displaying the field:

Display
Description
Control
Buttons

Display
Description
Control
Boxes
behavior:
Options

Option Action
application.
Bulk
Update

Option Action

Inline Edit

l Days = 1 day
l Months = 30 days
l Years = 365 days
to the Options tab.
9. In the Configuration section, specify the minimum and maximum number of selections a user can
make.


Option Description
control.
control.

Adding Voting Fields

The Voting field type allows users to rank a record in two ways. A Total Votes tally allows users to
vote for or against a content record. Each vote is assigned a weight as determined by the field
administrator. The field shows the total votes for the record. An Average Votes tally allows user to
rate the record based on a range of 1 to 5. All votes are averaged to determine the overall rating,
which is reflected in the field.
By configuring voting reset rules, you can determine when the votes in the voting field should be
reset, if at all. Both field options provide the ability for a defined set of users. You can allow Field
Administrators to view a detailed report when each user voted on the content along with the rating
provided. This field provides access to the Voting Field Detail report. This report lists the user,
email address, date, and rating for the field.
You can add a voting field to an application or questionnaire.
1. Go to the Fields tab of the application or questionnaire to which you want to add a voting field.

.
2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Voting from the Basic
Field Type list.
l To add a field from an existing field, click Copy an existing Field and select the voting field
you want to copy.
4. Click OK.
7. In the Options section, select the options for including the field in search results and behavior
rule.
Option Action
Default not prevent users from removing the field from the Search Results page. Users can
Field click Modify in the toolbar and remove the field from the Fields to Display section
of the application Search Records page.
Validate Designates that a field is validated whenever any value changes in a record. If the
Always Validate Always option is not selected, this field validates only when the value in
that field has changed.
8. In the Configuration section, specify the tally and weight options for the voting field.


Option Description
Vote Tally Specifies whether the results should display a total number of votes cast or an
average of the ratings provided by end users.
Vote Weight Specifies how much each vote is worth. For example, if the Vote Weight is
"10" and ten users have submitted a vote, the total value displayed would be
"100."
Field Designates specific users and groups as field administrators for the sub-form
Administrators or voting field, enabling them to edit and delete any entry made in the field,
you must select those users and groups.
To select the user and groups, click and from the Available list, and then
select the users and groups that you want to designate as field administrators
for the sub-form field.
The create, read, update, and delete rights available to a field administrator
are dependent on the rights that are in place for the parent object, such as an
application or a questionnaire.
If the parent object has only create and read rights, for example, the sub-form
field in that object is restricted to those same rights.
9. In the Voting Reset Rules section, enter the rules for purging recorded votes. If you do not set
the voting reset rules, votes are never purged.
The following table describes filter criteria. Each row represents one set of filter criteria.
Option Description
Field to Specifies values to create a condition by selecting the field to evaluate.

Evaluate
Operator Provides the filter that evaluates the field in the creation of a condition. The
available operators depend on the type of field selected in Field to Evaluate.
Value(s) Opens the Record Lookup, which enables users to choose which value or values
to add to the condition.
Relationship Connects two or more conditions together. If you add more than one condition,
you can apply advanced logic to your search criteria.
Actions Removes all data inputted when is clicked.

Option Description
Advanced Forms relationships between two or more conditions.

Operator
Logic

Adding Field-Level Help

Field-level Help provides additional guidelines and instructions to ensure users enter appropriate
information in the field. This Help text displays for users when they add, edit, and view records in
the application where the field resides. Configure field-level Help to display above or below the
field, as a tool tip (mouse over), or in a pop-up window that users can open by clicking .
The following table describes how the Help is displayed based on the mode the user is in when
accessing it.
Mode Description
Edit Help is displayed for users when they add or edit a record in the application where
the field resides.
View Help is displayed for users when they view a saved record in the application where
the field resides.
Edit and Help is displayed for users when they add, edit, or view a record in the application
View where the field resides.
Help is displayed for users when they add, edit, or view a record in the application
where the field resides.
Note: You can also create field-level Help using text boxes in an application layout. Text boxes
provide instructions or additional information that appears above, below, or beside a field when users
add, edit, or view records in an application.

Field-level help text

Field-level help text contains the actual text that is displayed for the field. Consider the following
general guidelines when writing field-level Help:
l Use short, concise instructions that direct the user to take a specific action. For example, "Enter
your name" is preferable to "This field is used to enter your name."
l Use complete sentences whenever possible.
l Avoid jargon (unless terms are critical and are familiar to your users).
l Consider the technical aptitude of your audience, and author your help text at a corresponding
level.
l Use “you” and “your” as if you are speaking directly to the user.
l Consider posing Help text in the form of a question, for example, "What is your level of interest?"
View and edit display options

The View Display Options and Edit Display Options determine where the help text appears in the
View and Edit modes.
The following table describes display options.
Options Description
None Help text does not display.
Above Help displays above the field in edit and view modes.
Below Help displays below the field in edit and view modes.
Tooltip Help displays as a tool tip (mouse over) on the field name in edit and view modes.

Options Description
Icon Help icon displays beside the field in edit and view modes. Click this icon to display
the field Help. The application dynamically sizes of the Help box based on the number
of characters in the text.
Add field-level help

1. Click the Help Text tab of the field you are updating.

e. Select the field.
f. Click the Help Text tab.
2. In the Help Text field, enter instructional and descriptive text for the field.
3. In View Display Options, select the behavior for displaying the help in View mode. See View
and edit display options.
4. In Edit Display Options, select the behavior for displaying the help in Edit mode. See View and
edit display options.
5. Click Apply.
Assigning Access Rights to a Field

Access rights determine whether all users or only select users or groups have access to the field.
The following table describes public and private permissions.
Option Description
Public Public fields are available to all end users. If a certain field is configured as private,
users who do not have rights to the field cannot view it when adding, editing, or viewing
records in the application.
Private Private fields are only available to the users and groups to which you grant access rights.

1. Go to the Fields tab of the application, questionnaire, or sub-form that contains a field to which
you want to assign an access role.

b. Under Application Builder, click Applications, Questionnaires, or Sub-Forms.
2. Click the field to which you want to assign an access role.

3. Click the Access tab.
4. In Permissions, select Public or Private.
l If you selected Public, go to step 8.
l If you selected Private, continue at the next step.
6. In the Available list, select the groups and user to which you want to assign field-specific
permissions.
7. In the Selected list, do one or more of the following:
l Click the Full Access checkbox for the user or group to grant full access rights (read and edit)
for the field to a user or group.
l Clear the Full Access checkbox for the user or group to limit access to a read-only status.
l Click the Cascade checkbox for the user or group to extend access rights to sub-groups of a
selected group.
Identifying Field IDs
Identifying the Field ID of a field

For Archer Error logs, it is important to know the Field ID referenced in the error.
1. From the menu bar, click .

2. Under Application Builder, click Applications.
3. Click on the application in which you want to obtain the Field ID.

4. Select the Fields tab.

5. Hover your mouse over the field in which you want the Field ID.
6. Note the Field ID in the bottom right of the screen.
Identifying the Field GUID of a field

A Field GUID is a unique identifier that distinguishes the field from every other object in the
system, regardless of type. Some processes in RSA Archer require you to know the Field GUID.

2. Under Application Builder, click Applications.
3. Click on the application in which you want to obtain the Field GUID.
4. Select the Fields tab.
5. Click on the field in which you want the Field GUID.
6. In the ID field, note the Field GUID.
Identifying the Field GUID of all fields in an application

2. Under Integration, select Obtain API Resources.
3. Click Generate API Code.
4. In the Application drop-down, select the application in which you want to obtain the Field
GUIDs.
5. Note the Field GUIDs. For example:
public static readonly Guid Application_ID = new Guid("xxxxxxxx-xxxx-xxxx-xxxx-
xxxxxxxxxxxx");
Changing the Field Status to Inactive

When a field is no longer needed but you do not want to delete it, you can change its status from
active to inactive.

The following table describes active and inactive field statuses.

Field
Description
Value
Active Active fields display when users add, edit, and view records in the application.
Active fields can be referenced in record searches, calculated field formulas, and data
driven events.
By default, the field status is Active.
Inactive Inactive fields are not displayed in any application record and cannot be referenced by
other options in RSA Archer.
Change the field status to Inactive

1. Go to the Fields tab of the field you want to inactive.

2. Select the field you want to inactivate and go to the General Information section under the
General tab.
3. In the Status field, select Inactive.
Deleting Fields
You can delete a basic or advanced field type from an application. Deleting a field also deletes all
data previously stored in that field. You cannot delete the key field from an application. To delete a
field designated as the application key field, you must first designate another field as the key field.
When you delete a field that has trending enabled, all trending data associated with the field is
deleted. An asynchronous cleanup job that runs once per day removes both expired trended data and
any trended data for fields that the user has disabled trending. After deleting the field, the trending
chart related to the field is replaced with a Placeholder layout object with the same span properties
on the application layout.

Note: When you delete a system field type (First Published Date, Last Updated Date, Record
Status, Related Records, or Tracking ID), the field is deleted but the data is still stored in
RSA Archer.
Note: You cannot delete a field that is used in an advanced workflow.
1. Go to the Fields tab of the application in which you want to delete a field.

2. Click the row and view the description of the field that you want to delete.
3. Click for that field. A Warning dialogue box opens.
Note: Some fields in RSA Archer applications may be locked, allowing administrators limited
access. If no is displayed, that field is locked and cannot be deleted. RSA strongly advises
against deleting a Tracking ID field even if is displayed. By default, a Tracking ID is the key
field for a record, and deleting it could impact related records.
4. Click OK.
Enabling Fields for On-Demand Bulk Actions

For on-demand bulk actions, fields must be individually enabled for bulk actions. Depending on the
field type, you can enable a field for bulk update, bulk create reference, or both.
Note: Scheduled bulk actions do not require that you enable fields in advance.
You can enable the following field types for on-demand bulk updates:
l Text
l Date / Time
l User / Group
l Values List
l Numeric
l Cross-Reference / Related Record

You can enable the following field types for on-demand bulk create references:
l Cross-Reference
l Related Record
Enable fields for bulk actions

1. Go to the Options tab of the field that you want to update.

e. Select the field that you want to update.

o To allow users to update the field in bulk, select Enable Bulk Update.
o To allow users to create new referenced records from the field in bulk, do the following:
a. Select Enable Bulk Create.
A Bulk Create Configuration section displays below.
b. In the Bulk Create Configuration section, select which fields should be displayed when a
user initiates an on-demand bulk create from the search results.
Note: For leveled applications, you must select which fields to display for each level.
Note: Required fields from the referenced application are displayed automatically and
cannot be removed.
3. Save the field.

4. Save the application.

Encrypting Data
RSA Archer allows you to encrypt the following field types in an application:
l Attachment
l Date
l IP Address
l Image
l Numeric
l Text
The purpose of encryption is to protect sensitive data in the database and the file repository.
Encrypted field data is stored in the Encrypted folder in the file repository. When you encrypt a field,
all data in that field, whether in the record or through a data feed or import, is encrypted in the
database. Encrypted fields display data in the record as normal text. Files and images associated
with encrypted attachment and image fields are decrypted when downloaded. You can encrypt new
and existing fields.
The following table shows how encrypted fields affect other functionality in the application or
RSA Archer.
Related
Impact
Area
Calculations You cannot reference encrypted fields in a calculated field.

You can calculate encrypted fields.
Data If the incoming data targets an encrypted field, the data will be stored in the
feeds/imports database in an encrypted format. Archer to Archer data feeds support encrypted
attachments and images. When encrypted files are exported from an instance, they
are unencrypted. If the target instance has encryption enabled, the files are
encrypted. If the target instance does not have encryption enabled, the files are not
encrypted.
History log History logs are kept for encrypted fields.
Search Encrypted fields are not supported.

(global
search)
Advanced Encrypted fields support only Equals and Does Not Equal filters. Encrypted fields
search filters cannot perform statistical search operations, for example Group By and Count.
Layout rule Encrypted fields are supported for all standard field filter options in a layout rule.
filters

Related
Impact
Area
Record Only the filter options Equals, Does Not Equal, Field Value Match, and Field
Lookup Value Does Not Match are available for encrypted fields.
Configuration
RSA Archer Encrypted fields are not supported.

Mobile
application
RSA Archer Encrypted fields are not supported.

BCM mobile
application
Offline sync You cannot sync an application with encrypted fields offline.
Subscription Only the filter options Equals, Does Not Equal, Field Value Match, and Field
Notification Value Does Not Match are available for encrypted fields.
filters
Enable field encryption at the instance level

You must enable field encryption at the instance level in the RSA Archer Control Panel. For more
information, see "Enable Field Encryption for an Instance" in the RSA Archer Control Panel Help.
Note: If you do not first enable field encryption at the instance level, users receive the following
message when they try to encrypt a field:
Field encryption must be enabled in the RSA Archer Control Panel.

Troubleshooting field encryption

The following table describes how to troubleshoot field encryption.
Issue Cause Resolution
Encrypted fields do not display the The Key Encryption Verify whether the KEK is present
data. Key (KEK) for one on each of your Web Servers and
or more of your Services Servers and add the KEK
When a user logs in, the following instances is missing. wherever it is missing. For
message appears: Configuration instructions, see "Enable Field
error, some of the data may be Encryption for an Instance" in the
blank. Please contact your RSA Archer Control Panel Help.
administrator.
When the system administrator logs

in, the following message appears:
The encryption key is missing.
Please provide a new key in the
system. Dismiss?
The following message appears in

the error logs: Either Key
Encryption Key is missing or
inaccessible.
When editing an encrypted field,

you receive an unexpected error.
When the Configuration Service is

starting, the following message
appears: Key Encryption Key for
the following instances were either
missing or could not be accessed:
Instance1, Instance2.

Managing Field Encryption

Use this page to add a Key Encryption Key (KEK) in conjunction with encrypting the following
RSA Archer field types:
l Attachment
l Date
l IP address
l Image
l Numeric
l Text
Note: This feature is available only if you have selected Hardware Security Module as the key
store.
You can either upload a key that you have previously obtained, or you can generate the key within
RSA Archer.
Add a Key Encryption Key

1. Go to the Field Encryption page.

b. Under Field Encryption, click Key Management.
2. Click the KEK Expiration Date Calendar icon, and then select an expiration date from the
calendar.
l Click Generate KEK to generate the key within RSA Archer.
l Click Upload KEK, and then navigate to the key file for uploading.
4. After you have generated or uploaded the key, it appears in the Manage Keys grid.
Note: Only one key is valid at a time. If you create another key, RSA Archer disables the
previous valid one.

Calculated Fields
Calculated fields eliminate the tedious and potentially error-prone process of manually calculating
values. A calculated field is a configuration option that enables you to specify a formula for
dynamically computing a value for a text, numeric, date, or values list field. Calculated fields are
read-only for all users. RSA Archer populates the value of a calculated field based on the formula
that you build for a specific field. You must have ownership rights of the application, questionnaire,
or sub-form to create a calculated field.
Important: Dates and times are converted to Coordinated Universal Time (UTC) in the RSA
Archer database. As a result, dates and times in calculations are returned in UTC.
Essential terminology
The following table defines essential terminology for working with calculations.
Term Definition
Always A property of a calculated field that specifies that the field is always recalculated
(calculate) whenever content changes.
Asynchronous A process that runs independently in the background. Most calculations are
queued for re-calculation in an asynchronous job instead of inline on content save.
Content is updated when the job runs instead of immediately.
Calculate The means to update a calculated field inline while viewing or editing a record
Immediately that has a calculated field.
Execution The means of calculating the value of a calculated field. Calculations can be
executed inline or asynchronously.
Formula A built-in formula editor that contains a library of functions and operators. Use
Builder this tool to create formulas for calculated fields.
Marked Any content that has an outstanding calculation that needs to be recalculated. This
Content content is ‘marked’ for recalculation.
Examples of how your organization might use a calculated field:

l Calculating custom threat and severity ratings
l Comparing the values of two fields
l Creating custom tracking IDs
l Displaying the number of days remaining before a critical deadline
l Performing a calculation to be used in the calculation of another field

l Performing complex risk calculations based on the results of values in other fields
l Producing weighted risk scores for risk assessments
Example: Formula using the DATEDIF function

The following formula is used to determine the number of days between the date a record was last
updated and the date of a critical deadline:
DATEDIF([Last Updated Date],[Project Deadline])
When you use the DATEDIF function in your formula and reference the Last Updated Date and
Deadline fields in an application, the formula returns a value of 15 days in the calculated field for a
record if the Last Updated Date value for that record is 1/1/2015 and the Deadline value is
1/15/2015.
General behaviors
Formulas of calculated fields are allowed unrestricted access to data in all private fields, regardless
of the access rights configured for those fields.
Calculations are executed in the order that they are defined. Calculations that are dependent on other
calculations may not produce the intended results if they are not correctly sequenced. Consider the
calculation order to ensure correct calculations. The calculation order can be rearranged.
Calculations execute when a record is saved. RSA Archer determines whether changes in the record
warrant a recalculation of any associated calculated fields. If the update to the record does not
impact a specific calculated field, RSA Archer does not recalculate the value of that field. This
evaluation optimizes system performance and eliminates unnecessary calculations.
If no changes are committed to a record, calculated values in that record are not updated. At times,
though, business requirements may dictate that date-sensitive formulas be recalculated on a daily
basis. To meet this demand, RSA Archer facilitates recalculations through a recalculation scheduler.
Once an application has been placed on a recalculation schedule, RSA Archer automatically
refreshes the values of all calculated fields each day at the specified time. You can however
recalculate a specific field in an application, even if the changes in the record do not lead to an
updated calculated value.
Calculation behaviors in notifications

Notifications are not sent if changes only affect a calculated field when saved. If content changes
are made to other fields, notifications are sent.
Changes must be detected and recognized for notifications to be sent. For example, Field A is a
numeric field with the value of 5. A user changes this field to a value of 10, and then back to a value
of 5, and then saves. In this case, the notification is not sent because the actual value of the field did
not change. The original and ending field value is 5.

Use cases for calculated fields

The following table provides examples that show how calculated fields can be used to meet a variety
of business requirements.
Business
Description
Requirement
ID Generation Requirement: Create a unique record ID that combines a threat-type code, the
current date, and a counter value that is automatically incremented with each
new record. Always express the counter value using five digits; pad zeroes on
the value when necessary. Example: WORM-05232005-00019
Solution: Create a calculated text field that uses the following formula:
[Type Code] & “-“ & DATEFORMAT(TODAY( ), “mmddyyyy”) & “-“ &
NUMERFORMAT(CONTENTID( ), 0000#)
Scoring Requirement: Using key impact indicators, assign a priority score to a security
violation report. Do not display a raw numeric score. Instead, determine whether
the score falls within the High or Low priority range. Display a text value
indicating the final priority score. Example: High
Solution: Create a calculated Numeric field to compute the raw priority score.
Suppress the display of this field by removing it from the application layout, then
create a calculated text field that maps the raw score to a priority range. Display
the corresponding range name (High or Low) in the calculated text field. Use the
following formulas:
l Numeric Field: SUM([Current Impact], [Potential Impact], [LOB Impact]) *
[Violation Potential])
l Text Field: IF([Raw Score] <= 15, “Low”, “High”)
Date Requirement: Compute and display the number of days remaining before a
Countdown trouble ticket record reaches its promised resolution deadline. Example: 5 Days
Remaining
Solution: Create a calculated Text field that uses the following formula:
([Due Date] - TODAY( )) & “Days Remaining”
Complex/nested formulas
The formula for a calculated field can be dependent on the results of other calculations. It is very
likely that you may require complex and nested formulas. Use the following guidelines for these
cases:

Use the Always option of the Recalculation rules when a formula contains the NOW( ) or TODAY(
) functions, or user first name, last name, and middle name (Editor) parameters. When this option is
selected, fields are recalculated whenever content is saved regardless of content change. This option
adds processing overhead and can slow performance if used unnecessarily.
Using the Always option for any other purpose may result in cycles. This condition makes it more
difficult to find and to troubleshoot.
When using the DATEADD or DATEDIF function, the functions error when the Date field is
empty.
Adding Calculated Fields

The calculation formula is managed and configured as a field property of a numeric, text, date, or
values list field. You can build a formula for a calculated field that dynamically computes the field
value in individual records. Formula builder provides a library of functions (for example, IF,
ROUND, AVERAGE) and operators (for example, +, -, <=, and others) that you can use to build a
formula.
When you add a field to your formula, the field name is surrounded by brackets, for example, [field
name]. When a field is referenced in a formula, the value in that field is used to compute the
calculated field value in each record.
You can control the frequency of calculations and how error messages are communicated to end
users through calculation properties. These properties minimize unnecessary system activity. If an
update to a record does not impact a specific calculated field, the field is not recalculated.
Considerations when creating or modifying a formula for a calculated field

l Calculated-field formulas are allowed unrestricted access to data in all private fields, regardless
of the access rights configured for those fields.
l If a formula previously defined for a calculated field is altered, the user is prompted whether to
recalculate the field when saving the record.
l Values list fields that are configured to allow multiple selections can only be referenced in
formulas with the ISEMPTY, CONTAINS, and COUNT functions. If a formula uses functions
other than ISEMPTY, CONTAINS, or COUNT to reference a multi-select Values List field with
a Maximum Value setting greater than 1, the formula fails validation.
l If a comparison operator (=, <, >, <=, >=, <>) references a values list field that is configured to
allow multiple selections, the formula fails validation.
l Formulas for calculated fields that reside in a sub-form only are permitted to reference other
fields in the same sub-form. Calculated fields in a sub-form cannot reference fields that reside in
the parent application.

Task 1: Add a calculated field

1. Complete the process for adding a date, numeric, text, cross-reference, or values list field.
l Adding Cross-Reference Fields
2. In the Options section, select Calculated Field to display the Calculation Properties section.
Important: If you select Calculated Field and save this change for a field in which user-entered
values have already been entered, all values written to that field are deleted across all records in
the application and are replaced with calculated values. Conversely, if you clear the Calculated
Field checkbox for a field in which calculated values have already been saved, those calculated
values are retained in the database.
Task 2: Build the formula

Do one of the following based upon the type of calculated field you are adding:
Non Cross-Referenced Calculated fields

You can edit a formula directly in the Formula field or the function and operations to insert the
proper syntax.
1. In the Calculation Properties section, click Add Formula.
2. Scroll down to Functions & Operators, select the functions and operators (one at a time) that you
want to use in the formula.
l To include a field reference as a parameter for the formula, click the field in the Available
Fields list.
l To include a field-value reference from a Values List field as a parameter for the formula,
expand the appropriate field node in the Available Fields list and select the value. The value
is added to your formula within the "VALUEOF" function.
Note: If you select a field value to reference in your formula and that value is later modified
in the values list, the field-value reference in your formula is automatically updated to reflect
the modified value.

4. When you finish creating the formula, click Validate in the top-right corner of the formula.
If the validation process encounters an error in the formula, a message displays that describes
the error or alerts you that the formula contains an unknown error. The validation process only
identifies one error at a time, even if the formula contains multiple errors. If you get an error
message, correct the error and click Validate again. If you get another error message, correct
that error as well. Continue this process until the formula passes the validation process.
5. Click OK.
6. Click Apply.
Calculated Cross-Reference fields

Calculated cross-reference Matching Filters use dynamic filters to complete comparisons between
cross-reference records and related records. The calculation option is only available for those fields
that point to a questionnaire, a flat application, or a single level of a leveled application. For more
information, see the following topics.
l Dynamic Filters for Cross-Reference Fields
l Creating Dynamic Filters for Cross-Reference Fields
Consider the following when creating filters for calculated cross-references:

l Once you save a cross-reference field, you cannot change its calculated state. For example, a
cross-reference field cannot be changed to a calculated cross-reference after clicking the Apply
button.
l To save the field, there must be at least one filter defined in Matching Filters.
l Matching Filters and Additional Related Filters are defined on the cross-reference field. To add
or update calculations for the related record, you must edit the filters on the cross-reference field.
l Related records evaluate using the filters defined by their associated cross-reference record.
l Dynamic Filters for Cross-Reference Fields are used in Matching Filters to make comparisons.
l Additional Related Filters use non-field comparison operators, such as equals, contains, and
greater than. These filters refine Matching Filters using AND operational logic
l To learn more about the specific operators, see Report Object Operator Types for more
information.
Add a formula for a calculated cross-reference by following these steps:

1. Expand the Calculation Properties section.
2. In the Matching Filters section, use dynamic filters to compare fields from the cross-reference
record to the related record.

3. (Optional) Use Advanced Operator Logic to refine Matching Filters.

4. (Optional) In the Additional Related Filters section, refine the related records displayed.
5. (Optional) Use Advanced Operator Logic to refine Additional Related Filters.
6. Click Apply.
Task 3: Define the behavior and error handling rules for non cross-reference cal-
culated fields
Perform this step for calculated fields that do not include cross-references.
1. Go to the Calculation Properties section.
2. In the Recalculation field, select behavior for recalculating field values.
Field Description
As Formulas are recalculated when a dependent field in the formula changes.

Needed
Always Formulas are recalculated every time content is saved even though a field is not
referenced in the formula. Formulas that contain NOW ( ) and TODAY ( ) functions,
or user first name, last name, and middle name (Editor) parameters are recalculated
regardless of content change.

3. In the Error Handling field, select rules for handling errors.

Field Description
Display Displays the word Error as a link when a calculation error occurs. Users with the
Error appropriate access privileges can click the link to open the Calculation Error page
where the error is explained.
Use No Saves an empty value in the field when a calculation error occurs.
Value
Use Saves a specific value in the field when a calculation error occurs
Specific
4. Click Save.
Calculation Process
Formulas of calculated fields are recalculated whenever there is a change in the content of a field,
related field, or sub-form. Calculations are executed either through administrative or user functions.
The following table describes the administrative and user functions.
Function Action Execution
Administrative Calculations Administrator updates a formula of a calculated field and queues

queued in an an asynchronous job. This job runs during normal processing
asynchronous based on the number of jobs in the queue.
job
Calculations 1. Administrator schedules an asynchronous job to run a full

scheduled in module recalculation. The job is queued with all fields in the
an module for calculation.
asynchronous 2. Administrator schedules an asynchronous job for recalculation
job to run at a specified time. When job runs, all formulas with
NOW ( ) and TODAY ( ) functions and any calculated fields
set to Always recalculate are calculated.
User Calculations 1. User clicks the Recalculate button while viewing a record.
recalculated Content ‘marked’ for recalculation is recalculated.
inline 2. User clicks the Apply button without making a change.
Content ‘marked’ for recalculation is recalculated.
3. User clicks the Save button after making a change. Content is
saved and ‘marked’ content is recalculated.

Recalculation process
The following table describes how recalculations are processed. Recalculations are processed imme-
diately or through an asynchronous job.
Type Description
Immediate Calculations are triggered by a user saving a record that is either 'marked' or
changing a field that is used by a calculated field in the same level. 'Marked'
content is changed to an ‘unmarked’ status when a user saves that content.
An immediately applied calculation can be performed in a cross-referenced
application one level away.
For example, Application A is dependent on a calculated field in Application B.
Application B has a cross-reference relationship with Application A. When a
record is updated in Application B, its related record in Application A can be
recalculated immediately when the user returns to Application A and clicks Apply
or Save.
Related records are updated when a user initiates the recalculation or the
recalculation is updated through an asynchronous job.
l When updated by the user, the Last Updated field contains the identification of
the user who updated the record.
l When updated by an asynchronous job, the Last Updated field is not updated.

Type Description
Asynchronous Queued asynchronous jobs run based on the number of jobs in the job queue.
jobs Scheduled asynchronous jobs run at a specified time regardless of any current
activity on the record.
Calculations are queued in an asynchronous job in various ways.
l Change the formula of a calculated field, and select Yes to recalculate the
field.
l Change the weight of a question field.
l Change the order of calculations.
l Change the Recalculation option of a calculated field, and select Yes to
recalculate the field.
l Change the Error Handling option of a calculated field, and select Yes to
recalculate the field.
l Change the input mask on a text field that is referenced by a calculated field.
l Change the numeric attribute of a value in a Values List field that is referenced
by a calculated field.
l Change the Other text attribute of a value in a Values List field that is
referenced by a calculated field.
l Change the Correctness attribute of a value in a Questions Values List field
that is referenced by a calculated field.
Example: Triggers for recalculating
The following table describes example scenarios of triggers for recalculating.

1. Edit a record by changing a field that is tied to a calculated field in an application.
Scenario
2. Save the record.
1
Results: Any calculated field dependent on that change is recalculated immediately.
1. Edit a record that has a dependent field in a related application.

2. Drill into a cross-reference application.
Scenario 3. Change the dependent field in a related record.
2 4. Save the record.
Results: Recalculations for the dependent fields are queued in an asynchronous job and
is processed based on the number of jobs in the job queue.

Asynchronous job processing

When you change the formula of a calculated field and schedules the recalculation in an
asynchronous job, the content affected by this change has a status of ‘marked’ for recalculation.
When this condition exists, the following occurs:
l The asynchronous job is queued with all fields ‘marked’ for recalculation.
l The content is ‘marked’ for recalculation and can be recalculated immediately in View or Edit
mode.
l Any calculated field in the same level with the content status of ‘marked’ is reset and is no longer
‘marked’ for recalculation.
When you change the formula of a calculated field but does not schedule the recalculation in an
asynchronous job, the contents in this application affected by this change is not ‘marked’. When this
condition exists, the content status is updated by a user saving the change or by the asynchronous
job.
However, if you change one or more fields and only schedule an asynchronous job for one of the
fields, all fields ‘marked’ for recalculation are included in the asynchronous job.
Example: Asynchronous Job Queued
The following table describes an example scenario of an Asynchronous Job Queued.

There are four fields: Risk, Criticality, Controls, and Rating.
Risk is dependent on the value of Criticality.
Scenario SUM([Risk], [Criticality]).
Field Controls is dependent on the value of Rating.
IF(CONTAINS[Rating] “10”, RANK(REF([Controls] “5”)))
Administrator updates both formulas of the calculated fields and schedules an

Action 1
asynchronous job to recalculate the fields.
Formulas are updated in the applications.

Results
[Risk] and [Controls] are ‘marked’ for recalculation.
User with Read and Update permissions views the record in View mode.
Action 2
User notices message that content is not up to date and clicks Recalculate.
[Risk] is recalculated immediately, and the updated value is displayed.

Results
[Controls] is recalculated immediately, and the updated value is displayed.

Example: Asynchronous Job Not Queued
The following table describes an example of an Asynchronous Job Not Queued.

There are four fields: Risk, Criticality, Controls, and Rating. Risk is dependent on the
Scenario value of Criticality. SUM([Risk], [Criticality]). Field Controls is dependent on the value
of Rating. IF(CONTAINS[Rating] “10”, RANK(REF([Controls] “5”)))
Administrator updates both formulas of the calculated fields and does not schedule an
Action 1
asynchronous job to recalculate the fields.
Formulas are updated in the applications. [Risk] and [Controls] are not ‘marked’ for
Results
recalculation.
User with Read and Update permissions views the record in View mode. User is not
Action 2
notified that content is not up to date.
Results Contents of [Risk] and [Controls] are not updated.
Functions and Operators for Calculated Field Formulas

RSA Archer provides a library of functions and operators that you can use to build a formula.
l Date Functions
l Financial Functions
l Logical Functions
l Math Functions
l Statistics Functions
l System Functions
l Text Functions
l Arithmetic Operators
l Comparison Operators
l Text Concatenation
Date Functions
Important: Dates and times are converted to Coordinated Universal Time (UTC) in RSA Archer
database. As a result, dates and times in calculations are returned in UTC.
The following date functions produce dynamic values and to manipulate date information.

DATEADD Function
The DATEADD function increases or decreases a date/time value by a given number of date/time
units, such as days, hours or minutes.
Dates and times are converted to Coordinated Universal Time (UTC) in the RSA Archer database.
As a result, dates and times in calculations are returned in UTC.
Important: DATEADD always considers time, even if the referenced Date field is not configured
to show time information. If a literal date string is supplied that does not contain time, midnight will
be assumed.
Return Type: Date with time

Syntax: DATEADD(datetime_unit, increment, datetime)
In the above syntax, parameters in bold are required.
The following table describes DATEADD function parameters.
Parameter Description
datetime_ The date/time part that should be used as the interval for increasing or decreasing
unit the datetime parameter’s value. This parameter can be entered as DAY, HOUR or
MINUTE.
increment The number of date/time units that should be added to the datetime parameter’s
value. This parameter must be formatted as a positive or negative integer greater
than or equal to 1. (Decimal places are not supported.) If a positive number is
provided, the function adds the specified number of date/time units to the datetime
parameter’s value. If a negative number is provided, the function performs a
subtraction.
datetime The date/time value that should be increased or decreased by the specified number
of date/time units. This parameter should be formatted as a Date-field reference, for
example, [field name].
Examples:
The following table provides example formulas of the DATEADD function.
Formula Result
DATEADD(DAY, 10, [First Published]) 8/20/2010 7:21 AM

where the value of First Published is 8/10/2010 7:21 AM
DATEADD(HOUR, 6, [First Published]) 8/10/2010 1:21 PM


Formula Result
DATEADD(MINUTE, 30, [First Published]) 8/10/2010 7:51 AM

DATEDIF Function
The DATEDIF function calculates the number of days between two dates.
Important: DATEDIF always considers time in the comparison, even if the referenced Date field is
not configured to show time information. If a literal date string is supplied that does not contain time,
midnight will be assumed.
Return Type: Numeric

Syntax: DATEDIF(start_date, end_date, datetime_unit)
The following table describes DATEDIF function parameters.
start_date The starting date of the period. This date can be entered as a hard-coded value, for
example, 10/21/2010, or as a Date-field reference, for example, [date field name]. If
a hard-coded value is supplied, it must be wrapped in the DATETIMEVALUE
function. If time is supplied to DATETIMEVALUE in a date string, it must be in
24-hour clock format, for example, 14:25 represents 2:45 PM.
end_date The ending date of the period. This date can be entered as a hard-coded value (for
example, 10/21/2004) or as a Date-field reference (for example, [date field name]).
If a hard-coded value is supplied, it must be wrapped in the DATETIMEVALUE
function. If time is supplied to DATETIMEVALUE in a date string, it must be in
24-hour clock format, for example, 14:25 represents 2:45 PM.
datetime_ The granularity of the time information to be returned. This parameter can be
unit entered as DAY, HOUR or MINUTE. If the datetime_unit parameter is omitted,
DAY will be assumed. If DAY is specified, the difference will be calculated based
on 24 hour periods, rather than the day portion of the date value.

Examples:
The following table provides example formulas of the DATEDIF function.
Formula Result
DATEDIF(DATETIMEVALUE("10/21/2010"), [First Published]) 36

where the value in the First Published field for the record is 11/26/2010.
DATEDIF([First Published], [Last Updated], DAY) 0

where the value in the First Published field for the record is 11/26/2010 11:59 PM and the
value in the Last Updated field is 11/27/2010 12:01 AM.
In this example, the day difference is zero (0) because the two dates are not 24 hours
apart.
DATEDIF([First Published], [Last Updated], HOUR) 50

where the value in the First Published field for the record is 10/1/2010 8:05 AM and the
DATEDIF([First Published], [Last Updated], MINUTE) 147

where the value in the First Published field for the record is 10/1/2010 8:05 AM and the
DATEFORMAT Function
The DATEFORMAT function returns the supplied date in the format specified by the date mask.
Important: DATEFORMAT always permits full date and time formatting for the given Date field,
even if that field is not configured to display time information.
Return Type: Text

Syntax: DATEFORMAT(date, date_mask)
The following table describes DATEFORMAT function parameters.
date The starting date of the period. This date can be entered as a hard-coded value, for
example, 10/21/2010) or as a Date-field reference, for example, [field name].

date_mask The mask used for formatting the returned date. The date_mask parameter must be
enclosed in quotes.
Date masks used with the DATEFORMAT function can contain any combination of
the date elements.
The following table provides examples of possible

date part combinations.
Date Mask Return Example
M-d-yy h:mm tt 8-2-10 9:30 AM
MM.dd.yyyy 08.02.2010
MMMM d, yyyy HH:mm August 2, 2010 09:30
yyyy-MM-dd 2010-08-02
MMddyy 080210
The following separator characters are supported for date masks:

l space
l forward slash (/)
l hyphen (-)
l period (.)
l comma (,)
l colon (:)
Examples:
The following table provides example formulas of the DATEFORMAT function.
Formula Result
DATEFORMAT([First Published], "M/d/yyyy h:mm tt") 8/20/2010 7:21 AM

where the date-time value of First Published is 8/2010 7:21 AM.
DATEFORMAT([Last Updated], "M/d/yyyy HH:mm") 12/19/2010 14:51

where the date-time value of Last Updated is 12/19/2010 2:51 PM.

Formula Result
DATEFORMAT(NOW(), "h:mm tt") 5:12 AM

where the date-time value of NOW( ) is 8/6/2010 5:12 AM.
DATEFORMAT([Start], "hh:mm t") 06:48 P

where the date-time value of Start is 9/19/2010 6:48 PM.
DATEFORMAT([Stop], "H") 19
where the date-time value of Stop is 4/8/2010 7:00 PM.
DATEFORMAT([Logged], "m") 57
where the date-time value of Logged is 12/29/2010 3:57 PM.
DATETIMEVALUE Function
The DATETIMEVALUE function converts a literal date/time string to a serial number. The serial
number represents the number of whole and partial days that have elapsed since January 1, 1900.
Important: Dates and times are converted to Coordinated Universal Time (UTC) in the RSA
Return Type: Number (serial number representing date and time)

Syntax: DATETIMEVALUE(datetime_string)
This function only accepts dates in the US format (MM/DD/YYYY). In the above syntax,
parameters in bold are required.
The following table describes the DATETIMEVALUE function parameter.
datetime_ The literal date/time string value to be converted. This cannot be a field
string reference.
Examples:
The following table provides example formulas of the
DATETIMEVALUE function.
Formula Result
DATETIMEVALUE("10/02/2010") 40453
DATETIMEVALUE("10/02/2010 01:50") 40453.08

DAY Function
The DAY function returns an integer between 1 and 31, which represents the day of the month for
the specified date value.
Important: Dates and times are converted to Coordinated Universal Time (UTC) in the
RSA Archer database. As a result, dates and times in calculations are returned in UTC.

Syntax: DAY(date)
The following table lists the DAY function parameter.
date The date value to be evaluated in determining the day of the month. This parameter
should be formatted as a Date-field reference, for example, [field name].
Example:
The following table provides an example formula of the DAY function.
Formula Result
DAY([Logged]) 13
where the value in the Logged field is 7/13/2010 10:45 AM.
HOUR Function
The HOUR function returns an integer between 0 and 23, which represents the hour of the day for
the specified date value. Formula validation will fail for this function if the Time Information option
is not enabled for the Date field referenced in the date parameter.
Syntax: HOUR(date)
The following table describes the HOUR function parameter.
date The date value to be evaluated in determining the hour of the day. This parameter
Example:

The following table provides an example formula of the

HOUR function.
Formula Result
HOUR([Logged]) 14
where the value in the Logged field is 7/13/2006 2:45 PM.
MINUTE Function
The MINUTE function returns an integer between 0 and 59, which represents the minute of the hour
for the specified date value. Formula validation will fail for this function if the Time Information
option is not enabled for the Date field referenced in the date parameter.

Syntax: MINUTE(date)
The following table describes the MINUTE function parameter.
date The date value to be evaluated in determining the minute of the hour. This parameter
Examples:
The following table provides example formulas of the MINUTE function.
Formula Result
MINUTE([Logged]) 45
MINUTE([Patch Date]) 0
where the Patch Date field is a Date field that is not configured to accept time entry.
MONTH Function
The MONTH function returns an integer between 1 and 12, which represents the month of the year
for the specified date value.


Syntax: MONTH(date)
The following table describes the MONTH function parameter.
date The date value to be evaluated in determining the month of the year. This parameter
Example:
The following table provides an example formula of the MONTH
function.
Formula Result
MONTH([Logged]) 7
MONTHNAME Function
The MONTHNAME function returns the name of the month for the supplied date value. The return
value is the full name, not an abbreviation.

Syntax: MONTHNAME(date)
The following table describes the MONTHNAME function parameter.
date The date value to be evaluated in determining the month of the year. This parameter
Example:


MONTHNAME function.
Formula Result
MONTHNAME([Due Date]) July

where the value in the Due Date field is 7/13/2010 2:45 PM.
NOW Function
The NOW function returns the current date/time. Each time a record is recalculated, the calculated
field displays an updated date/time value. The full timestamp is stored for the calculated Date field
even if the field is not configured to display time. If the Time Information option is later enabled for
the field, the time will be displayed as it was originally computed.
Internally, the NOW function returns a serial number that represents the number of whole and partial
days that have elapsed since January 1, 1900. From the user perspective, the value returned by the
NOW function displays differently depending on the type of field to which the value will be
returned.
Return Type: Varies based upon the type of field receiving the return value. See the examples
below.
Syntax: NOW( )
This function does not have any parameters.
Examples:
The following table provides example formulas of the NOW function. For these
examples, assume that the current date and time is October 2, 2010 at 1:46 a.m.
Field Type Formula Result
Numeric NOW( ) 40453.073611111
Date NOW( ) 10/02/2010 1:46 AM
Text DATEFORMAT(NOW( ),"M/d/yyyy h:mm tt") 10/02/2010 1:46 AM
QUARTER Function
The QUARTER function returns an integer between 1 and 4, which represents the calendar quarter
in which the specified date value falls.


Syntax: QUARTER(date)
The following table describes the QUARTER function parameter.
date The date value to be evaluated in determining the calendar quarter. This parameter
Example:
QUARTER function.
Formula Result
QUARTER([Due Date]) 4
where the value in the Due Date field is 12/15/2010 8:00 PM.
TODAY Function
The TODAY function returns the date value for the current date. Each time a record is recalculated,
the calculated field will display an updated date.
Internally, the TODAY function returns a serial number that represents the number of whole days
that have elapsed since January 1, 1900. From the user perspective, the value returned by the
TODAY function will display differently depending on the type of field to which the value will be
returned.
Return Type: Varies based upon the type of field receiving the return value. See the examples
below.
Syntax: TODAY( )
Examples:


TODAY function. For these examples, assume that the current date
and time is October 2, 2010 at 1:46 a.m.
Field Type Formula Result
Numeric TODAY( ) 40453
Date TODAY( ) 10/02/2010
Text DATEFORMAT(TODAY( ),"M/d/yyyy") 10/02/2010
WEEKDAY Function
The WEEKDAY function returns the day of the week for the supplied date value. The return value
is the full name, not an abbreviation.
Return Type: Text

Syntax: WEEKDAY(date)
The following table describes the WEEKDAY function parameter.
date The date value to be evaluated in determining the day of the week. This parameter
Example:
WEEKDAY function.
Formula Result
WEEKDAY([Due Date]) Wednesday

where the value in the Due Date field is 12/15/2010 8:00 p.m.
WEEKNUMBER Function
The WEEKNUMBER function returns a number that indicates the week in which a given date falls
for a calendar year beginning on January 1.


Syntax: WEEKNUMBER(date, week_start)
The following table describes WEEKNUMBER function parameters.
date The date value to be evaluated in determining the day of the week. This parameter
week_start Accepts the keyword SUNDAY or MONDAY to specify whether weeks should be
treated as beginning on Sunday or on Monday.
If no value is passed for this parameter, SUNDAY will be assumed.
Examples:
The following table provides example formulas of
WEEKNUMBER function.
Formula Result
WEEKNUMBER([Due Date]) 38
where the value in the Due Date field is 9/14/2008 (a Sunday).
WEEKNUMBER ([Due Date], SUNDAY) 38

WEEKNUMBER ([Due Date], MONDAY) 37

YEAR Function
The YEAR function returns the year corresponding to a date.

Syntax: YEAR(date)

The following table describes the YEAR function parameter.

date The date of the year that you want to find. This parameter can be entered as a hard-
coded date value, for example, "1/2/2010" or as a date-field reference, for example,
[date field name].
Example:
YEAR function.
Formula Result
YEAR([First Published]) 2010

where the value in the First Published field is 11/26/2010.
Date format descriptions

The following table describes date elements.
Date
Return Example
Element
M Displays the month as a number without a leading zero (Example: 1)
MM Displays the month as a number with a leading zero (Example: 01)
MMMM Displays the month as a full month name (Example: January)
d Displays the day as a number without a leading zero (Example: 5)
dd Displays the day as a number with a leading zero (Example: 05)
dddd Displays the day as a full name (Example: Monday)
yy Displays the year as a two-digit number (Example: 06)
yyyy Displays the year as a four-digit number (Example: 2006)
h Displays the hour as a one-digit or two-digit number based on a 12-hour clock format
(Example: 9)
hh Displays the hour as a two digit number (with a leading a leading zero, if necessary)
based on a 12-hour clock format (Example: 09)
H Displays the hour as a one-digit or two-digit number based on a 24-hour clock format
(Example: 13)

Date
Return Example
Element
HH Displays the hour as a two-digit number based on a 24-hour clock format (Example:
13)
m Displays the minute as a number without leading zeros (Example: 5)
mm Displays the minute as a number with leading zeros (Example: 05)
t Displays the one-letter AM/PM designator appropriate for the given time, regardless of
whether the time is based on a 12-hour or 24-hour clock. (Example: 1:00 P for 12-hour
clock; 13:00 P for 24-hour clock)
tt Displays the two-letter AM/PM designator appropriate for the given time, regardless
of whether the time is based on a 12-hour or 24-hour clock. (Example: 1:00 PM for 12-
hour clock; 13:00 PM for 24-hour clock)
Financial Functions
The following financial functions execute common calculations associated with the financial
industry.
DB Function
The DB function returns the depreciation of an asset for a specified period using the fixed-declining
balance method.
Syntax: DB(cost,salvage,life,period,month)
The following table describes the DB function parameters.
cost The initial cost of the asset.
salvage The value at the end of the depreciation (sometimes called the salvage value of the
asset).
life The number of periods over which the asset is being depreciated (sometimes called
the useful life of the asset).
period The period for which you want to calculate the depreciation. Period must use the
same units as life.

month The number of months in the first year. If month is omitted, it is assumed to be 12.
Examples:
The following table provides example formulas of the DB function.
Formula Result
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Years], Depreciation in first

[Month]) year, with only 7
Where the value in the Initial Cost field is 1,000,000, the value in the months calculated
Salvage Value field is 100,000, the value in the Lifetime in Years field is (186,083.33)
6, the value in the Period in Years field is 1, and the value in the Month
field is 7.
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Years], Depreciation in

[Month]) second year
Where the value in the Initial Cost field is 1,000,000, the value in the (259,639.42)
Salvage Value field is 100,000, the value in the Lifetime in Years field is
field is 7.
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Years], Depreciation in third

[Month]) year (176,814.44)
Where the value in the Initial Cost field is 1,000,000, the value in the
field is 7.
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Years], Depreciation in fourth

[Month]) year (120,410.64)
field is 7.

Formula Result
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Years], Depreciation in fifth

[Month]) year (81,999.64)
field is 7.
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Years], Depreciation in sixth

[Month]) year (55,841.76)
Ehere the value in the Initial Cost field is 1,000,000, the value in the
field is 7.
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Years], Depreciation in

[Month]) seventh year, with
Where the value in the Initial Cost field is 1,000,000, the value in the only 5 months
Salvage Value field is 100,000, the value in the Lifetime in Years field is calculated (15,845.10)
field is 7.
DDB Function
The DDB function returns the depreciation of an asset for a specified period using the double-
declining balance method or some other method that you specify. The double-declining balance
method computes depreciation at an accelerated rate. Depreciation is highest in the first period and
decreases in successive periods. DDB uses the following formula to calculate depreciation for a
period:
Min( (cost - total depreciation from prior periods) * (factor/life), (cost - salvage - total depreciation
from prior periods) )
Use the VDB function to switch to the straight-line depreciation method when depreciation is
greater than the declining balance calculation.
Return Type: Numeric. The results are rounded to two decimal places.
Syntax: DDB(cost,salvage,life,period,factor)

The following table describes DDB function parameters.

cost The initial cost of the asset. Must be a positive number.
asset). This value can be 0. Must be a positive number.
life The number of periods over which the asset is being depreciated (sometimes called
the useful life of the asset). Must be a positive number.
period The period for which you want to calculate the depreciation. Period must use the
same units as life. Must be a positive number.
factor The rate at which the balance declines. If factor is omitted, it is assumed to be 2
(the double-declining balance method). Change factor if you do not want to use the
double-declining balance method. Must be a positive number.
Examples:
The following table provides example formulas of the DDB function.
Formula Result
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in First day depreciation. Archer

Years]) automatically assumes that
where the value in the Initial Cost field is 2400, the value in the factor is 2. (1.32)
Salvage Value field is 300, the value in the Lifetime in Years
field is 10, and the value in the Period in Years field is 1.
DB([Initial Cost],[Salvage Value],[Lifetime in Months],[Period in First month depreciation

Months],[Factor]) (40.00)
where the value in the Initial Cost field is 2400, the value in the
Salvage Value field is 300, the value in the Lifetime in Months
field is 120, the value in the Period in Months field is 1, and the
value in the Factor field is 2.
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in First year depreciation

Years],[Factor]) (480.00)
where the value in the Initial Cost field is 2400, the value in the
Salvage Value field is 300, the value in the Lifetime in Years
field is 10, the value in the Period in Years field is 1, and the
value in the Factor field is 2.

Formula Result
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Second year depreciation

Years],[Factor]) using a factor of 1.5 instead
where the value in the Initial Cost field is 2400, the value in the of the double-declining
Salvage Value field is 300, the value in the Lifetime in Years balance method (306.00)
field is 10, the value in the Period in Years field is 2, and the
value in the Factor field is 1.5.
DB([Initial Cost],[Salvage Value],[Lifetime in Years],[Period in Tenth year depreciation.

Years]) Archer automatically
where the value in the Initial Cost field is 2400, the value in the assumes that factor is 2
Salvage Value field is 300, the value in the Lifetime in Years (22.12)
field is 10, and the value in the Period in Years field is 10.
FV Function
The FV function returns the future value of an investment based on periodic, constant payments and
a constant interest rate.
Syntax: FV(rate,nper,pmt,pv,type)
The following table describes FV function parameters.
rate The interest rate per period.
nper The total number of payment periods in an annuity.
pmt The payment made each period; it cannot change over the life of the annuity.
Typically, pmt contains principal and interest but no other fees or taxes. If pmt is
omitted, you must include the pv argument.
pv The present value, or the lump-sum amount that a series of future payments is worth
right now. If pv is omitted, it is assumed to be 0 (zero), and you must include the
pmt argument.
type The number 0 or 1 and indicates when payments are due. If type is omitted, it is
assumed to be 0.
l Set type equal to 0 if payments are due at the end of the period.
l Set type equal to 1 if payments are due at the beginning of the period.

Note: Be consistent about the units that you use for specifying rate and nper. If you make monthly
payments on a four-year loan at 12 percent annual interest, use 12%/12 for rate and 4*12 for nper. If
you make annual payments on the same loan, use 12% for rate and 4 for nper.
For all of the arguments, cash you pay out, such as deposits to savings, is represented by negative
numbers; cash you receive, such as dividend checks, is represented by positive numbers.
Examples:
The following table provides example formulas of the FV function.
Formula Result
FV([Annual Rate],[Number of Payments],[Payment Amount],[Present Future value of an

Value],[Payment Due Indicator]) investment with
where the value in the Annual Rate field is .06/12, the value in the Number of the given terms
Payments field is 10, the value in the Payment Amount field is -200, the value (2581.40)
in the Present Value field is -500, and the value in the Payment Due Indicator
field is 1.
The annual interest rate is divided by 12 because it is compounded monthly.
FV([Annual Rate],[Number of Payments],[Payment Amount]) Future value of an

where the value in the Annual Rate field is .12/12, the value in the Number of investment with
Payments field is 12, and the value in the Payment Amount field is the given terms
-1000. (12,682.50)
FV([Annual Rate],[Number of Payments],[Payment Amount], ,[Payment Due Future value of an

Indicator]) investment with
where the value in the Annual Rate field is .11/12, the value in the Number of the given terms
Payments field is 35, the value in the Payment Amount field is -2000, and the (82,846.25)
value in the Payment Due Indicator field is 1.
FV([Annual Rate],[Number of Payments],[Payment Amount],[Present Future value of an

Value],[Payment Due Indicator]) investment with
where the value in the Annual Rate field is .06/12, the value in the Number of the above terms
Payments field is 12, the value in the Payment Amount field is -100, the value (2301.40)
in the Present Value field is -1000, and the value in the Payment Due
Indicator field is 1.

IPMT Function
The IPMT function returns the interest payment for a given period for an investment based on
periodic, constant payments, and a constant interest rate.
Syntax: IPMT(rate,per,nper,pv,fv,type)
The following table describes IPMT function parameters.
per The period for which you want to find the interest and must be in the range 1 to
nper.

For all of the arguments, cash you pay out, such as deposits to savings, is
represented by negative numbers; cash you receive, such as dividend checks, is
represented by positive numbers.
right now.
For all of the arguments, cash you pay out, such as deposits to savings, is
represented by negative numbers; cash you receive, such as dividend checks, is
represented by positive numbers.
fv The future value, or a cash balance you want to attain after the last payment is
made. If fv is omitted, it is assumed to be 0 (the future value of a loan, for example,
is 0).
assumed to be 0.
l Set type equal to 0 if payments are due at the end of the period.
Note: Make sure that you are consistent about the units that you use for specifying rate and nper. If
you make monthly payments on a four-year loan at 12 percent annual interest, use 12%/12 for rate
and 4*12 for nper. If you make annual payments on the same loan, use 12% for rate and 4 for nper.
Examples:

The following table provides example formulas of the IPMT function.

Formula Result
IPMT([Rate],[Period],[Years of Loan],[Present Value]) Interest due in the first month for a

where the value in the Rate field is .10/12, the value in the loan with the terms given (-66.67)
Period field is 1, the value in the Years of Loan field is
3*12, and the value in the Present Value field is 8000.
The interest rate is divided by 12 to get a monthly rate. The
years the money is paid out is multiplied by 12 to get the
number of payments.
IPMT([Rate],[Period],[Years of Loan],[Present Value]) Interest due in the last year for a

where the value in the Rate field is .10, the value in the loan with the terms given, where
Period field is 3, the value in the Years of Loan field is 3, payments are made yearly (-292.45)
and the value in the Present Value field is 8000.
IRR Function
The IRR function returns the internal rate of return for a series of cash flows represented by the
numbers in values. These cash flows do not have to be even, as they would be for an annuity.
However, the cash flows must occur at regular intervals, such as monthly or annually. The internal
rate of return is the interest rate received for an investment consisting of payments (negative values)
and income (positive values) that occur at regular periods.
Syntax: IRR(values,guess)
The following table describes IRR function parameters.
values A reference (using the REF function) to fields that contain numbers for which you
want to calculate the internal rate of return. Note the following:
l Values must contain at least one positive value and one negative value to
calculate the internal rate of return.
l IRR uses the order of values to interpret the order of cash flows. Be sure to enter
your payment and income values in the sequence you want.
l If a reference field contains text, logical values, or empty cells, those values are
ignored.

guess A number that you guess is close to the result of IRR. Note the following:
l Archer uses an iterative technique for calculating IRR. Starting with guess, IRR
cycles through the calculation until the result is accurate within 0.00001 percent.
If IRR cannot find a result that works after 20 tries, an error value is returned.
l In most cases you do not need to provide guess for the IRR calculation. If guess
is omitted, it is assumed to be 0.1 (10 percent).
l If the result is not close to what you expected, try again with a different value for
guess.
IRR is closely related to NPV, the net present value function. The rate of return calculated by IRR
is the interest rate corresponding to a 0 (zero) net present value. The following formula demonstrates
how NPV and IRR are related:
NPV(IRR(B1:B6),B1:B6)
equals 3.60E-08 [Within the accuracy of the IRR calculation, the value 3.60E-08 is effectively 0
(zero).]
Examples:
The following table provides example formulas of the IRR function.
Formula Result
IRR([REF([Related Yearly Results],[Net Income])) Investment internal rate of

where Related Yearly Results is a cross-reference field to another return after five years (-
application. The other application has a field called Net Income 2%).
which contains the values -70,000, 12,000, 15,000, 18,000, 21,000
and 26,000.
IRR([REF([Related Yearly Results],[Net Income]),[Guess]) To calculate the internal

where Related Yearly Results is a cross-reference field to another rate of return after two
application. The other application has a field called Net Income years, you need to include
which contains the values -70,000, 12,000 and 15,000, and the value a guess (-44%).
in the Guess field is 0.10.
ISPMT Function
The ISPMT function calculates the interest paid during a specific period of an investment. This
function is provided for compatibility with Lotus 1-2-3.
For additional information about financial functions, see the PV function.

Syntax: ISPMT(rate,per,nper,pv)
The following table describes ISPMT function parameters.
rate The interest rate for the investment.
per The period for which you want to find the interest and must be in the range 1 to
nper.

Make sure that you are consistent about the units that you use for specifying rate and
nper. If you make monthly payments on a four-year loan at an annual interest rate of
12 percent, use 12%/12 for rate and 4*12 for nper. If you make annual payments on
the same loan, use 12% for rate and 4 for nper.
pv The present value of the investment. For a loan, pv is the loan amount.
The cash that you pay out, such as deposits to savings or other withdrawals, is
represented by negative numbers; the cash that you receive, such as dividend checks
and other deposits, is represented by positive numbers.
Examples:
The following table provides example formulas of the ISPMT function.
Formula Result
ISPMT([Rate],[Period],[Number of Years],[Loan Amount]) Interest paid for the first

where the value in the Rate field is 0.10/12, the value in the monthly payment of a loan
Period field is 1, the value in the Number of Years field is 3*12, with the given terms (-
and the value in the Loan Amount field is 8,000,000. 64814.8)
The interest rate is divided by 12 to get a monthly rate. The years

the money is paid out is multiplied by 12 to get the number of
payments.
ISPMT([Rate],[Period],[Number of Years],[Loan Amount]) Interest paid in the first year

where the value in the Rate field is 0.10, the value in the Period of a loan with the given terms
field is 1, the value in the Number of Years field is 3, and the (-533333)
value in the Loan Amount field is 8,000,000.
MIRR Function
The MIRR function returns the modified internal rate of return for a series of periodic cash flows.

MIRR considers both the cost of the investment and the interest received on reinvestment of cash.
MIRR uses the order of values to interpret the order of cash flows. Be sure to enter your payment
and income values in the sequence that you want and with the correct signs (positive values for cash
received, negative values for cash paid).
Syntax: MIRR(values,finance_rate,reinvest_rate)
The following table describes MIRR function parameters.
values A reference (using the REF function) to fields that contain numbers. These numbers
represent a series of payments (negative values) and income (positive values)
occurring at regular periods. Note that:
l Values must contain at least one positive value and one negative value to
calculate the modified internal rate of return. Otherwise, MIRR returns an error
value.
l If a reference argument contains text, logical values, or empty cells, those values
are ignored; however, cells with the value zero are included.
finance_ The interest rate that you pay on the money used in the cash flows.
rate
reinvest_ The interest rate that you receive on the cash flows as you reinvest them.
rate
Example:
The following table provides an example formula of the MIRR function.
Formula Result
MIRR(REF([Related Results],0.10,0.12)) Investment

where Related Yearly Results is a cross-reference field to another modified rate of
application. The other application has a field called Net Income which return after five
contains the values -120,000, 39,000, 30,000, 21,000, 37,000 and 46,000. years (13%)
NPER Function
The NPER function returns the number of periods for an investment based on periodic, constant
payments and a constant interest rate.
For a more complete description of the arguments in NPER and for more information about annuity
functions, see the PV function.


Syntax: NPER(rate, pmt, pv, fv, type)
The following table describes NPER function parameters.
pmt The payment made each period; it cannot change over the life of the annuity.
Typically, pmt contains principal and interest but no other fees or taxes.
right now.
fv The future value, or a cash balance that you want to attain after the last payment is
is 0).
type The number 0 or 1 and indicates when payments are due.

l Set type equal to 0 or omitted if payments are due at the end of the period.
Examples:
The following table provides example formulas of the NPER function.
Formula Result
NPER([Rate],[Payment],[Present Value],[Future Value], Periods for the investment with

[Payment Due]) the given terms (60)
where the value in the Rate field is 0.12/12, the value in the
Payment field is -100, the value in the Present Value field is -
1000, the value in the Future Value field is 10000, and the value
in the Payment Due field is 1.
NPER([Rate],[Payment],[Present Value],[Future Value]) Periods for the investment with

where the value in the Rate field is 0.12/12, the value in the the given terms, except
Payment field is -100, the value in the Present Value field is - payments are made at the
1000, and the value in the Future Value field is 10000. beginning of the period (60)

Formula Result
NPER([Rate],[Payment],[Present Value]) Periods for the investment with

where the value in the Rate field is 0.12/12, the value in the the given terms, except with a
Payment field is -100, and the value in the Present Value field is future value of 0 (-9.578)
-1000.
NPV Function
The NPV function calculates the net present value of an investment using a discount rate and a
series of future payments (negative values) and income (positive values).
The NPV investment begins one period before the date of the value1 cash flow and ends with the
last cash flow in the list. The NPV calculation is based on future cash flows. If your first cash flow
occurs at the beginning of the first period, the first value must be added to the NPV result, not
included in the values arguments.
NPV is similar to the PV function (present value). The primary difference between PV and NPV is
that PV allows cash flows to begin either at the end or at the beginning of the period. Unlike the
variable NPV cash flow values, PV cash flows must be constant throughout the investment. For
information about annuities and financial functions, see the PV function.
NPV is also related to the IRR function (internal rate of return). IRR is the rate for which NPV
equals zero: NPV(IRR(...), ...) = 0. See the IRR function.
Syntax: NPV(rate,value1,value2, ...)
The following table describes NPV function parameters.
rate The rate of discount over the length of one period.

value1,value2,... 1 to 254 arguments representing the payments and income. Note that:
l Value1, value2, ... must be equally spaced in time and occur at the end of
each period.
l NPV uses the order of value1, value2, ... to interpret the order of cash flows.
Be sure to enter your payment and income values in the correct sequence.
l Arguments that are numbers, empty cells, logical values, or text
representations of numbers are counted; arguments that are error values or
text that cannot be translated into numbers are ignored.
l If an argument is a reference, only numbers in that reference are counted.
Empty cells, logical values, or text in the reference are ignored.
Examples:
The following table provides example formulas of the NPV function.
Formula Result
NPV([Rate],[Values]) Net present value of this investment (1,188.44)

where the value in the Rate field is 0.10 In this example, you include the initial $10,000 cost
and the values in the Values field are - as one of the values, because the payment occurs at
10,000, 3,000, 4,200 and 6,800. the end of the first period.
NPV([Rate],[Values]) + (-40,000) Net present value of this investment (1,922.06)

where the value in the Rate field is 0.08 In this example, you do not include the initial
and the values in the Values field are $40,000 cost as one of the values, because the
8,000, 9,200, 10,000, 12,000 and 14,500. payment occurs at the beginning of the first period.
NPV([Rate],[Values],-9,000) + (-40,000) Net present value of this investment, with a loss in

where the value in the Rate field is 0.08 the sixth year of 9000 (-3,749.47)
and the values in the Values field are In this example, you do not include the initial
8,000, 9,200, 10,000, 12,000 and 14,500. $40,000 cost as one of the values, because the
payment occurs at the beginning of the first period.
PMT Function
The PMT function calculates the payment for a loan based on constant payments and a constant
interest rate. The payment returned by PMT includes principal and interest but no taxes, reserve
payments, or fees sometimes associated with loans.

Note: To find the total amount paid over the duration of the loan, multiply the returned PMT value by
nper.

Syntax: PMT(rate,nper,pv,fv,type)
The following table describes PMT function parameters.
rate The interest rate for the loan.
nper The total number of payment periods for the loan.
pv The present value, or the total amount that a series of future payments is worth now;
also known as the principal.
made. If fv is omitted, it is assumed to be 0 (zero), that is, the future value of a loan
is 0.
assumed to be 0.
Note: Make sure that you are consistent about the units you use for specifying rate and nper. If you
make monthly payments on a four-year loan at an annual interest rate of 12 percent, use 12%/12 for
rate and 4*12 for nper. If you make annual payments on the same loan, use 12 percent for rate and 4
for nper.
Examples:
The following table provides example formulas of the PMT function.
Formula Result
PMT([Rate],[Number of Payments],[Amount of Monthly payment for a loan with the given

Loan]) terms (-1,037.03)
where the value in the Rate field is 0.08/12, the
value in the Number of Payments field is 10, and the
value in the Amount of Loan field is 10000.

Formula Result
PMT([Rate],[Number of Payments],[Amount of Monthly payment for a loan with the given

Loan],[Future Value],1) terms, except payments are due at the
where the value in the Rate field is 0.08/12, the beginning of the period (-1,030.16)
value in the Number of Payments field is 10, the
value in the Amount of Loan field is 10000, and the
value in the Future Value field is 0.
PMT([Rate],[Years to Save],[Present Value],[Goal Amount to save each month to have 50,000

Amount]) at the end of 18 years (-129.08)
where the value in the Rate field is 0.06/12, the Note: The interest rate is divided by 12 to
value in the Years to Save field is 18*12, the value get a monthly rate. The number of years the
in the Present Value field is 0, and the value in the money is paid out is multiplied by 12 to get
Goal Amount field is 50000. the number of payments.
PPMT Function
The PPMT function returns the payment on the principal for a given period for an investment based
on periodic, constant payments and a constant interest rate.
Syntax: PPMT(rate,per,nper,pv,fv,type)
The following table describes PPMT function parameters.
rate The interest rate for the period.
per Specifies the period and must be in the range 1 to nper.
pv The present value— the total amount that a series of future payments is worth now.
made. If fv is omitted, it is assumed to be 0 (zero), that is, the future value of a loan
is 0.

assumed to be 0.
Note: Make sure that you are consistent about the units that you use for specifying rate and nper. If
you make monthly payments on a four-year loan at an annual interest rate of 12 percent, use 12%/12
for rate and 4*12 for nper. If you make annual payments on the same loan, use 12% for rate and 4
for nper.
Examples:
The following table provides example formulas of the PPMT function.
Formula Result
PPMT([Rate],[Period],[Number of Years of Loan], Payment on principle for the first month of

[Amount of Loan]) loan (-75.62)
where the value in the Rate field is 0.10/12, the Note: The interest rate is divided by 12 to
value in the Period field is 1, the value in the get a monthly rate. The number of years the
Number of Years of Loan field is 2*12, and the money is paid out is multiplied by 12 to get
value in the Amount of Loan field is 2000. the number of payments.
PPMT([Rate],[Period],[Number of Years of Loan], Principal payment for the last year of the
[Amount of Loan]) loan with the given terms (-27,598.05)
where the value in the Rate field is 0.08, the value
in the Period field is 10, the value in the Number of
Years of Loan field is 10, and the value in the
Amount of Loan field is 200,000.
PV Function
The PV function returns the present value of an investment. The present value is the total amount
that a series of future payments is worth now. For example, when you borrow money, the loan
amount is the present value to the lender.
Note: Make sure that you are consistent about the units you use for specifying rate and nper. If you
make monthly payments on a four-year loan at 12 percent annual interest, use 12%/12 for rate and
4*12 for nper. If you make annual payments on the same loan, use 12% for rate and 4 for nper.

The following functions apply to annuities:

l FV
l IPMT
l PMT
l PPMT
l PV
l RATE
An annuity is a series of constant cash payments made over a continuous period. For example, a car
loan or a mortgage is an annuity. For more information, see the description for each annuity function.
In annuity functions, cash you pay out, such as a deposit to savings, is represented by a negative
number; cash you receive, such as a dividend check, is represented by a positive number. For
example, a $1,000 deposit to the bank would be represented by the argument -1000 if you are the
depositor and by the argument 1000 if you are the bank.
Syntax: PV(rate,nper,pmt,fv,type)
The following table describes PV function parameters.
rate The interest rate per period. For example, if you obtain an automobile loan at a 10
percent annual interest rate and make monthly payments, your interest rate per
month is 10%/12, or 0.83%. You would enter 10%/12, or 0.83%, or 0.0083, into the
formula as the rate.
nper The total number of payment periods in an annuity. For example, if you get a four-
year car loan and make monthly payments, your loan has 4*12 (or 48) periods. You
would enter 48 into the formula for nper.
pmt The payment made each period and cannot change over the life of the annuity.
Typically, pmt includes principal and interest but no other fees or taxes. For
example, the monthly payments on a $10,000, four-year car loan at 12 percent are
$263.33. You would enter -263.33 into the formula as the pmt. If pmt is omitted, you
must include the fv argument.

is 0). For example, if you want to save $50,000 to pay for a special project in 18
years, then $50,000 is the future value. You could then make a conservative guess at
an interest rate and determine how much you must save each month. If fv is omitted,
you must include the pmt argument.
assumed to be 0.
Example:
The following table provides an example formula of the PV function.
Formula Result
PV([Rate],[Years Money Will Present value of an annuity with the terms above (-59,777.15).
Pay],[Payment], ,0) The result is negative because it represents money that you would
where the value in the Rate pay, an outgoing cash flow. If you are asked to pay (60,000) for
field is 0.08/12, the value in the annuity, you would determine this would not be a good
the Years Money Will Pay investment because the present value of the annuity (59,777.15) is
field is 20*12, and the value in less than what you are asked to pay.
the Payment field is 500.
Note: The interest rate is divided by 12 to get a monthly rate. The
years the money is paid out is multiplied by 12 to get the number
of payments.
RATE Function
The RATE function returns the interest rate per period of an annuity. RATE is calculated by
iteration and can have zero or more solutions. If the successive results of RATE do not converge to
within 0.0000001 after 20 iterations, RATE returns an error.
Syntax: RATE(nper,pmt,pv,fv,type,guess)

The following table describes RATE function parameters.

Note: Make sure that you are consistent about the units you use for specifying guess
and nper. If you make monthly payments on a four-year loan at 12 percent annual
interest, use 12%/12 for guess and 4*12 for nper. If you make annual payments on
the same loan, use 12% for guess and 4 for nper.
pmt The payment made each period and cannot change over the life of the annuity.
Typically, pmt includes principal and interest but no other fees or taxes. If pmt is
omitted, you must include the fv argument.
pv The present value — the total amount that a series of future payments is worth now.
is 0).
assumed to be 0.
guess Your guess for what the rate will be.

If you omit guess, it is assumed to be 10 percent.
If RATE does not converge, try different values for guess. RATE usually converges
if guess is between 0 and 1.
Note: Make sure that you are consistent about the units that you use for specifying
guess and nper. If you make monthly payments on a four-year loan at 12 percent
annual interest, use 12%/12 for guess and 4*12 for nper. If you make annual
payments on the same loan, use 12% for guess and 4 for nper.
Examples:

The following table provides example formulas of the RATE function.

Formula Result
RATE([Years of Loan],[Monthly Payment],[Amount of Loan]) Monthly rate of the loan with

where the value in the Years of Loan field is 4*12, the value in the the given terms (1%)
Monthly Payment field is -200, and the value in the Amount of
Loan field is 8000.
RATE([Years of Loan],[Monthly Payment],[Amount of Loan])*12 Annual rate of the loan with

where the value in the Years of Loan field is 4*12, the value in the the given terms (0.09241767
Monthly Payment field is -200, and the value in the Amount of or 9.24%)
Loan field is 8000.
SLN Function
The SLN function returns the straight-line depreciation of an asset for one period.
Syntax: SLN(cost,salvage,life)
The following table describes SLN function parameters.
asset).
life The number of periods over which the asset is depreciated (sometimes called the
useful life of the asset).
Example:
The following table provides an example formula of the SLN function.
Formula Result
SLN([Cost],[Salvage Value],[Years of Useful Life]) The depreciation

where the value in the Cost field is 30,000, the value in the Salvage allowance for each year
Value field is 7,500, and the value in the Years of Useful Life field is (2,250)
10.

SYD Function
The SYD function returns the sum-of-years' digits depreciation of an asset for a specified period.
Syntax: SYD(cost,salvage,life,per)
The following table describes SYD function parameters.
asset).
per The period and must use the same units as life.
Examples:
The following table provides example formulas of the SYD function.
Formula Result
SYD([Initial Cost],[Salvage Value],[Lifespan in Years],1) Yearly depreciation

where the value in the Initial Cost field is 30,000, the value in the allowance for the first year
Salvage Value field is 7,500, and the value in the Lifespan in Years (4,090.91)
field is 10.
SYD([Initial Cost],[Salvage Value],[Lifespan in Years],10) Yearly depreciation

where the value in the Initial Cost field is 30,000, the value in the allowance for the tenth
Salvage Value field is 7,500, and the value in the Lifespan in Years year (409.09)
field is 10.
VDB Function
The VDB function returns the variable declining balance of an asset for a specified period, including
partial periods. This function uses the double-declining balance method, or another method if you
specify.
Syntax: VDB(cost,salvage,life,start_period,end_period,factor,no_switch)

The following table describes VDB function parameters.

asset).
start_period The starting period for which you want to calculate the depreciation.
Note: The start_period must have the same units as the life parameter.
end_period The ending period for which you want to calculate the depreciation.
Note: The end_period must have the same units as the life parameter.
factor The rate at which the balance declines. If no factor is specified, the function will
assume a value of 2 (the double-declining balance method).
no_switch A logical value specifying whether to switch to straight-line depreciation when

depreciation is greater than the declining balance calculation.
If the value is "TRUE" the function will not switch to straight-line depreciation. If
the value is "FALSE" the function will switch to straight-line depreciation when the
depreciation is greater than the declining balance calculation.
Examples:
The following table provides example formulas of the VDB function.
Formula Result
VDB([Cost],[Salvage Value],[Years of Useful Life],0,1) 6000

where the value in the Cost field is 30,000, the value in the Salvage This is the first year
Value field is 7,500, and the value in the Years of Useful Life field is depreciation.
10.
VDB([Cost],[Salvage Value],[Years of Useful Life],2,3) 3840

where the value in the Cost field is 30,000, the value in the Salvage This is the depreciation
Value field is 7,500, and the value in the Years of Useful Life field is between years two and
10. three.
Logical Functions
The following logical functions evaluate an expression and return a specific result.

AND Function
The AND function evaluates logical conditions. If all of its conditions are TRUE, the function will
return TRUE. If one or more of its conditions is FALSE, the function will return FALSE. The AND
function must be used in conjunction with an IF function.
Return Type: TRUE or FALSE
Syntax: AND(logical1, logical2,...)
The following table describes AND function parameters.
logical1, Conditions that can be evaluated to TRUE or FALSE. This condition can be written
logical2, with any comparison operator (=, <, >, <=, >=, <>). An example of how this
and so on parameter might be formatted is [Field 1]>20.
Examples:
The following table provides example formulas of the AND function.
Formula Result
IF(AND([Age] > 1, [Age] < 50)) TRUE

where the value in the Age field is 35.
IF(AND([Severity] = 10, [Impact] > 7)) FALSE

where the value in the Severity field is 10 and the value in the Impact field is 3.
IF Function
The IF function evaluates a logical condition, and if the condition is TRUE, one value is returned. If
the condition is FALSE, another value is returned. The IF function can also be nested to construct
more elaborate tests, as shown in the following example:
IF([Rating]>15,"A", IF([Rating]>10,"B", IF([Rating]>5," C")))
For more information on nesting IF functions, see the fourth example in the "Examples" section
below.
Return Type: Text, numeric, date or a Values List field selection, depending on the type of data
supplied for the value_if_true and value_if_false parameters
Syntax: IF(logical_test, value_if_true, value_if_false)

The following table describes IF function parameters.

logical_test Any condition that can be evaluated to TRUE or FALSE. This condition can be
written with any comparison operator (=, <, >, <=, >=, <>). An example of how this
parameter might be formatted is [Field 1]>20.
value_if_ The value that is returned if the logical_test parameter is TRUE. This parameter can
true be formatted as a text string, such as "High Risk", or as a Values List field
selection, such as VALUEOF("Urgent"). The parameter can also be formatted as
another formula, such as SUM([Field 1],[Field 2]).
value_if_ The value that is returned if the logical_test parameter is FALSE. This parameter
false can be formatted as a text string, such as "Low Risk", or as a Values List field
selection, such as VALUEOF("Not Urgent"). The parameter can also be formatted
as another formula, such as SUM([Field 1],[Field 3]). If this parameter is omitted
from the formula and the logical_test parameter evaluates to FALSE, the calculated
field will return empty (no value).
Examples:
The following table provides example formulas of the IF function.
Formula Result
IF([Days Since Last Virus Scan] > 1, "High risk", "Low risk") High
where the value in the Days Since Last Virus Scan field is 3. risk
IF([Rating] = 10, "Follow up") The

where the value in the Rating field is 7. field
will
return
empty.
IF([Severity] >= 10, VALUEOF("Urgent"), VALUEOF("Not Urgent")) Urgent

where the value in the Severity field is 10.

Formula Result
IF([Rating] > 15, "A", IF([Rating] > 10, "B", IF([Rating] > 5, "C"))) B
where the value in the Rating field is 12.
Note: In this example of nested IF statements, the second IF statement serves as the
value_if_false parameter to the first IF statement, and the third IF statement serves as
the value_if_false parameter to the second IF statement. Because the value of the Rating
field in this example is 12, the first IF statement does not prove TRUE, so the second IF
statement is evaluated and, in this case, proves TRUE. If the value of the Rating field
were 8, the second IF statement would also prove FALSE, and the third IF statement
would be evaluated.
NOT Function
The NOT function evaluates a logical condition. If the condition is TRUE, the function returns the
value of FALSE. If the condition is FALSE, the function returns the value of TRUE. Use the NOT
function when you want to ensure that a value is not equal to one particular value.
Syntax: NOT(logical_test)
The following table describes the NOT function parameter.
logical_test Any condition that can be evaluated to TRUE or FALSE. This condition can be
written with any comparison operator (=, <, >, <=, >=, <>). An example of how this
parameter might be formatted is [Field 1]>20.
Examples:
The following table provides example formulas of the NOT function.
Formula Result
NOT([Rating] = 10) FALSE

where the value in the Rating field is 10.
NOT([Number of Clients in Attendance] > 20) TRUE

where the value in the Number of Clients in Attendance field is 12.

OR Function
The OR function evaluates logical conditions. If any of the condition evaluates to TRUE, the
function returns the value of TRUE. If none of conditions evaluate to TRUE, the function returns the
value of FALSE.
Syntax: OR(logical1, logical2,...)
The following table describes OR function parameters.
logical1, Conditions that can be evaluated to TRUE or FALSE. This condition can be written
logical2, with any comparison operator (=, <, >, <=, >=, <>). An example of how this
and so on parameter might be formatted is [Field 1]>20.
Examples:
The following table provides example formulas of the OR function.
Formula Result
OR([Risk] = 4, [Criticality] = 7) True (because one of the two parameters

where the value in the Risk field is 4 and the value in evaluated TRUE)
the Criticality field is 2.
OR([Risk] = 4, [Criticality] = 7) False (because both of the parameters

where the value in the Risk field is 9 and the value in evaluated FALSE)
the Criticality field is 5.
Math Functions
The following math functions manipulate numeric values through a variety of options.
ABS Function
The ABS function returns the absolute value of a number. The absolute value of a number is the
distance of a number from zero.
Syntax: ABS(number)

The following table describes the ABS function parameter.

number The number for which you want to return the absolute value.
Examples:
The following table provides example formulas of the ABS function.
Formula Result
ABS(-8) 8
ABS([Yearly Profit]) 1234

where Yearly Profit is a Numeric field with a value of -1234.
ACOS Function
The ACOS function returns the arccosine (inverse cosine) of an angle. The returned value is
expressed in radians.
Syntax: ACOS(number)
The following table describes the ACOS function parameter.
Number The cosine of the angle for which you want to determine the arccosine. The value
for this parameter must be between -1 and 1.
Examples:
The following table provides example formulas of the ACOS function.
Formula Result
ACOS(.5) 1.047198
ACOS([Angle Cosine]) .785398

where Angle Cosine is a Numeric field with a value of .707107.
ACOSH Function
The ACOSH function returns the inverse hyperbolic cosine of a number.

Syntax: ACOSH(number)
The following table describes the ACOSH function parameter.
Number The number for which you want to determine the inverse hyperbolic cosine. The
value for this parameter must be greater than or equal to 1.
Examples:
ACOSH function.
Formula Result
ACOSH(1) 0
ACOSH([Number]) 2.292432
where Number is a Numeric field with a value of 5.
ASIN Function
The ASIN function returns the arcsine (inverse sine) of an angle. The returned value is expressed in
radians.
Syntax: ASIN(number)
The following table describes the ASIN function parameter.
Number The sine of the angle for which you want to determine the arcsine. The value for
this parameter must be between -1 and 1.
Examples:
ASIN function.
Formula Result
ASIN(.5) .523599
ASIN([Angle Sine]) 1.570796

where Angle Sine is a Numeric field with a value of 1.

ASINH Function
The ASINH function returns the inverse hyperbolic sine of a number.
Syntax: ASINH(number)
The following table describes the ASINH function parameter.
Number The number for which you want to determine the inverse hyperbolic sine. The value
for this parameter must be greater than or equal to 1.
Examples:
ASINH function.
Formula Result
ASINH(1) .881374
ASINH([Number]) 2.312438
where Number is a Numeric field with a value of 5.
ATAN Function
The ATAN function returns the arctangent (inverse tangent) of an angle. The returned value is
expressed in radians.
Syntax: ATAN(number)
The following table describes the ATAN function parameter.
Number The tangent of the angle for which you want to determine the arctangent.
Examples:
The following table provides example formulas of the ATAN function.
Formula Result
ATAN(.5) .463648

Formula Result
ATAN([Angle Tangent]) .785398

where Angle Tangent is a Numeric field with a value of 1.
ATAN2 Function
The ATAN2 function returns the arctangent (inverse tangent) of a specified set of x/y coordinates.
The returned value is expressed in radians.
Syntax: ATAN2(x_number, y_number)
The following table describes ATAN2 func-
tion parameters.
x_number The x coordinate of a point.
y_number The y coordinate of a point.
Examples:
The following table provides example formulas of the ATAN2 function.
Formula Result
ATAN2(2,2) .785398
ATAN2([X Point],[Y Point]) 1.373401

where X Point and Y Point are Numeric fields with values of 1 and 5, respectively.
ATANH Function
The ATANH function returns the inverse hyperbolic tangent of a number.
Syntax: ATANH(number)

The following table describes the ATANH function parameter.

Number The number for which you want to determine the inverse hyperbolic tangent. The
value for this parameter must be between -1 and 1.
Examples:
ATANH function.
Formula Result
ATANH(.5) .549306
ATANH([Number]) -.25541
where Number is a Numeric field with a value of
-.25.
CEILING Function
The CEILING function rounds a number, away from zero, to the nearest multiple of significance.
Syntax: CEILING(number, significance)
The following table describes CEILING function parameters.
number The number you want to round. This parameter can be formatted as a Numeric-field
reference (e.g., [field name]) or as another formula that results in a numeric value,
such as SUM([field 1],[field 2]) where field 1 and field 2 are Numeric fields.
significance The multiple to which you want to round.
Example:
The following table provides example formulas of the CEILING function.
Formula Result
CEILING([Score], 1) 3
where the value in the Score field is 2.5
CEILING(SUM([Risk],[Criticality]), 5) 20
where the sum of the values in the Risk and Criticality fields is 17.10

COMBIN Function
The COMBIN function returns the number of combinations for a given number of items. Use
COMBIN to determine the total possible number of groups for a given number of items.
Note: A combination is any set or subset of items, regardless of their internal order. Combinations
are distinct from permutations, for which the internal order is significant.

Syntax: COMBIN(number,number_chosen)
The following table describes COMBIN function parameters.
number The number of items. Numeric arguments are truncated to integers.
Note: If nonnumeric, if number < 0 or if number < number_chosen, COMBIN

returns an error.
number_ The number of items in each combination. Numeric arguments are truncated to
chosen integers.
Note: If nonnumeric, if number_chosen < 0 or if number < number_chosen,

COMBIN returns an error.
Example:
The following table provides an example formula of the COMBIN function.
Formula Result
COMBIN([Candidates],[Team Size]) 28
where the value in the Candidates field is 8 and the value in the Team Size field is 2.
COS Function
The COS function returns the cosine of the given angle.
Syntax: COS(number)

The following table describes the COS function parameter.

number The angle in radians for which you want the cosine.
If the angle is in degrees, either multiply the angle by PI()/180 or use the RADIANS
function to convert the angle to radians.
Examples:
COS function.
Formula Result
=COS(1.047) Cosine of 1.047 radians (0.500171)
=COS(60*PI()/180) Cosine of 60 degrees (0.5)
=COS(RADIANS(60)) Cosine of 60 degrees (0.5)
COSH Function
The COSH function returns the hyperbolic cosine of a number.
Syntax: COSH(number)
The following table describes the COSH function parameter.
number Any real number for which you want to find the hyperbolic cosine.
Examples:
The following table provides example formulas of the COSH function.
Formula Result
COSH(4) Hyperbolic cosine of 4 (27.30823)
=COSH(EXP(1)) Hyperbolic cosine of the base of the natural logarithm (7.610125)
DEGREES Function
The DEGREES function converts radians into degrees.

Syntax: DEGREES(angle)
The following table describes the DEGREES function para-
meter.
angle The angle, in radians, that you want to convert.
Example:
The following table provides an example for-
mula of the DEGREES function.
Formula Result
DEGREES(PI()) Degrees of pi radians (180)
EVEN Function
The EVEN function returns the number rounded up to the nearest even integer. You can use this
function for processing items that come in twos. For example, a packing crate accepts rows of one
or two items. The crate is full when the number of items, rounded up to the nearest two, matches the
crate capacity.
Syntax: EVEN(number)
The following table describes the EVEN function parameter.
number The value to round. If number is non-numeric, EVEN returns an error. Regardless of
the sign of number, a value is rounded up when adjusted away from zero. If number
is an even integer, no rounding occurs.
Examples:
EVEN function.
Formula Result
EVEN(1.5) Rounds 1.5 up to the nearest even integer (2)
EVEN(3) Rounds 3 up to the nearest even integer (4)

Formula Result
EVEN(2) Rounds 2 up to the nearest even integer (2)
EVEN(-1) Rounds -1 up to the nearest even integer (-2)
EXP Function
The EXP function returns e raised to the power of number. The constant e equals 2.71828182845904,
the base of the natural logarithm.
Syntax: EXP(number)
The following table describes the EXP function parameter.
number The exponent applied to the base e. To calculate powers of other bases, use the
exponentiation operator (^). EXP is the inverse of LN, the natural logarithm of
number.
Examples:
The following table provides example formulas of the EXP function.
Formula Result
EXP(1) Approximate value of e (2.718282)
EXP(2) Base of the natural logarithm e raised to the power of 2 (7.389056)
FACT Function
The FACT function returns the factorial of a number. The factorial of a number is equal to
1*2*3*...* number.
Syntax: FACT(number)
The following table describes the FACT function parameter.
number The non-negative number for which you want the factorial. If number is not an
integer, it is truncated.

Examples:
The following table provides example formulas
of the FACT function.
Formula Result
FACT(5) Factorial of 5, or 1*2*3*4*5 (120)
FACT(1.9) Factorial of the integer of 1.9 (1)
FACT(0) Factorial of 0 (1)
FACT(-1) Negative numbers return an error.
FACT(1) Factorial of 1 (1)
FLOOR Function
The FLOOR function rounds a number down toward zero, to the nearest multiple of significance.
Syntax: FLOOR(number, significance)
The following table describes FLOOR function parameters.
number The number that you want to round down to the nearest integer. This parameter can
be formatted as a Numeric-field reference, for example, [field name]), or as another
formula that results in a numeric value, such as SUM([field 1],[field 2]) where field
1 and field 2 are Numeric fields.
significance The multiple to which you want to round.
Examples:
The following table provides example formulas of the FLOOR function.
Formula Result
FLOOR([Score], 1) 2
where the value in the Score field is 2.5.
FLOOR(SUM([Risk], [Criticality]), 5) 15
where the sum of the values in the Risk and Criticality fields is 17.10.

INT Function
The INT function rounds a number down to the nearest integer.
Syntax: INT(number)
The following table describes the INT function parameter.
number The real number you want to round down to an integer.
Examples:
The following table provides
example formulas of the
INT function.
Formula Result
INT(8.9) Rounds 8.9 down (8)
INT(-8.9) Rounds -8.9 down (-9)
LN Function
The LN function returns the natural logarithm of a number. Natural logarithms are based on the
constant e (2.71828182845904).
Syntax: LN(number)
The following table describes the LN function parameter.
number The positive real number for which you want the natural logarithm. LN is the
inverse of the EXP function.
Examples:
The following table provides example formulas of the LN function.
Formula Result
LN(86) Natural logarithm of 86 (4.454347)

Formula Result
LN(2.7182818) Natural logarithm of the value of the constant e (1)
LN(EXP(3)) Natural logarithm of e raised to the power of 3 (3)
LOG Function
The LOG function returns the logarithm of a number to the base that you specify.
Syntax: LOG(number,base)
The following table describes LOG function parameters.
number The positive real number for which you want the logarithm.
base The base of the logarithm. If base is omitted, it is assumed to be 10.
Examples:
LOG function.
Formula Result
LOG(10) Logarithm of 10 (1)
LOG(8, 2) Logarithm of 8 with base 2 (3)
LOG(86, 2.7182818) Logarithm of 86 with base e (4.454347)
LOG10 Function
The LOG10 function returns the base-10 logarithm of a number.
Syntax: LOG10(number)
The following table describes the LOG10 function parameter.
number The positive real number for which you want the base-10 logarithm.

Examples:
LOG10 function.
Formula Result
LOG10(86) Base-10 logarithm of 86 (1.934498451)
LOG10(10) Base-10 logarithm of 10 (1)
LOG10(1E5) Base-10 logarithm of 1E5 (5)
LOG10(10^5) Base-10 logarithm of 10^5 (5)
MOD Function
The MOD function returns the remainder after number is divided by divisor. The result has the same
sign as divisor.
Syntax: MOD(number,divisor)
The following table describes MOD function parameters.
number The number for which you want to find the remainder.
divisor The number by which you want to divide the number.
Note: If divisor is 0, MOD returns an error.
Examples:
The following table provides example formulas of the MOD function.
Formula Result
MOD(3,2) Remainder of 3/2 (1)
MOD(-3, 2) Remainder of -3/2. The sign is the same as divisor (1).
MOD(3, -2) Remainder of 3/-2. The sign is the same as divisor (-1).
MOD(-3, -2) Remainder of -3/-2. The sign is the same as divisor (-1).
ODD Function
The ODD function returns number rounded up to the nearest odd integer.


Syntax: ODD(number)
The following table describes the ODD function parameter.
number The value to round.
Note: If number is non-numeric, ODD returns an error. Regardless of the sign of

number, a value is rounded up when adjusted away from zero. If number is an odd
integer, no rounding occurs.
Examples:
ODD function.
Formula Result
ODD(1.5) Rounds 1.5 up to the nearest odd integer (3)
ODD(3) Rounds 3 up to the nearest odd integer (3)
ODD(2) Rounds 2 up to the nearest odd integer (3)
ODD(-1) Rounds -1 up to the nearest odd integer (-1)
ODD(-2) Rounds -2 up to the nearest odd integer (-3)
PI Function
The PI function returns the number 3.14159265358979, the mathematical constant pi, accurate to 15
digits.
Syntax: PI()
Examples:
The following table provides example formulas of the PI function.
Formula Result
PI() Pi (3.14159265358979)
PI()/2 Pi/2 (1.570796327)

Formula Result
PI()*(3^2) Area of a circle, with the radius given (28.27433388)
POWER Function
The POWER function returns the result of a number raised to a power.
Note: The "^" operator can be used instead of POWER to indicate to what power the base number is
to be raised, such as in 5^2.

Syntax: POWER(number,power)
The following table describes POWER function parameters.
number The base number. It can be any real number.
power The exponent to which the base number is raised.
Examples:
The following table provides example formulas of the POWER
function.
Formula Result
POWER(5,2) 5 squared (25)
POWER(98.6,3.2) 98.6 raised to the power of 3.2 (2401077)
POWER(4,5/4) 4 raised to the power of 5/4 (5.656854)
PRODUCT Function
The PRODUCT function multiplies all the numbers given as arguments and returns the product. The
PRODUCT function is useful when you need to multiply many fields together.
Syntax: PRODUCT(number1,number2,...)

The following table describes PRODUCT function parameters.

number1 The number or range that you want to multiply.
Note: If an argument is a reference, only numbers in the reference are multiplied.

Empty fields, logical values, and text in the reference are ignored.
number2,... Additional numbers or ranges that you want to multiply, up to a maximum of 255
arguments.
Examples:
The following table provides example formulas of the PRODUCT function.
Formula Result
PRODUCT( REF( [Data Set], [Values])) 2250

where Data Set is a cross-reference field and the values in the Values field are 5, 15,
and 30.
PRODUCT( REF( [Data Set], [Values]),2) 4500

where Data Set is a cross-reference field and the values in the Values field are 5, 15,
and 30.
QUOTIENT Function
The QUOTIENT function returns the integer portion of a division by discarding the remainder.
Syntax: QUOTIENT(numerator, denominator)
The following table describes QUOTIENT function parameters.
numerator The number representing the dividend for a division operation.
denominator The number representing the divisor for a division operation.
Examples:

The following table provides example formulas of the QUOTIENT function.

Formula Result
QUOTIENT (42, 5) 8
where 42 / 5 = 8.4.
QUOTIENT (11.5, 2.15) 5

where 11.5 / 2.15 = 5.348837209.
QUOTIENT (-33, 4.08) -8

where -33 / 4.08 = -8.088235294.
QUOTIENT ([Rating], [Rank]) 15

where the value of Rating is 92.68, the value of Rank is 6, and [Rating] / [Rank] =
15.44666667.
RADIANS Function
The RADIANS function converts degrees to radians.
Syntax: RADIANS(angle)
The following table describes the RADIANS function para-
meter.
angle An angle in degrees that you want to convert.
Example:
The following table provides an example formula of the RADIANS
function.
Formula Result
RADIANS(270) 270 degrees as radians (4.712389 or 3π/2 radians)
RAND Function
The RAND function returns an evenly distributed random real number greater than or equal to 0 and
less than 1. A new random real number is returned every time the worksheet is calculated.

To generate a random real number between a and b, use:

RAND()*(b-a)+a
Syntax: RAND()
Examples:
The following table provides example formulas of the RAND function.
Formula Result
RAND() A random number between 0 and 1 (varies).
RAND()*100 A random number greater than or equal to 0 but less than 100 (varies).
ROUND Function
The ROUND function rounds a number to a specified number of digits.
Syntax: ROUND(number, num_digits)
The following table describes ROUND function parameters.
number The number that you want to round. This parameter can be formatted as a Numeric-
field reference, for example, [field name], or as another formula that results in a
numeric value, such as SUM([field 1],[field 2]) where field 1 and field 2 are
Numeric fields.
num_digits Specifies the number of digits to which you want to round the number. If the num_
digits parameter is greater than 0 (zero), the number is rounded to the specified
number of decimal places. If the num_digits parameter is equal to 0, the number is
rounded to the nearest integer. If the num_digits parameter is less than 0, the number
is rounded to the left of the decimal point to the specified number of decimal places.
For example, if the num_digits parameter is -1 and the number is 101.5, the number
would be rounded to 100.
Note: In the case of a tie, the function rounds to the nearest even number. For
example, if the num_digits parameter is 0, 1.5 and 2.5 would both round to 2. If the
num_digits parameter is 2, 3.575 and 3.585 would both round to 3.58.
Examples:

The following table provides example formulas of the ROUND function.

Formula Result
ROUND([Score], 0) 23
ROUND(SUM ([Risk], [Criticality]), 2) 17.08

where the value in the Risk field is 12.725 and the value in the Criticality field is 4.351.
ROUNDDOWN Function
The ROUNDDOWN function rounds a number down, toward zero. ROUNDDOWN behaves like
ROUND, except that it always rounds a number down.
Syntax: ROUNDDOWN(number,num_digits)
The following table describes ROUNDDOWN function parameters.
number Any real number that you want rounded down.
num_digits The number of digits to which you want to round the number.
Note: If num_digits is greater than 0 (zero), the number is rounded down to the
specified number of decimal places. If num_digits is 0, the number is rounded down
to the nearest integer. If num_digits is less than 0, the number is rounded down to
the left of the decimal point.
Examples:
The following table provides example formulas of the ROUNDDOWN function.
Formula Result
ROUNDDOWN(3.2,0) Rounds 3.2 down to zero decimal places (3)
ROUNDDOWN(76.9,0) Rounds 76.9 down to zero decimal places (76)
ROUNDDOWN( Rounds 3.14159 down to three decimal places (3.141)

3.14159,3)
ROUNDDOWN(- Rounds -3.14159 down to one decimal place

3.14159,1) (-3.1)

Formula Result
ROUNDDOWN Rounds 31415.92654 down to 2 decimal places to the left of the

(31415.92654,-2) decimal (31400)
ROUNDUP Function
The ROUNDUP function rounds a number up, away from 0 (zero). ROUNDUP behaves like
ROUND, except that it always rounds a number up.
Syntax: ROUNDUP(number,num_digits)
The following table describes ROUNDUP function parameters.
number Any real number that you want rounded up.
num_digits The number of digits to which you want to round the number.
Note: If num_digits is greater than 0 (zero), the number is rounded up to the

specified number of decimal places. If num_digits is 0, the number is rounded up to
the nearest integer. If num_digits is less than 0, the number is rounded up to the left
of the decimal point.
Examples:
The following table provides example formulas of the ROUNDUP function.
Formula Result
ROUNDUP(3.2,0) Rounds 3.2 up to zero decimal places (4)
ROUNDUP(76.9,0) Rounds 76.9 up to zero decimal places (77)
ROUNDUP(3.14159, 3) Rounds 3.14159 up to three decimal places (3.142)
ROUNDUP(-3.14159, 1) Rounds -3.14159 up to one decimal place (-3.2)
ROUNDUP(31415.92654, Rounds 31415.92654 up to 2 decimal places to the left of the decimal

-2) (31500)
SIGN Function
The SIGN function determines the sign of a number. If the number is positive, the function returns 1,
zero (0) if the number is 0, and -1 if the number is negative.


Syntax: SIGN(number)
The following table describes the
SIGN function parameter.
number Any real number.
Examples:
the SIGN function.
Formula Result
SIGN(10) Sign of a positive number (1)
SIGN(4-4) Sign of zero (0)
SIGN(-0.00001) Sign of a negative number (-1)
SIN Function
The SIN function returns the sine of a given angle.
Syntax: SIN(number)
The following table describes the SIN function parameter.
number The angle in radians for which you want the sine.
Note: If your argument is in degrees, multiply it by PI()/180 or use the RADIANS

function to convert it to radians.
Examples:
The following table provides example formulas of the SIN
function.
Formula Result
SIN(PI()) Sine of pi radians (0, approximately)

Formula Result
SIN(PI()/2) Sine of pi/2 radians (1)
SIN(30*PI()/180) Sine of 30 degrees (0.5)
SIN(RADIANS(30)) Sine of 30 degrees (0.5)
SINH Function
The SINH function returns the hyperbolic sine of a number.
Syntax: SINH(number)
SINH function parameter.
Examples:
the SINH function.
Formula Result
SINH(1) Hyperbolic sine of 1 (1.175201194)
SINH(-1) Hyperbolic sine of -1 (-1.175201194)
You can use the hyperbolic sine function to approximate a cumulative probability distribution. When
a laboratory test value varies between 0 and 10 seconds. An empirical analysis of the collected
history of experiments shows that the probability of obtaining a result, x, of less than t seconds is
approximated by the following equation:
P(x<t) = 2.868 * SINH(0.0342 * t), where 0<t<10
To calculate the probability of obtaining a result of less than 1.03 seconds, substitute 1.03 for t.

The following table provides an example formula of the SINH function to calculate the probability of
obtaining a result of less than 1.03 seconds.
Formula Result
2.868*SINH Probability of obtaining a result of less than 1.03 seconds (0.101049063).

(0.0342*1.03) You can expect this result to occur about 101 times for every 1000
experiments.
SQRT Function
The SQRT function returns a positive square root.
Syntax: SQRT(number)
The following table describes the SQRT function parameter.
number The number for which you want the square root.
Note: If number is negative, SQRT returns an error.
Example:
The following table provides an
example formula of the
SQRT function.
Formula Result
SQRT(16) Square root of 16 (4)
SUM Function
The SUM function adds all of the numbers in the specified parameters. If the SUM function
references a multi-selection values list, it can be used with the SELECTED function to return the
sum of the numeric values for each of the currently selected items.
Syntax: SUM(number1, number2,...)

The following table describes SUM function parameters.

number1, Parameters for which you want the total value. These parameters can be entered as
number2, hard-coded values, for example, 2, or Numeric-field references, for example, [field
name]. Referenced fields can reside within the application or within Sub-Form,
Cross-Reference, or Related Records fields.
Examples:
The following table provides example formulas of the SUM function.
Formula Result
SUM(3, [Risk]) 15
where the value in the Risk field is 12.
SUM([Risk], [Criticality]) 19
where the value in the Risk field is 12 and the value in the Criticality field is 7.
SUM(REF([Orders],[Price])) 202.94
where the value in the Price field within the Orders sub-form are 120.00, 50.19, and
32.75.
SUM(SELECTEDVALUENUMBER([Key Factors])) 25
where Key Factors is a multi-selection Values List field and the numeric values of the
current selections are 3, 8, 4, and 10.
SUMIF Function
SUMIF Function
The SUMIF function sums the values of a specified Numeric field across all records in a Sub-Form,
Cross-Reference, Related Records, or Scheduler field that contain a specific value in a given field.
For example, you can return the sum of all Price field values across all cross-referenced records in
which the Status field is set to “Shipped.”
Syntax: SUMIF(eval_field_ref, criterion, sum_field_ref)

The following table describes SUMIF function parameters.

eval_field_ The reference to the field against which the criterion will be evaluated.
ref
Note: If sum_field_ref is not passed to SUMIF, eval_field_ref will also act as the
field to sum.
criterion The test that will be performed against eval_field_ref to determine whether a given
record will be qualified for the sum operation. The criterion can involve Values List,
User/Groups List, and Record Permissions fields as well as fields containing
numeric, text, and date type values.
l Values Lists. If eval_field_ref is a Values List field, enclose the criterion value
in VALUEOF or supply it as a quoted literal string, for example, "Dallas".
l User/Groups List and Record Permissions Fields. If eval_field_ref is a
User/Groups List or Record Permissions field, enclose the criterion value in
USER or GROUP (as appropriate for the criterion).
l Text, Numeric, or Date Fields. If eval_field_ref is a Text, Numeric, or Date
field, the criterion must be enclosed in quotes, for example, ">56", and the
criterion can involve any of the supported comparison operators (=, <, >, <=, >=,
<>).
Note: The evaluation will always result in no matches if there is a space between
the operator and the test value. For example, if the intent is to sum a given Numeric
field across all sub-form records where a another given field contains a numeric
value greater than 56, a space cannot appear in the formula between the ">" and the
"56"
If a function is used in the criterion, the function must be concatenated to the

comparison operator. For example, the proper criterion syntax for specifying
"greater than today" would be:
">"&TODAY( )
The criterion parameter supports the use of literal dates or a date value derived from
the TODAY function. If a literal date string is specified, it must be wrapped in a
sum_field_ The reference to a Numeric field that will be summed across all qualified records.
ref
field to sum.
Examples:

The following table provides example formulas of the SUMIF function.

Formula Result
SUMIF(REF([Cases], [Status]), VALUEOF(REF([Cases], [Status]), "Open"),REF 832

([Cases], [Time Spent]))
where:
l The name of the Cross-Reference field is Cases.
l The Status Values List field contains the values to be evaluated.
l The criterion for matching on the Status field is the selection “Open”.
l Time Spent is a Numeric field containing the numeric values to be summed.
l The sum of Time Spent across all “Open” cases is 832 minutes.
SUMIF(REF([Items], [Line Item Cost]), ">5.99",REF([Items], [Line Total])) 2378.10

where:
l The name of the Sub-Form field is Items.
l The Line Item Cost Numeric field in the related sub-form contains the data to be
evaluated.
l The criterion for matching on Line Item Cost is values greater than 5.99.
l Line Total is a Numeric field containing the numeric values to be summed.
l The sum of Line Total across all sub-form records where Line Item Cost is greater
than 5.99 is 2378.10.
SUMIF(REF([Properties], [Sale Price]), ">=150000") 2654887

where:
l The name of the Cross-Reference field is Properties.
l The Sale Price Numeric field in the related application contains the data to be
evaluated.
l The criterion for matching on Sale Price is values greater than or equal to 150000.
l The sum of Sale Price across all related records where Line Item Cost is greater than
or equal to 150000 is 1654887.
Note: In this example, the sum_field_ref is not passed to SUMIF. As a result, the
system will use Sale Price for evaluation purposes and for summing.

Formula Result
SUMIF(REF([Properties], [Sale Date]), ">="&DATETIMEVALUE("7/1/2008"),REF 1299000

([Properties], [Sale Price]))
where:
l The Sale Date field in the related application contains the data to be evaluated.
l The criterion for matching on Sale Date is dates greater than or equal to 7/1/2008.
l Sale Price is a Numeric field containing the numeric values to be summed.
l The sum of Sale Price across all related records where Sales Date is greater than or
equal to 7/1/2008 is 1299000.
SUMPRODUCT Function
The SUMPRODUCT function multiplies corresponding components in the given sets of fields, and
returns the sum of those products.
Syntax: SUMPRODUCT(values1,values2,values3, ...)
The following table describes SUMPRODUCT function parameters.
values1, 2 to 255 sets of values whose components you want to multiply and then add.
values2,
values3, ... Note: The respective arguments must have the same dimensions. If they do not,
SUMPRODUCT returns an error. SUMPRODUCT treats field entries that are not
numeric as if they were zeros.
Example:
The following table provides an example formula of the SUMPRODUCT function.
Formula Result
SUMPRODUCT(REF([Data Set],[Values1]),REF Multiplies all the components of the two

([Data Set],[Values2])) arrays and then adds the products — that
where Data Set is a cross-reference field and the is, 3*2 + 4*7 + 8*6 + 6*7 + 1*5 + 9*3.
values in the Values1 field are 3, 4, 8, 6, 1, and 9, (156)
and the values in the Values2 field are 2, 7, 6, 7, 5,
and 3.

SUMSQ Function
The SUMSQ function returns the sum of the squares of the arguments.
Syntax: SUMSQ(number1,number2, ...)
The following table describes SUMSQ function parameters.
number1, 1 to 255 arguments for which you want the sum of the squares. You can also use a
number2, ... reference to an array instead of arguments separated by commas.
Note: Arguments can be numbers, names, or references that contain numbers.

Numbers, logical values, and text representations of numbers that you type directly
into the list of arguments are counted. If an argument is a reference, only numbers in
that reference are counted. Empty cells, logical values, text, or error values are
ignored. Arguments that are error values or text that cannot be translated into
numbers cause errors.
Example:
The following table provides an example formula of
the SUMSQ function.
Formula Result
SUMSQ(3,4) Sum of the squares of 3 and 4 (25)
SUMX2MY2 Function
The SUMX2MY2 function returns the sum of the difference of squares of corresponding values in
two sets of fields.
Syntax: SUMX2MY2(values_x,values_y)
The following table describes SUMX2MY2
function parameters.
values_x The first range of values.
values_y The second range of values.

Note: The arguments should be either numbers, names, or references that contain numbers. If a
reference argument contains text, logical values, or empty cells, those values are ignored; however,
fields with the value zero are included. If values_x and values_y have a different number of values,
SUMX2MY2 returns an error.
Example:
The following table provides an example formula of the SUMX2MY2 function.
Formula Result
SUMX2MY2(REF([Data Set],[Values1]),REF([Data Set], Sum of the difference of

[Values2])) squares of the two sets of
where Data Set is a cross-reference field, the values in the values given (-55)
Values1 field are 2, 3, 9, 1, 8, 7 and 5 and the values in the
Values2 field are 6, 5, 11, 7, 5, 4 and 4.
SUMX2PY2 Function
The SUMX2PY2 function returns the sum of the sum of squares of corresponding values in two sets
of fields. The sum of the sum of squares is a common term in many statistical calculations.
Syntax: SUMX2PY2(values_x,values_y)
The following table describes
SUMX2PY2 function parameters.
values_x The first set of fields.
values_y The second set of fields.
Note: The arguments should be numbers, names, or references that contain numbers. If a reference
argument contains text, logical values, or empty cells, those values are ignored; however, fields with
the value zero are included. If values_x and values_y have a different number of values,
SUMX2PY2 returns an error.
Example:

The following table provides an example formula of the SUMX2PY2 function.

Formula Result
SUMX2PY2(REF([Data Set],[Values1]), REF([Data Set], Sum of the sum of squares

[Values2])) of the two sets of fields
where Data Set is a cross-reference field, the values in the Values1 given (521)
field are 2, 3, 9, 1, 8, 7 and 5 and the values in the Values2 field are
6, 5, 11, 7, 5, 4, and 4.
SUMXMY2 Function
The SUMXMY2 function returns the sum of squares of differences of corresponding values in two
sets of fields.
Syntax: SUMXMY2(values_x,values_y)
SUMXMY2 function parameters.
SUMXMY2 returns an error.
Examples:
The following table provides example formulas of the SUMXMY2 function.
Formula Result
SUMXMY2(REF([Data Set],[Values1]), REF([Data Set],[Values2])) Sum of squares of

where Data Set is a cross-reference field, the values in the Values1 differences of the two
field are 2, 3, 9, 1, 8, 7, and 5, and the values in the Values2 field are arrays given (79)
6, 5, 11, 7, 5, 4, and 4.
SUMXMY2({2, 3, 9, 1, 8, 7, 5}, {6, 5, 11, 7, 5, 4, 4}) Sum of squares of

differences of the two
arrays constants (79)

TAN Function
The TAN function returns the tangent of the given angle.
Syntax: TAN(number)
The following table describes the TAN function parameter.
number The angle in radians for which you want the tangent.
Note: If your argument is in degrees, multiply it by PI()/180 or use the RADIANS

function to convert it to radians.
Examples:
TAN function.
Formula Result
TAN(0.785) Tangent of 0.785 radians (0.99920)
TAN(45*PI()/180) Tangent of 45 degrees (1)
TAN(RADIANS(45)) Tangent of 45 degrees (1)
TANH Function
The TANH function returns the hyperbolic tangent of a number.
Syntax: TANH(number)
TANH function parameter.
Examples:


the TANH function.
Formula Result
TANH(-2) Hyperbolic tangent of -2 (-0.96403)
TANH(0) Hyperbolic tangent of 0 (0)
TANH(0.5) Hyperbolic tangent of 0.5 (0.462117)
TRUNC Function
The TRUNC function truncates a number to an integer by removing the fractional part of the
number.
Syntax: TRUNC(number, num_digits)
The following table describes TRUNC function parameters.
number The number that you want to truncate. This parameter can be formatted as a
Numeric-field reference, for example, [field name], or as another formula that
results in a numeric value, such as SUM([field 1],[field 2]) where field 1 and field 2
are Numeric fields.
num_digits Specifies the precision of the truncation. This parameter is typically omitted;
however, you can include this parameter to truncate a number at a specific decimal
place.
Examples:
The following table provides example formulas of the TRUNC function.
Formula Result
TRUNC([Score]) 3
TRUNC([Score], 1) 3.4

Formula Result
IF(TRUNC([Ship Date-Time]) = TODAY( ), “Shipped Today”, “Not Shipped Today”) Shipped

In this example, the Ship Date-Time field is a Date field set to capture date and time Today
information. Date fields technically contain a serial number representing the literal date
and time. Serial numbers are based on the number of days a date is past January 1, 1900.
For example, if the Ship Date-Time field has a value of 9/3/2010 3:17 PM, the value that
will be returned for use by the enclosed TRUNC function will be the serial number
40424.6368055556.
The TODAY function also returns a serial number, but includes only the date portion of
the serial; the time portion (which falls to the right of the decimal in the serial number)
will be omitted. In this example, TRUNC is being used to trim the time portion of the
serial contained in the Ship Date-Time field. This allows the two dates to be compared
without considering the time portion of the Ship Date-Time field.
Statistics Functions
The following statistics functions to return statistical information.
AVEDEV Function
The AVEDEV function returns the average deviation of a set of values from their mean.
Syntax: AVEDEV(number1, number2,...)
The following table describes AVEDEV function parameters.
number1, Numbers for which you want to determine the average deviation. You can format
number2, these parameters as hard-coded numeric values, for example, 30, Numeric-field
and so on references, for example, [field name], or as another formula that results in a
Numeric fields.
Note: If a field contains no value (is empty), that value will be ignored and not
included in the final computation of the calculation. Values of 0, however, are
included in the calculation.
Examples:

The following table provides example formulas of the AVEDEV function.

Formula Result
AVEDEV[Risk], [Criticality], [Availability]) 2.666667

where the value in the Risk field is 5, the value in the Criticality field is 7, and the
value in the Availability field is 12.
AVEDEV([Risk], [Criticality], 30, 10) 8.5

AVERAGE Function
The AVERAGE function returns the average (arithmetic mean) value in a set of values.
Syntax: AVERAGE(number1, number2,...)
The following table describes AVERAGE function parameters.
number1, Numbers that you want to average. You can format these parameters as hard-coded
number2, numeric values, for example, 30, Numeric-field references, for example, [field
name], or as another formula that results in a numeric value, such as SUM([field 1],
[field 2]) where field 1 and field 2 are Numeric fields.
Examples:
The following table provides example formulas of the AVERAGE function.
Formula Result
AVERAGE([Risk], [Criticality], [Availability]) 8

where the value in the Risk field is 5, the value in the Criticality field is 7, and the value
in the Availability field is 12.
AVERAGE([Risk], [Criticality], 30) 14

where the value in the Risk field is 5 and the value in the Criticality field is 7
AVERAGEA Function
The AVERAGEA function returns the average deviation of a set of values from their mean and
includes text representation of numbers or logical values.

Syntax: AVERAGEA(number1, number2,...)

The following table describes AVERAGEA function parameters.
number1, Numbers for which you want to determine the average deviation. You can format
number2, these parameters as hard-coded numeric values, for example, 30, Numeric-field
references, for example, [field name], or as another formula that results in a
Numeric fields.
Note: If a field contains no value (is empty) that value will be ignored and not
included in the final computation of the calculation. Values of 0, however, are
included in the calculation.
Note: Fields that contain the text "TRUE" will be evaluated as "1". Fields that
contain the text "FALSE" will be evaluated as "0" (zero).
Examples:
The following table provides example formulas of the AVERAGEA function.
Formula Result
AVERAGEA[Risk], [Criticality], [Offshore Facilities]) 4.333333

value in the Offshore Facilities field is "TRUE",
AVERAGEA([Risk], [Criticality], 30, [Offshore Facilities]) 10.5

value in the Offshore Facilities field is "FALSE",
BINOMDIST Function
The BINOMDIST function returns the individual term binomial distribution probability. Use
BINOMDIST in problems with a fixed number of tests or trials, when the outcomes of any trial are
only success or failure, when trials are independent, and when the probability of success is constant
throughout the experiment. For example, BINOMDIST can calculate the probability that two of the
next three babies born are male.
Syntax: BINOMDIST(number_s,trials,probability_s,cumulative)

The following table describes BINOMDIST function parameters.

number_s The number of successes in trials. Truncated to an integer.
Note: If non-numeric, if number_s < 0, or if number_s > trials, BINOMDIST

returns an error.
trials The number of independent trials. Truncated to an integer.
Note: If non-numeric, BINOMDIST returns an error.
probability_ The probability of success on each trial.

s
Note: If non-numeric, if probability_s < 0, or if probability_s > 1, BINOMDIST
returns an error.
cumulative A logical value that determines the form of the function. If cumulative is TRUE,
then BINOMDIST returns the cumulative distribution function, which is the
probability that there are at most number_s successes; if FALSE, it returns the
probability mass function, which is the probability that there are number_s
successes.
Example:
The following table provides an example formula of the BINOMDIST function.
Formula Result
BINOMDIST([Successes], [Trials], [Probability], FALSE) 0.205078

where the value in the Successes field is 6, the value in the Trials field is 10, and the
value in the Probability field is 0.5.
CHIDIST Function
The CHIDIST function returns the one-tailed probability of the chi-squared distribution. The χ2
distribution is associated with a χ2 test. Use the χ2 test to compare observed and expected values.
For example, a genetic experiment might hypothesize that the next generation of plants will exhibit a
certain set of colors. By comparing the observed results with the expected ones, you can decide
whether your original hypothesis is valid. CHIDIST is calculated as CHIDIST = P(X>x), where X is
a χ2 random variable.
Syntax: CHIDIST(x,degrees_freedom)

The following table describes CHIDIST function parameters.

x The value at which you want to evaluate the distribution.
Note: If nonnumeric or if x is negative, CHIDIST returns an error.
degrees_ The number of degrees of freedom.

freedom
Note: If non-numeric, CHIDIST returns an error. If degrees_freedom is not an
integer, it is truncated. If degrees_freedom < 1 or degrees_freedom > 10^10,
CHIDIST returns an error.
Example:
example formula of the
CHIDIST function.
Formula Result
CHIDIST(18.307, 10) 0.050001
CHIINV Function
The CHIINV function returns the inverse of the one-tailed probability of the chi-squared distribution.
If probability = CHIDIST(x,...), then CHIINV(probability,...) = x. Use this function to compare
observed results with expected ones to decide whether your original hypothesis is valid.
Note: Given a value for probability, CHIINV seeks that value x such that CHIDIST(x, degrees_
freedom) = probability. Therefore, precision of CHIINV depends on precision of CHIDIST.
CHIINV uses an iterative search technique. If the search has not converged after 100 iterations, the
function returns the #N/A error value.

Syntax: CHIINV(probability,degrees_freedom)
The following table describes CHIINV function parameters.
probability A probability associated with the chi-squared distribution.
Note: If nonnumeric, if probability < 0, or if probability > 1, CHIINV returns an

error.

degrees_ The number of degrees of freedom.

freedom
Note: If nonnumeric, if degrees_freedom < 1, or if degrees_freedom > 10^10,
CHIINV returns an error. If degrees_freedom is not an integer, it is truncated.
Example:
example formula of the CHIINV
function.
Formula Result
CHIINV(0.50001, 10) 18.3069735
CONFIDENCE Function
The CONFIDENCE function returns a value that you can use to construct a confidence interval for a
population mean. The confidence interval is a range of values. Your sample mean, x, is at the center
of this range and the range is x ± CONFIDENCE. For example, if x is the sample mean of delivery
times for products ordered through the mail, x ± CONFIDENCE is a range of population means. For
any population mean, μ0, in this range, the probability of obtaining a sample mean further from μ0
than x is greater than alpha; for any population mean, μ0, not in this range, the probability of
obtaining a sample mean further from μ0 than x is less than alpha. In other words, assume that we
use x, standard_dev, and size to construct a two-tailed test at significance level alpha of the
hypothesis that the population mean is μ0. Then we will not reject that hypothesis if μ0 is in the
confidence interval and will reject that hypothesis if μ0 is not in the confidence interval. The
confidence interval does not allow us to infer that there is probability 1 – alpha that our next package
will take a delivery time that is in the confidence interval.
Syntax: CONFIDENCE(alpha,standard_dev,size)
The following table describes CONFIDENCE function parameters.
alpha The significance level used to compute the confidence level. The confidence level
equals 100*(1 - alpha)%, or in other words, an alpha of 0.05 indicates a 95 percent
confidence level.
Note: If non-numeric, if alpha ≤ 0, or if alpha ≥ 1, CONFIDENCE returns an error.

standard_ The population standard deviation for the data range and is assumed to be known.
dev
Note: If nonnumeric or if standard_dev ≤ 0, CONFIDENCE returns an error.
size The sample size.
Note: If nonnumeric or if size < 1, CONFIDENCE returns an error. If size is not an

integer, it is truncated.
Example:
The following table provides an example formula of the CONFIDENCE function.
Formula Result
CONFIDENCE([Significance], [Standard Deviation], [Sample Size]) 0.692952

where the value in the Significance field is 0.05, the value in the Standard Deviation
field is 2.5, and the value in the Sample Size field is 50.
CORREL Function
The CORREL function returns the correlation coefficient of two sets of fields. Use the correlation
coefficient to determine the relationship between two properties. For example, you can examine the
relationship between the inside temperature and outside temperature of a location.
Syntax: CORREL(values1,values2)
CORREL function parameters.
values1 A set of fields.
values2 A second set of fields.
Note: If a reference argument contains text, logical values or is empty, those values are ignored;
however, the value zero is included. If values1 and values2 have a different number of data points,
CORREL returns an error. If either values1 or values2 is empty, or if s (the standard deviation) of
their values equals zero, CORREL returns an error.
Example:

The following table provides an example formula of the CORREL function.

Formula Result
CORREL(REF([Facilities],[Inside Temperature]), REF([Facilities],[Outside 0.400075

Temperature]))
where Facilities is a cross-reference field, the values in the Inside Temperature field
are 75, 72, and 77 and the values in the Outside Temperature field are 98, 88, and 91.
COUNT Function
The COUNT function counts the number of fields that contain numbers, and counts numbers within
the list of arguments. Use the COUNT function to get the number of entries in a number field that is
in a range of numbers.
Note that:
l Arguments that are numbers, dates, or a text representation of numbers, for example, a number
enclosed in quotation marks, such as "1", are counted.
l Logical values and text representations of numbers that you type directly into the list of arguments
are counted.
l Arguments that are error values or text that cannot be translated into numbers are not counted.
l If an argument is a reference, only numbers in that reference are counted. Empty fields, logical
values, text, or error values in the reference are not counted.
l To count logical values, text, or error values, use the COUNTA function.
l To count only numbers that meet certain criteria, use the COUNTIF function or the COUNTIFS
function.

Syntax: COUNT(value1, value2, ...)
The following table describes COUNT function parameters.
value1 The first item, cell reference, or range within which you want to count numbers.
value2, ... Up to 255 additional items, cell references, or ranges within which you want to
count numbers.
Examples:

The following table provides example formulas of the COUNT function.

Formula Result
COUNT(Sales, 12/8/2008, , 19, 22.24, TRUE, Counts the number of fields that contain
#DIV/0) numbers (3)
COUNT(19, 22.24, TRUE, #DIV/0) Counts the number of fields that contain
numbers (2)
COUNTA Function
The COUNTA function returns any one of the following values:
l The number of items currently selected in a multi-select Values List or Cross-Reference field
l The number of rows (entries) present in a Sub-Form field
l The number of non-null values for a field within a sub-form across all rows in the Sub-Form field
l The number of non-null values for a given field within a cross-referenced application across all
rows (selections) in a Cross-Reference field
l The number of resources assigned in a Scheduler field configured to display the Schedule view.
Any unassigned resources are not included in the number returned.
Note: The COUNTA function is not valid for a Scheduler field configured to display the
Resource view.
Although supported, referencing a field other than a Values List, Cross-Reference, Sub-Form, or
Scheduler field with the COUNTA function is of little use because the return value will always be
either 1 or 0. (If the field has a value, 1 is returned. If the field is empty, 0 is returned.) However,
with Values List and Cross-Reference fields that are configured to allow multiple selections and
with Sub-Form fields with multiple entries, the COUNTA function counts the number of selections
or entries within those fields.
Note: To confidently count the number of rows present in a Sub-Form field, the formula must
reference the Sub-Form field itself rather than referencing a field within the sub-form. Likewise, to
count the number of rows present in a Cross-Reference field, the formula must reference that Cross-
Reference field and not a field in the related application.

Syntax: COUNTA(field_ref)

The following table describes the COUNTA function parameter.

field_ref A reference to a field in the application, for example,[Order Detail], a field in a

child sub-form, for example, REF([Order Detail], [Back Order Date]), or a field in
a cross-referenced application, for example, REF([Order Detail], [Vendor Name]).
Examples:
The following table provides example formulas of the COUNTA function.
Formula Result
COUNTA([Order Detail]) 12
where Order Detail is a Sub-Form field in the application and the associated sub-form
currently has 12 rows (entries).
COUNTA([Order Detail]) 0
where Order Detail is a Sub-Form field in the application and the associated sub-form
currently has no (0) rows.
COUNTA([Affected Departments]) 8
where Affected Departments is a Values List field in the application and 8 items are
currently selected in the list.
COUNTA([Related Projects]) 3
where Related Projects is a Cross-Reference field in the application and 3 records from
the related application are currently selected in the field.
COUNTA(REF([Order Detail], [Color])) 6

where Order Detail is a Sub-Form field in the application, Color is a non-required field
residing in the associated sub-form and Color is null in 3 out of the 9 sub-form rows
(entries).
COUNTA(REF([Related Projects], [Project Manager])) 2

where Related Projects is a Cross-Reference field in the application, Project Manager is
a non-required field residing in the related application and Project Manager is null in 1 of
3 Cross-Reference field rows.
COUNTBLANK Function
The COUNTBLANK function counts empty fields in a specified range of fields. Fields with
formulas that return "" (empty text) are also counted. Fields with zero values are not counted.

Syntax: COUNTBLANK(field_ref)
The following table describes the COUNTBLANK function parameter.
field_ref The range from which you want to count the blank fields.
Example:
The following table provides an example formula of the COUNTBLANK function.
Formula Result
COUNTBLANK([Range]) 4
where the values in the Range field are empty, 6, empty, 4, empty, =IF(1>0,"",""), 27,
and 34.
COUNTIF Function
The COUNTIF function counts the number of records in a Sub-Form, Cross-Reference, Related
Records, or Scheduler field that contain a specific value in a given field. For example, you can count
the number of cross-referenced records that have the value of "Open" in the Status field.
Syntax: COUNTIF(field_ref, criterion)
The following table describes COUNTIF function parameters.
field_ref The reference to the field that is contained within a Sub-Form, Cross-Reference,
Related Records, or Scheduler field.

criterion The test that will be performed against the referenced child field to determine
whether that field’s values will be included in the count. The criterion can involve
Values List, User/Groups List, and Record Permissions fields as well as fields
containing numeric, text, and date type values.
l Values List Fields. If COUNTIF is being performed against a Values List field,
the criterion value should be enclosed in VALUEOF or supplied as a quoted
literal string, for example, "Dallas").
l User/Groups List and Record Permissions Fields. If COUNTIF is being
performed against a User/Groups List or Record Permissions field, the criterion
value should be enclosed in USER or GROUP (as appropriate for the criterion).
l Text, Date, or Numeric Fields. If COUNTIF is being performed against a Text,
Date, or Numeric field, the criterion must be enclosed in quotes, for example,
">56", and the criterion can involve any of the supported comparison operators
(=, <, >, <=, >=, <>).
Note: The COUNTIF function always returns zero (0) matches if there is a
space between the operator and the test value. For example, if the intent is to
count the number of sub-form records where a given field contains a numeric
value greater than 56, a space cannot appear in the formula between the ">" and
the "56".

"greater than today" would be: ">"&TODAY( ).
Examples:
The following table provides example formulas of the COUNTIF function.
Formula Result
COUNTIF(REF([Cases], [Status]), VALUEOF(REF([Cases], [Status]), "Open")) 15

where the name of the Cross-Reference field is Cases, the name of the referenced
Values List field in the related application is Status, and the number of cross-referenced
records where the value "Open" is selected in the Status field is 15.

Formula Result
COUNTIF(GETGROUPS(REF([Cases], [Business Owner])), GROUP(NAME, 27

"Finance"))
Record Permissions field in the related application is Business Owner, and the number
of cross-referenced records where the group named "Finance" is selected in the
Business Owner field is 27.
COUNTIF(GETUSERS(REF([Cases], [Business Owner])), USER(NAME, "Lawson, 32

Tracy"))
User/Groups List field in the related application is Business Owner, and the number of
cross-referenced records where the user "Lawson, Tracy" is selected in the Business
Owner field is 32.
COUNTIF(REF([Items], [Price]), ">5.99") 4

where the name of the parent Sub-Form field is Items, the name of the child field in the
Sub-Form is Price, and there are 4 records in the sub form with a Price greater than 5.99.
COUNTIF(REF([Patches], [Patch Date]), TODAY( )) 6

where the name of the parent Cross-Reference field is Patches, the name of the field in
the cross-referenced application is Patch Date, and there are 6 cross-referenced records
where Patch Date equals today’s date.
COUNTIF(REF([Patches], [Patch Date]), "<"&TODAY( )) 8

where the name of the parent Cross-Reference field is Patches, the name of the field in
the cross-referenced application is Patch Date, and there are 8 cross-referenced records
where Patch Date is less than today’s date. In this example, the criterion is being formed
by concatenating the "less than" operator (<) to the TODAY function.
COUNTIF(REF([Orders], [Order Date]), ">="&DATETIMEVALUE("7/23/2008")) 5

where the name of the parent Sub-Form field is Orders, Order Date is a Date field
residing in the sub-form, and there are 5 Order Date values greater than or equal to
7/23/2008.
COVAR Function
The COVAR function returns covariance, the average of the products of deviations for each data
point pair. Use covariance to determine the relationship between two data sets. For example, you
can examine whether greater income accompanies greater levels of education.

Syntax: COVAR(values1, values2)

COVAR function parameters.
values1 The first set of integers.
values2 The second set of integers.
Note: The arguments must either be numbers or be names or references that contain numbers. If a
reference argument contains text, logical values or empty fields, those values are ignored; however,
fields with the value zero are included. If values1 and values2 have different numbers of data points,
COVAR returns an error. If either set is empty, COVAR returns an error.
Example:
The following table provides an example formula of the COVAR function.
Formula Result
COVAR(REF([Data Set],[Values1]), REF([Data Set], Covariance, the average of the

[Values2])) products of deviations for each data
where Data Set is a cross-reference field, the values in point pair given (5.2)
Values1 are 3, 2, 4, 5, and 6 and the values in Values2 are
9, 7, 12, 15, and 17.
CRITBINOM Function
The CRITBINOM function returns the smallest value for which the cumulative binomial distribution
is greater than or equal to a criterion value. Use this function for quality assurance applications. For
example, use CRITBINOM to determine the greatest number of defective parts that are allowed to
come off an assembly line run without rejecting the entire lot.
Syntax: CRITBINOM(trials,probability_s,alpha)

The following table describes CRITBINOM function parameters.

trials The number of Bernoulli trials.
Note: If any argument is non-numeric or if trials < 0, CRITBINOM returns an error.

If trials is not an integer, it is truncated.
probability_ The probability of a success on each trial.

s
Note: If any argument is non-numeric, if probability_s is < 0, or if probability_s > 1,
CRITBINOM returns an error.
alpha The criterion value.
Note: If any argument is nonnumeric, if alpha < 0, or if alpha > 1, CRITBINOM

returns an error.
Example:
The following table provides an example formula of the CRITBINOM function.
Formula Result
CRITBINOM([Trials],[Probability of Success], Smallest value for which the cumulative

[Criterion]) binomial distribution is greater than or
where the value in the Trials field is 6, the value in equal to a criterion value (4).
the Probability of Success field is 0.5, and the value
in the Criterion field is 0.75.
DEVSQ Function
The DEVSQ function returns the sum of squares of deviations of data points from their sample
mean.
Syntax: DEVSQ(number1, number2,...)

The following table describes DEVSQ function parameters.

number1, 1 to 255 arguments for which you want to calculate the sum of squared deviations.
number2,... You can also use a reference to a set of fields instead of arguments separated by
commas. Arguments can either be numbers or names, or references that contain
numbers. Logical values and text representations of numbers that you type directly
into the list of arguments are counted. If a reference argument contains text, logical
values, or empty cells, those values are ignored; however, fields with the value zero
are included. Arguments that are error values or text that cannot be translated into
Example:
The following table provides an example formula of the DEVSQ function.
Formula Result
DEVSQ(REF([Data Set],[Values1])) Sum of squares of deviations of data

where Data Set is a cross-reference field and the values given from their sample mean (48).
in the Values1 field are 4, 5, 8, 7, 11, 4, and 3.
EXPONDIST Function
The EXPONDIST function returns the exponential distribution. Use EXPONDIST to model the time
between events, such as how long an automated bank teller takes to deliver cash. For example, you
can use EXPONDIST to determine the probability that the process takes at most 1 minute.
Syntax: EXPONDIST(x,lambda,cumulative)
The following table describes EXPONDIST function parameters.
x The value of the function.
Note: If x or lambda is nonnumeric, or if x < 0, EXPONDIST returns an error.
lambda The parameter value.
Note: If x or lambda is nonnumeric or if lambda ≤ 0, EXPONDIST returns an error.

cumulative A logical value that indicates which form of the exponential function to provide. If
cumulative is TRUE, EXPONDIST returns the cumulative distribution function; if
FALSE, it returns the probability density function.
Examples:
The following table provides example formulas of the EXPONDIST function.
Formula Result
EXPONDIST([Function Value],[Parameter Value],TRUE) Cumulative exponential

where the value in the Function Value field is 0.2 and the distribution function (0.864665)
value in the Parameter Value field is 10.
EXPONDIST([Function Value],[Parameter Value],FALSE) Probability exponential distribution

where the value in the Function Value field is 0.2 and the function (1.353353)
value in the Parameter Value field is 10.
FDIST Function
The FDIST function returns the F probability distribution. You can use this function to determine
whether two data sets have different degrees of diversity. For example, you can examine the test
scores of men and women entering high school and determine if the variability in the females is
different from that found in the males. FDIST is calculated as FDIST=P( F>x ), where F is a random
variable that has an F distribution with degrees_freedom1 and degrees_freedom2 degrees of
freedom.
Syntax: FDIST(x,degrees_freedom1,degrees_freedom2)
The following table describes FDIST function parameters.
x The value at which to evaluate the function.
Note: If x is negative, FDIST returns an error.

degrees_ The numerator degrees of freedom.

freedom1
Note: If degrees_freedom1 or degrees_freedom2 is not an integer, it is truncated. If
degrees_freedom1 < 1, if degrees_freedom1 ≥ 10^10, if degrees_freedom2 < 1, or if
degrees_freedom2 ≥ 10^10, FDIST returns an error.
degrees_ The denominator degrees of freedom.

freedom2
Note: If degrees_freedom1 or degrees_freedom2 is not an integer, it is truncated. If
degrees_freedom1 < 1, if degrees_freedom1 ≥ 10^10, if degrees_freedom2 < 1, or if
degrees_freedom2 ≥ 10^10, FDIST returns an error.
Example:
The following table provides an example formula of the FDIST function.
Formula Result
FDIST(15.20686486,[Numerator Degrees of Freedom],[Denominator F probability distribution

Degrees of Freedom]) for the terms (0.01)
where the value in the Numerator Degrees of Freedom field is 6 and the
value in the Denominator Degrees of Freedom field is 4.
FINV Function
The FINV function returns inverse of the F probability distribution. If p = FDIST(x,...), then FINV
(p,...) = x.
The F distribution can be used in an F-test that compares the degree of variability in two data sets.
For example, you can analyze income distributions in the United States and Canada to determine
whether the two countries have a similar degree of income diversity.
FINV can be used to return critical values from the F distribution. For example, the output of an
ANOVA calculation often includes data for the F statistic, F probability, and F critical value at the
0.05 significance level. To return the critical value of F, use the significance level as the probability
argument to FINV.
Given a value for probability, FINV seeks that value x such that FDIST(x, degrees_freedom1,
degrees_freedom2) = probability. Thus, precision of FINV depends on precision of FDIST. FINV
uses an iterative search technique. If the search has not converged after 100 iterations, the function
returns the #N/A error value.
Syntax: FINV(probability,degrees_freedom1,degrees_freedom2)


The following table describes FINV function parameters.
probability A probability associated with the F cumulative distribution.
Note: If probability < 0 or probability > 1, FINV returns an error.
degrees_ The numerator degrees of freedom.

freedom1
Note: If degrees_freedom1 < 1 or degrees_freedom1 ≥ 10^10, FINV returns an
error. If degrees_freedom1 or degrees_freedom2 is not an integer, it is truncated.
degrees_ The denominator degrees of freedom.

freedom2
Note: If degrees_freedom2 < 1 or degrees_freedom2 ≥ 10^10, FINV returns an
error. If degrees_freedom1 or degrees_freedom2 is not an integer, it is truncated.
Example:
The following table provides an example formula of the FINV function.
Formula Result
FINV([Probability],[Numerator Degrees of Freedom],[Denominator Inverse of the F

Degrees of Freedom]) probability distribution for
where the value in the Probability field is 0.01, the value in the the terms (15.20686486)
Numerator Degrees of Freedom field is 6, and the value in the
Denominator Degrees of Freedom field is 4.
FISHER Function
The FISHER function returns the Fisher transformation at x. This transformation produces a function
that is normally distributed rather than skewed. Use this function to perform hypothesis testing on the
correlation coefficient.
Syntax: FISHER(x)

The following table describes the FISHER function parameter.

x A numeric value for which you want the transformation.
Note: If x is nonnumeric, if x ≤ -1, or if x ≥ 1, FISHER returns an error.
Example:
FISHER function.
Formula Result
FISHER(0.75) Fisher transformation at 0.75 (0.972955)
FISHERINV Function
The FISHERINV function returns the inverse of the Fisher transformation. Use this transformation
when analyzing correlations between ranges or sets of fields. If y = FISHER(x), then FISHERINV
(y) = x.
Syntax: FISHERINV(y)
The following table describes the FISHERINV function parameter.
y The value for which you want to perform the inverse of the transformation.
Note: If y is nonnumeric, FISHERINV returns an error.
Example:
FISHERINV function.
Formula Result
FISHERINV(0.972955) Fisher transformation at 0.972955 (0.75)
FORECAST Function
The FORECAST function calculates, or predicts, a future value using existing values. The predicted
value is a y-value for a given x-value. The known values are existing x-values and y-values, and the
new value is predicted using linear regression. You can use this function to predict future sales,

inventory requirements, or consumer trends.

Syntax: FORECAST(x,known_y's,known_x's)
The following table describes FORECAST function parameters.
x The data point for which you want to predict a value.
Note: If x is nonnumeric, FORECAST returns an error.
known_y's The dependent set of data.
Note: If known_y's and known_x's are empty or contain a different number of data
points, FORECAST returns an error.
known_x's The independent set of data.
Note: If the variance of known_x's equals zero, FORECAST returns an error. If

known_y's and known_x's are empty or contain a different number of data points,
FORECAST returns an error.
Example:
The following table provides an example formula of the FORECAST function.
Formula Result
FORECAST(30, REF([Data Set],[Known Y]), REF([Data Set],[Known Predicts a value for y

X])) given an x value of 30
where Data Set is a cross-reference field, the values in the Known Y (10.60725)
field are 6, 7, 9, 15, and 21 and the values in the Known X field are 20,
28, 31, 38, and 40.
GAMMADIST Function
The GAMMADIST function returns the gamma distribution. You can use this function to study
variables that may have a skewed distribution. The gamma distribution is commonly used in queuing
analysis.
Syntax: GAMMADIST(x,alpha,beta,cumulative)

The following table describes GAMMADIST function parameters.

x The value at which you want to evaluate the distribution.
Note: If x < 0 or if nonnumeric, GAMMADIST returns an error.
alpha A parameter to the distribution.
Note: If nonnumeric, if alpha ≤ 0 or if beta ≤ 0, GAMMADIST returns an error.

When alpha is a positive integer, GAMMADIST is also known as the Erlang
distribution.
beta A parameter to the distribution. If beta = 1, GAMMADIST returns the standard

gamma distribution.
Note: If alpha ≤ 0 or if beta ≤ 0 or if nonnumeric, GAMMADIST returns an error.
GAMMADIST returns the cumulative distribution function; if FALSE, it returns the
probability density function.
Note: For a positive integer n, when alpha = n/2, beta = 2, and cumulative = TRUE,
GAMMADIST returns (1 - CHIDIST(x)) with n degrees of freedom.
Examples:
The following table provides example formulas of the GAMMADIST function.
Formula Result
GAMMADIST([Value to Evaluate Distribution],[Alpha], Probability gamma

[Beta],FALSE) distribution with the terms
where the value in the Value to Evaluate Distribution field is given (.03263913)
10.00001131, the value in the Alpha field is 9, and the value in the
Beta field is 2.
GAMMADIST([Value to Evaluate Distribution],[Alpha], Cumulative gamma

[Beta],TRUE) distribution with the terms
where the value in the Value to Evaluate Distribution field is given (0.068094)
10.00001131, the value in the Alpha field is 9, and the value in the
Beta field is 2.
GAMMAINV Function
The GAMMAINV function returns the gamma cumulative distribution. If p = GAMMADIST(x,...),

then GAMMAINV(p,...) = x.
Syntax: GAMMAINV(probability,alpha,beta)
The following table describes GAMMAINV function parameters.
probability The probability associated with the gamma distribution.
Note: If probability < 0 or probability > 1, GAMMAINV returns an error.
alpha A parameter to the distribution.
Note: If alpha ≤ 0 or if beta ≤ 0, GAMMAINV returns an error.
beta A parameter to the distribution. If beta = 1, GAMMAINV returns the standard

gamma distribution.
Note: If alpha ≤ 0 or if beta ≤ 0, GAMMAINV returns an error.
Note: If any argument is text, GAMMAINV returns the #VALUE! error value.
Given a value for probability, GAMMAINV seeks that value x such that GAMMADIST(x, alpha,
beta, TRUE) = probability. Therefore, precision of GAMMAINV depends on precision of
GAMMADIST. GAMMAINV uses an iterative search technique. If the search has not converged
after 100 iterations, the function returns an error.
Example:
The following table provides an example formula of the GAMMAINV function.
Formula Result
GAMMAINV([Probability],[Alpha],[Beta] Inverse of the gamma cumulative

where the value in the Probability field is 0.068094, the distribution for the terms given
value in the Alpha field is 9, and the value in the Beta (10.00001131)
field is 2.
GAMMALN Function
The GAMMALN function returns the natural logarithm of the gamma function, Γ(x).
Syntax: GAMMALN(x)


The following table describes the GAMMALN function parameter.
x The value for which you want to calculate GAMMALN.
Note: If x is nonnumeric or if x ≤ 0, GAMMALN returns an error. The number e

raised to the GAMMALN(i) power, where i is an integer, returns the same result as
(i - 1)!.
Example:
GAMMALN function.
Formula Result
GAMMALN(4) Natural logarithm of the gamma function at 4 (1.791759)
GEOMEAN Function
The GEOMEAN function returns the geometric mean of a set of positive data. For example, you can
use GEOMEAN to calculate average growth rate given compound interest with variable rates.
Syntax: GEOMEAN(number1,number2,...)
The following table describes GEOMEAN function parameters.
number1, 1 to 255 arguments for which you want to calculate the mean.
number2,...
Logical values and text representations of numbers that you type directly into the list
of arguments are counted. If a reference argument contains text, logical values, or
empty fields, those values are ignored; however, fields with the value zero are
included. Arguments that are error values or text that cannot be translated into
numbers cause errors. If any data point ≤ 0, GEOMEAN returns an error.
Example:

The following table provides an example formula of the GEOMEAN function.

Formula Result
GEOMEAN(REF([Data Set],[Values]) Geometric mean of the data

where Data Set is a cross-reference field and the values in the set given (5.476987)
Values field are 4, 5, 8, 7, 11, 4, and 3.
HARMEAN Function
The HARMEAN function returns the harmonic mean of a data set. The harmonic mean is the
reciprocal of the arithmetic mean of reciprocals.
Syntax: HARMEAN(number1, number2,...)
The following table describes HARMEAN function parameters.
number1, 1 to 255 arguments for which you want to calculate the mean.
number2,...
Note: The harmonic mean is always less than the geometric mean, which is always
less than the arithmetic mean. Arguments can either be numbers, names, or
references that contain numbers. Logical values and text representations of numbers
that you type directly into the list of arguments are counted. If a reference argument
contains text, logical values, or empty fields, those values are ignored; however,
fields with the value zero are included. Arguments that are error values or text that
cannot be translated into numbers cause errors. If any data point ≤ 0, HARMEAN
returns an error.
Example:
The following table provides an example formula of the HARMEAN function.
Formula Result
HARMEAN(REF([Data Set],[Values]) Harmonic mean of the data

where Data Set is a cross-reference field and the values in the set given (5.028376)
Values field are 4, 5, 8, 7, 11, 4, and 3.
HYPGEOMDIST Function
The HYPGEOMDIST function returns the hypergeometric distribution. HYPGEOMDIST returns
the probability of a given number of sample successes, given the sample size, population successes,

and population size. Use HYPGEOMDIST for problems with a finite population, where each
observation is either a success or a failure, and where each subset of a given size is chosen with
equal likelihood.
Syntax: HYPGEOMDIST(sample_s,number_sample,population_s,number_population)
The following table describes HYPGEOMDIST function parameters.
sample_s The number of successes in the sample.
Note: If sample_s < 0 or sample_s is greater than the lesser of number_sample or

population_s, HYPGEOMDIST returns an error. If sample_s is less than the larger
of 0 or (number_sample - number_population + population_s), HYPGEOMDIST
returns an error.
number_ The size of the sample.

sample
Note: If number_sample ≤ 0 or number_sample > number_population,
HYPGEOMDIST returns an error.
population_ The number of successes in the population.

s
Note: If population_s ≤ 0 or population_s > number_population, HYPGEOMDIST
returns an error.
number_ The population size.

population
Note: If number_population ≤ 0, HYPGEOMDIST returns an error.
Note: All arguments are truncated to integers. If any argument is nonnumeric, HYPGEOMDIST
returns an error.

Example:
The following table provides an example formula of the HYPGEOMDIST function.
Formula Result
HYPGEOMDIST([Number of Caramels in Sample],[Sample Size],[Total Hypergeometric

Number of Caramels],[Total Chocolates]) distribution for
where a sampler of chocolates contains 20 pieces. Eight pieces are caramels, sample and
and the remaining 12 are nuts. If a person selects 4 pieces at random, the population
HYPGEOMDIST function returns the probability that exactly 1 piece is a given
caramel. The value in the Number of Caramels in Sample field is 1, the value in (0.363261)
the Sample Size field is 4, the value in the Total Number of Caramels field is 8,
and the value in the Total Chocolates field is 20.
INTERCEPT Function
The INTERCEPT function calculates the point at which a line will intersect the y-axis by using
existing x-values and y-values. The intercept point is based on a best-fit regression line plotted
through the known x-values and known y-values. Use the INTERCEPT function when you want to
determine the value of the dependent variable when the independent variable is 0 (zero). For
example, you can use the INTERCEPT function to predict a metal's electrical resistance at 0° C
when your data points were taken at room temperature and higher.
Syntax: INTERCEPT(known_y's,known_x's)
The following table describes INTERCEPT function parameters.
known_y's The dependent set of observations or data.
Note: If known_y's and known_x's contain a different number of data points or

contain no data points, INTERCEPT returns an error.
known_x's The independent set of observations or data.
Note: If known_y's and known_x's contain a different number of data points or

contain no data points, INTERCEPT returns an error.
Note: The arguments must be either numbers, names, or references that contain numbers. If a
reference argument contains text, logical values, or empty fields, those values are ignored; however,
fields with the value zero are included.

The underlying algorithm used in the INTERCEPT and SLOPE functions is different than the
underlying algorithm used in the LINEST function. The difference between these algorithms can
lead to different results when data is undetermined and collinear. For example, if the data points of
the known_y's argument are 0 and the data points of the known_x's argument are 1:
l INTERCEPT and SLOPE return an error. The INTERCEPT and SLOPE algorithm is designed to
look for one and only one answer, and in this case there can be more than one answer.
l LINEST returns a value of 0. The LINEST algorithm is designed to return reasonable results for
collinear data, and in this case at least one answer can be found.
Example:
The following table provides an example formula of the INTERCEPT function.
Formula Result
INTERCEPT(REF([Data Set],[Y Axis]),REF([Data Set], Point at which a line will intersect the
[X Axis])) y-axis by using the x-values and y-
where Data Set is a cross-reference field, the values in values given (0.0483871)
the Y Axis field are 2, 3, 9, 1, and 8, and the values in the
X Axis field are 6, 5, 11, 7, and 5.
KURT Function
The KURT function returns the kurtosis of a data set. Kurtosis characterizes the relative peakedness
or flatness of a distribution compared with the normal distribution. Positive kurtosis indicates a
relatively peaked distribution. Negative kurtosis indicates a relatively flat distribution.
Syntax: KURT(number1,number2,...)
The following table describes KURT function parameters.
number1, 1 to 255 arguments for which you want to calculate kurtosis. Arguments can either
number2,... be numbers, names, or references that contain numbers. Logical values and text
representations of numbers that you type directly into the list of arguments are
counted. If a reference argument contains text, logical values, or empty cells, those
values are ignored; however, fields with the value zero are included. Arguments that
are error values or text that cannot be translated into numbers cause errors.
Note: If there are fewer than four data points, or if the standard deviation of the
sample equals zero, KURT returns an error.

Example:
The following table provides an example formula of the KURT function.
Formula Result
KURT(REF([Data Set],[Values])) Kurtosis of the data

where Data Set is a cross-reference field and the values in the Values set (-0.1518)
field are 3, 4, 5, 2, 3, 4, 5, 6, 4, and 7.
LARGE Function
The LARGE function returns the k-th largest value in a data set. You can use this function to select
a value based on its relative standing. For example, you can use LARGE to return the highest,
runner-up, or third-place score.
Syntax: LARGE(values,k)
The following table describes LARGE function parameters.
values The set of fields for which you want to determine the k-th largest value.
Note: If the set of fields is empty, LARGE returns an error.
k The position (from the largest) in the set of data to return.
Note: If k ≤ 0 or if k is greater than the number of data points, LARGE returns an

error.
Note: If n is the number of data points in a range, then LARGE(values,1) returns the largest value,
and LARGE(values,n) returns the smallest value.
Examples:
The following table provides example formulas of the LARGE function.
Formula Result
LARGE(REF([Data Set],[Values]),3) 3rd largest number in the

where Data Set is a cross-reference field and the values in the numbers given (5)
Values field are 3, 5, 3, 5, 4, 4, 2, 4, 6, and 7.

Formula Result
LARGE(REF([Data Set],[Values]),7) 7th largest number in the

where Data Set is a cross-reference field and the values in the numbers given (4)
LOGINV Function
The LOGINV function returns the inverse of the lognormal cumulative distribution function of x,
where ln(x) is normally distributed with parameters mean and standard_dev. If p =
LOGNORMDIST(x,...) then LOGINV(p,...) = x. Use the lognormal distribution to analyze
logarithmically transformed data.
Syntax: LOGINV(probability,mean,standard_dev)
The following table describes LOGINV function parameters.
probability A probability associated with the lognormal distribution.
Note: If probability < 0 or probability > 1 or if any argument is nonnumeric,

LOGINV returns an error.
mean The mean of ln(x).
Note: If any argument is nonnumeric, LOGINV returns an error.
standard_ The standard deviation of ln(x).

dev
Note: If standard_dev <= 0 or if any argument is nonnumeric, LOGINV returns an
error.
Example:
The following table provides an example formula of the LOGINV function.
Formula Result
LOGINV Inverse of the lognormal cumulative distribution function for the terms
(0.039084,3.5,1.2) given (4.000014)
LOGNORMDIST Function
The LOGNORMDIST function returns the cumulative lognormal distribution of x, where ln(x) is

normally distributed with parameters mean and standard_dev. Use this function to analyze data that
has been logarithmically transformed.
Syntax: LOGNORMDIST(x,mean,standard_dev)
The following table describes LOGNORMDIST function parameters.
x The value at which to evaluate the function.
Note: If x ≤ 0, if standard_dev ≤ 0, or if any argument is nonnumeric,

LOGNORMDIST returns an error.
mean The mean of ln(x).
Note: If any argument is nonnumeric, LOGNORMDIST returns an error.
standard_ The standard deviation of ln(x).

dev
Note: If x ≤ 0, if standard_dev ≤ 0 or if any argument is nonnumeric,
LOGNORMDIST returns an error.
Example:
The following table provides an example formula of the LOGNORMDIST function.
Formula Result
LOGNORMDIST Cumulative lognormal distribution at 4 with the terms given

(4,3.5,1.2) (0.039084)
MAX Function
The MAX function returns the largest value in a set of values.
Syntax: MAX(value1, value2,...)

The following table describes MAX function parameters.

value1, Values for which you want to find a maximum value. Only Numeric and Date fields
value2, can be evaluated.
Note: When evaluating a Date field, MAX will return a serial number that
represents the largest date (furthest from January 1, 1900); the function will not
return a date string.
Examples:
The following table provides example formulas of the MAX function.
Formula Result
MAX([Risk], [Criticality], [Availability]) 12

MAX(REF([Orders], [Price])) 746.99

where the greatest value in the Price field across all the rows in the Orders Sub-Form
field is 746.99.
MAXA Function
The MAXA function returns the largest value in a list of arguments. Unlike the MAX function, the
MAXA function is not restricted to working with only Date and Numeric fields.
Syntax: MAXA(value1, value2,...)

The following table describes MAXA function parameters.

value1, 1 to 255 values for which you want to find the largest value. Note that:
value2,... l Arguments can be the following: numbers; names or references that contain
numbers; text representations of numbers; or logical values, such as TRUE and
FALSE, in a reference.
l Logical values and text representations of numbers that you type directly into the
list of arguments are counted.
l If an argument is a reference, only values in that reference are used. Empty
fields and text values in the reference are ignored.
l Arguments that are error values or text that cannot be translated into numbers
cause errors.
l Arguments that contain TRUE evaluate as 1; arguments that contain text or
FALSE evaluate as 0 (zero).
l If the arguments contain no values, MAXA returns 0 (zero).
l If you do not want to include logical values and text representations of numbers in
a reference as part of the calculation, use the MAX function.
Example:
The following table provides an example formula of the MAXA function.
Formula Result
MAXA(REF([Data Set],[Values])) Largest of the numbers given.

where Data Set is a cross-reference field and the values in the TRUE evaluates to 1 (1)
Values field are 0, 0.2, 0.5, 0.4 and TRUE.
MEDIAN Function
The MEDIAN function returns the median of the given numbers. The median is the number in the
middle of a set of numbers.
Syntax: MEDIAN(number1, number2,...)

The following table describes MEDIAN function parameters.

number1, 1 to 255 numbers for which you want the median. Note that:
number2,... l If there is an even number of numbers in the set, MEDIAN calculates the
average of the two numbers in the middle. See the second formula in the
example.
l Arguments can be numbers, names or references that contain numbers.
l Logical values and text representations of numbers that you type directly into the
list of arguments are counted.
l If a reference argument contains text, logical values, or empty fields, those
values are ignored; however, fields with the value zero are included.
cause errors.
The MEDIAN function measures central tendency, which is the location of the
center of a group of numbers in a statistical distribution. The three most common
measures of central tendency are:
l Average. The arithmetic mean, and is calculated by adding a group of numbers
and then dividing by the count of those numbers. For example, the average of 2,
3, 3, 5, 7, and 10 is 30 divided by 6, which is 5.
l Median. The middle number of a group of numbers; that is, half the numbers
have values that are greater than the median, and half the numbers have values
that are less than the median. For example, the median of 2, 3, 3, 5, 7, and 10 is
4.
l Mode. The most frequently occurring number in a group of numbers. For
example, the mode of 2, 3, 3, 5, 7, and 10 is 3.
For a symmetrical distribution of a group of numbers, these three measures of

central tendency are all the same. For a skewed distribution of a group of numbers,
they can be different.
Examples:

The following table provides example formulas of the MEDIAN function.

Formula Result
MEDIAN(REF([Data Set],[Values])) Median of the 5 numbers in the list

where Data Set is a cross-reference field and the values in given (3)
the Values field are 1, 2, 3, 4, and 5.
MEDIAN(REF([Data Set],[Values])) Median of all the numbers given, or

where Data Set is a cross-reference field and the values in the average of 3 and 4 (3.5)
the Values field are 1, 2, 3, 4, 5, and 6.
MIN Function
The MIN function returns the smallest value in a set of values.
Syntax: MIN(value1, value2,...)
The following table describes MIN function parameters.
value1, Values for which you want to find a minimum value. Only Numeric and Date fields
value2, can be evaluated.
Note: When evaluating a Date field, MIN will return a serial number that
represents the smallest date (closest to January 1, 1900); the function will not return
a date string.
Examples:
The following table provides example formulas of the MIN function.
Formula Result
MIN([Risk], [Criticality], [Availability]) 5

MIN(REF([Orders], [Price])) 10.62

where the smallest value in the Price field across all the rows in the Orders Sub-Form
field is 10.62.

MINA Function
The MINA function returns the smallest value in the list of arguments.
Syntax: MINA(value1, value2,...)
The following table describes MINA function parameters.
value1, 1 to 255 values for which you want to find the smallest value. Note that:
value2,... l Arguments can be numbers; names or references that contain numbers; text
representations of numbers; or logical values, such as TRUE and FALSE, in a
reference.
l If an argument is a reference, only values in that reference are used. Empty
fields and text values in the reference are ignored.
l Arguments that contain TRUE evaluate as 1; arguments that contain text or
FALSE evaluate as 0 (zero).
cause errors.
l If the arguments contain no values, MINA returns 0.
l If you do not want to include logical values and text representations of numbers in
a reference as part of the calculation, use the MIN function.
Example:
The following table provides an example formula of the MINA function.
Formula Result
MINA(REF([Data Set],[Values])) Smallest of the numbers given.

where Data Set is a cross-reference field and the values in the FALSE evaluates to 0 (0)
Values field are FALSE, 0.2, 0.5, 0.4, and 0.8.
MODE Function
The MODE function returns the most frequently occurring, or repetitive, value in a set of data.
Syntax: MODE(number1,number2,...)

The following table describes MODE function parameters.

number1, 1 to 255 arguments for which you want to calculate the mode.
number2,... Arguments can be numbers, names, or references that contain numbers.
If a reference argument contains text, logical values, or empty fields, those values
are ignored; however, fields with the value zero are included.
Arguments that are error values or text that cannot be translated into numbers cause
errors.
If the data set contains no duplicate data points, MODE returns an error.
The MODE function measures central tendency, which is the location of the center
of a group of numbers in a statistical distribution. The three most common measures
of central tendency are:
l Average. The arithmetic mean, and is calculated by adding a group of numbers
and then dividing by the count of those numbers. For example, the average of 2,
3, 3, 5, 7, and 10 is 30 divided by 6, which is 5.
l Median. The middle number of a group of numbers; that is, half the numbers
have values that are greater than the median, and half the numbers have values
that are less than the median. For example, the median of 2, 3, 3, 5, 7, and 10 is
4.
l Mode. The most frequently occurring number in a group of numbers. For
example, the mode of 2, 3, 3, 5, 7, and 10 is 3.
For a symmetrical distribution of a group of numbers, these three measures of

central tendency are all the same. For a skewed distribution of a group of numbers,
they can be different.
Example:
The following table provides an example formula of the MODE function.
Formula Result
MODE(REF([Data Set],[Values])) Mode, or most frequently

where Data Set is a cross-reference field and the values in the occurring number given (4)
Values field are 5.6, 4, 4, 3, 2, and 4.
NEGBINOMDIST Function
The NEGBINOMDIST function returns the negative binomial distribution. NEGBINOMDIST
returns the probability that there will be number_f failures before the number_s-th success, when the

constant probability of a success is probability_s. This function is similar to the binomial distribution,
except that the number of successes is fixed, and the number of trials is variable. Like the binomial,
trials are assumed to be independent.
For example, you need to find 10 people with excellent reflexes, and you know the probability that a
candidate has these qualifications is 0.3. NEGBINOMDIST calculates the probability that you will
interview a certain number of unqualified candidates before finding all 10 qualified candidates.
Syntax: NEGBINOMDIST(number_f,number_s,probability_s)
The following table describes NEGBINOMDIST function parameters.
number_f The number of failures.
Note: If number_f < 0 or number_s < 1, NEGBINOMDIST returns an error.

Number_f and number_s are truncated to integers. If any argument is nonnumeric,
NEGBINOMDIST returns an error.
number_s The threshold number of successes.
Note: Number_f and number_s are truncated to integers. If any argument is

nonnumeric, NEGBINOMDIST returns an error.
probability_ The probability of a success.

s
Note: If probability_s < 0, if probability > 1, or if any argument is nonnumeric,
NEGBINOMDIST returns an error.
Example:
The following table provides an example formula of the NEGBINOMDIST function.
Formula Result
NEGBINOMDIST(10,5,0.25) Negative binomial distribution for the terms given (0.055049)
NORMDIST Function
The NORMDIST function returns the normal distribution for the specified mean and standard
deviation. This function has a very wide range of applications in statistics, including hypothesis
testing.
Syntax: NORMDIST(x,mean,standard_dev,cumulative)


The following table describes NORMDIST function parameters.
x The value for which you want the distribution.
mean The arithmetic mean of the distribution.
Note: If mean = 0, standard_dev = 1, and cumulative = TRUE, NORMDIST returns

the standard normal distribution, NORMSDIST. If mean or standard_dev is
nonnumeric, NORMDIST returns an error.
standard_ The standard deviation of the distribution.

dev
Note: If standard_dev ≤ 0, NORMDIST returns an error. If mean = 0, standard_dev
= 1, and cumulative = TRUE, NORMDIST returns the standard normal distribution,
NORMSDIST. If mean or standard_dev is nonnumeric, NORMDIST returns an
error.
NORMDIST returns the cumulative distribution function; if FALSE, it returns the
probability mass function.
Note: When cumulative = TRUE, the formula is the integral from negative infinity
to x of the given formula. If mean = 0, standard_dev = 1, and cumulative = TRUE,
NORMDIST returns the standard normal distribution, NORMSDIST.
Examples:
The following table provides example formulas of the NORMDIST function.
Formula Result
NORMDIST(42,40,1.5,TRUE) Cumulative distribution function for the terms given (0.908789)
NORMDIST(42,40,1.5,FALSE) Probability mass function for the terms given (0.10934005)
NORMINV Function
The NORMINV function returns the inverse of the normal cumulative distribution for the specified
mean and standard deviation.
Given a value for probability, NORMINV seeks that value x such that NORMDIST(x, mean,
standard_dev, TRUE) = probability. Thus, precision of NORMINV depends on precision of
NORMDIST. NORMINV uses an iterative search technique. If the search has not converged after
100 iterations, the function returns the #N/A error value.


Syntax: NORMINV(probability,mean,standard_dev)
The following table describes NORMINV function parameters.
probability A probability corresponding to the normal distribution.
Note: If probability < 0 or if probability > 1, NORMINV returns the #NUM! error
value. If any argument is nonnumeric, NORMINV returns the #VALUE! error
value.
Note: If mean = 0 and standard_dev = 1, NORMINV uses the standard normal

distribution. If any argument is nonnumeric, NORMINV returns the #VALUE! error
value.
standard_ The standard deviation of the distribution.

dev
Note: If mean = 0 and standard_dev = 1, NORMINV uses the standard normal
distribution. If any argument is nonnumeric, NORMINV returns the #VALUE! error
value.
Example:
The following table provides an example formula of the NORMINV function.
Formula Result
NORMINV Inverse of the normal cumulative distribution for the terms given
(0.908789,40,1.5) (42)
PEARSON Function
The PEARSON function returns the Pearson product moment correlation coefficient, r, a
dimensionless index that ranges from -1.0 to 1.0 inclusive and reflects the extent of a linear
relationship between two data sets.
Syntax: PEARSON(values1,values2)

The following table describes PEARSON function parameters.

values1 A set of independent values.
Note: The arguments must be numbers, names or references that contain numbers.
are ignored; however, fields with the value zero are included. If values1 and values2
are empty or have a different number of data points, PEARSON returns an error.
values2 A set of dependent values.
Note: The arguments must be numbers, names or references that contain numbers.
are ignored; however, fields with the value zero are included. If values1 and values2
are empty or have a different number of data points, PEARSON returns an error.
Example:
The following table provides an example formula of the PEARSON function.
Formula Result
PEARSON( REF([Data Set],[Independent Values]), REF([Data Pearson product moment

Set],[Dependent Values])) correlation coefficient for the
where Data Set is a cross-reference field, the values in the data sets given (0.699379)
Independent Values field are 9, 7, 5, 3, and 1 and the values in
the Dependent Values field are 10, 6, 1, 5, and 3.
PERCENTILE Function
The PERCENTILE function returns the k-th percentile of values in a range. You can use this
function to establish a threshold of acceptance. For example, you can decide to examine candidates
who score above the 90th percentile.
Syntax: PERCENTILE(values,k)

The following table describes PERCENTILE function parameters.

values The set of fields that defines relative standing.
Note: If the set is empty or contains more than 8,191 data points, PERCENTILE
returns an error.
k The percentile value in the range 0..1, inclusive.
Note: If k is nonnumeric, if k is < 0 or if k > 1, PERCENTILE returns an error. If k

is not a multiple of 1/(n - 1), PERCENTILE interpolates to determine the value at
the k-th percentile.
Example:
The following table provides an example formula of the PERCENTILE function.
Formula Result
PERCENTILE(REF([Data Set],[Values]),0.3) 30th percentile of the list

where Data Set is a cross-reference field and the values in the given (1.9)
Values field are 1, 3, 2, and 4.
PERCENTRANK Function
The PERCENTRANK function returns the rank of a value in a data set as a percentage of the data
set. This function can be used to evaluate the relative standing of a value within a data set. For
example, you can use PERCENTRANK to evaluate the standing of an aptitude test score among all
scores for the test.
Syntax: PERCENTRANK(values,x,significance)
The following table describes PERCENTRANK function parameters.
values The reference to a set of fields with numeric values that defines relative standing.
Note: If the set is empty, PERCENTRANK returns an error.

x The value for which you want to know the rank.
Note: If x does not match one of the values in the field, PERCENTRANK
interpolates to return the correct percentage rank.
significance An optional value that identifies the number of significant digits for the returned
percentage value. If omitted, PERCENTRANK uses three digits (0.xxx).
Note: If significance < 1, PERCENTRANK returns an error.
Examples:
The following table provides example formulas of the PERCENTRANK function.
Formula Result
PERCENTRANK(REF([Data Set], Percent rank of 2 in the list given (0.333, because 3

[Values]),2) values in the set are smaller than 2, and 6 are larger
where Data Set is a cross-reference field than 2; 3/(3+6)=0.333)
and the values in the Values field are 13,
12, 11, 8, 4, 3, 2, 1, 1, and 1.
PERCENTRANK(REF([Data Set], Percent rank of 4 in the list given (0.555)

[Values]),4)
where Data Set is a cross-reference field
12, 11, 8, 4, 3, 2, 1, 1, and 1.
PERCENTRANK(REF([Data Set], Percent rank of 8 in the list given (0.666)

[Values]),8)
where Data Set is a cross-reference field
12, 11, 8, 4, 3, 2, 1, 1, and 1.
PERCENTRANK(REF([Data Set], Percent rank of 5 in the list given (0.583, one-

[Values]),5) quarter of the way between the PERCENTRANK
where Data Set is a cross-reference field of 4 and the PERCENTRANK of 8)
12, 11, 8, 4, 3, 2, 1, 1, and 1.
PERMUT Function
The PERMUT function returns the number of permutations for a given number of objects that can be

selected from number objects. A permutation is any set or subset of objects or events where internal
order is significant. Permutations are different from combinations, for which the internal order is not
significant. Use this function for lottery-style probability calculations.
Syntax: PERMUT(number,number_chosen)
The following table describes PERMUT function parameters.
number An integer that describes the number of objects.
Note: Both arguments are truncated to integers. If number or number_chosen is

nonnumeric, if number ≤ 0 or if number_chosen < 0, or if number < number_chosen,
PERMUT returns an error.
number_ An integer that describes the number of objects in each permutation.

chosen
Note: Both arguments are truncated to integers. If number or number_chosen is
nonnumeric, if number ≤ 0 or if number_chosen < 0 or if number < number_chosen,
PERMUT returns an error.
Example:
You want to calculate the odds of selecting a winning lottery number. Each lottery number contains
three numbers, each of which can be between 0 (zero) and 99, inclusive.
The following table provides an example formula of the PERMUT func-
tion. The function calculates the number of possible permutations.
Formula Result
PERMUT(100,3) Permutations possible for the terms given (970200)
POISSON Function
The POISSON function returns the Poisson distribution. A common application of the Poisson
distribution is predicting the number of events over a specific time, such as the number of cars
arriving at a toll plaza in 1 minute.
Syntax: POISSON(x,mean,cumulative)

The following table describes POISSON function parameters.

x The number of events.
Note: If x is not an integer, it is truncated. If x or mean is non-numeric, or if x < 0,

POISSON returns an error.
mean The expected numeric value.
Note: If mean < 0, POISSON returns an error.
cumulative A logical value that determines the form of the probability distribution returned. If
cumulative is TRUE, POISSON returns the cumulative Poisson probability that the
number of random events occurring will be between zero and x inclusive; if FALSE,
it returns the Poisson probability mass function that the number of events occurring
will be exactly x.
Examples:
The following table provides example formulas of the POISSON function.
Formula Result
POISSON(2,5,TRUE) Cumulative Poisson probability with the terms given (0.124652)
POISSON(2,5,FALSE) Poisson probability mass function with the terms given (0.084224)
PROB Function
The PROB function returns the probability that values in a range are between two limits. If upper_
limit is not supplied, returns the probability that values in x_range are equal to lower_limit.
Syntax: PROB(x_range,prob_range,lower_limit,upper_limit)
The following table describes PROB function parameters.
x_range The range of numeric values of x with which there are associated probabilities.
Note: If x_range and prob_range contain a different number of data points, PROB
returns an error.

prob_range A set of probabilities associated with values in x_range.
Note: If any value in prob_range ≤ 0 or if any value in prob_range > 1, PROB

returns an error. If the sum of the values in prob_range is not equal to 1, PROB
returns an error. If x_range and prob_range contain a different number of data
points, PROB returns an error.
lower_limit The lower bound on the value for which you want a probability.
upper_limit The optional upper bound on the value for which you want a probability.
Note: If upper_limit is omitted, PROB returns the probability of being equal to

lower_limit.
Examples:
The following table provides example formulas of the PROB function.
Formula Result
PROB([X Range],[Set of Probabilities],[Lower Limit]) Probability that

where the values in the X Range field are 0, 1, 2, and 3, the values in the Set of x is 2 (0.1)
Probabilities field are 0.2, 0.3, 0.1, and 0.4, and the value in the Lower Limit
field is 2.
PROB([X Range],[Set of Probabilities],[Lower Limit],[Upper Limit]) Probability that

where the values in the X Range field are 0, 1, 2, and 3, the values in the Set of x is between 1
Probabilities field are 0.2, 0.3, 0.1, and 0.4, the value in the Lower Limit field is and 3 (0.8)
1, and the value in the Upper Limit field is 3.
QUARTILE Function
The QUARTILE function returns the quartile of a data set. Quartiles often are used in sales and
survey data to divide populations into groups. For example, you can use QUARTILE to find the top
25 percent of incomes in a population.
Syntax: QUARTILE(range,quart)

The following table describes QUARTILE function parameters.

range The reference to a range of numeric values for which you want the quartile value.
Note: If this parameter is empty, QUARTILE returns an error.
quart Indicates which value to return.

l If quart equals 0, QUARTILE returns Minimum value.
l If quart equals 1, QUARTILE returns First quartile (25th percentile).
l If quart equals 2, QUARTILE returns Median value (50th percentile).
l If quart equals 3, QUARTILE returns Third quartile (75th percentile).
l If quart equals 4, QUARTILE returns Maximum value.
Note: If quart is not an integer, it is truncated. If quart < 0 or if quart > 4,

QUARTILE returns an error. MIN, MEDIAN, and MAX return the same value as
QUARTILE when quart is equal to 0 (zero), 2, and 4, respectively.
Example:
The following table provides an example formula of the QUARTILE function.
Formula Result
QUARTILE( REF( [Data Set], [Values]), 1) First quartile (25th percentile)

where Data Set is a cross-reference field and the values in the of the data given (3.5)
Values field are 1, 2, 4, 7, 8, 9, 10 and 12.
RANK Function
The RANK function returns the rank of a number in a list of numbers. The rank of a number is its
size relative to other values in a list. (If you were to sort the list, the rank of the number would be its
position.)
RANK gives duplicate numbers the same rank. However, the presence of duplicate numbers affects
the ranks of subsequent numbers. For example, in a list of integers sorted in ascending order, if the
number 10 appears twice and has a rank of 5, then 11 would have a rank of 7 (no number would have
a rank of 6).
For some purposes, you might want to use a definition of rank that takes ties into account. In the
previous example, you would want a revised rank of 5.5 for the number 10. This can be done by
adding the following correction factor to the value returned by RANK. This correction factor is
appropriate both for the case where rank is computed in descending order (order = 0 or omitted) or
ascending order (order = nonzero value).

Correction factor for tied ranks = [COUNT(ref) + 1 – RANK(number, ref, 0) – RANK(number, ref,
1)] / 2.
Syntax: RANK(number,values,order)
The following table describes RANK function parameters.
number The number whose rank you want to find.
values A reference to a list of numbers. Nonnumeric values are ignored.
order A number specifying how to rank number.

l If order is 0 (zero) or omitted, Archer ranks number as if values were a list
sorted in descending order.
l If order is any non-zero value, Archer ranks number as if values were a list
sorted in ascending order.
Examples:
The following table provides example formulas of the RANK function.
Formula Result
RANK(3.5,REF([Data Set], Rank of 3.5 in the list given (3)

[Values]),1) The correction factor is (5 + 1 – 2 – 3)/2 = 0.5 and the revised rank
where Data Set is a cross- that takes ties into account is 3 + 0.5 = 3.5. If number occurs only
reference field and the once in ref, the correction factor will be 0, since RANK would not
values in the Values field have to be adjusted for a tie.
are 7, 3.5, 3.5, 1, and 2.
RANK(7,REF([Data Set], Rank of 7 in the list given (5)

[Values]),1)
where Data Set is a cross-
reference field and the
values in the Values field
are 7, 3.5, 3.5, 1, and 2.

RSQ Function
The RSQ function returns the square of the Pearson product moment correlation coefficient through
data points in known_y's and known_x's. For more information, see the PEARSON function. The r-
squared value can be interpreted as the proportion of the variance in y attributable to the variance in
x. Note that:
l Arguments can either be numbers, names, or references that contain numbers.
l Logical values and text representations of numbers that you type directly into the list of arguments
are counted.
l If a reference argument contains text, logical values, or empty fields, those values are ignored;
however, fields with the value zero are included.
l Arguments that are error values or text that cannot be translated into numbers cause errors.

Syntax: RSQ(known_y's,known_x's)
The following table describes RSQ
function parameters.
known_y's A set of data points.
known_x's A set of data points.
Note: If known_y's and known_x's are empty or have a different number of data points, RSQ returns
an error. If known_y's and known_x's contain only 1 data point, RSQ returns an error.
Example:
The following table provides an example formula of the RSQ function.
Formula Result
RSQ(REF([Data Set],[Known Y]),REF([Data Set],[Known Square of the Pearson product

X])) moment correlation coefficient
where Data Set is a cross-reference field, the values in the through data points given (0.05795)
Known Y field are 2, 3, 9, 1, 8, 7, and 5, and the values in
the Known X field are 6, 5, 11, 7, 5, 4, and 4.
SKEW Function
The SKEW function returns the skewness of a distribution. Skewness characterizes the degree of

asymmetry of a distribution around its mean. Positive skewness indicates a distribution with an
asymmetric tail extending toward more positive values. Negative skewness indicates a distribution
with an asymmetric tail extending toward more negative values.
Syntax: SKEW(number1,number2,...)
The following table describes SKEW function parameters.
number1, 1 to 255 arguments for which you want to calculate skewness.

number2,...
of arguments are counted. If a reference argument contains text, logical values, or
empty fields, those values are ignored; however, fields with the value zero are
included. Arguments that are error values or text that cannot be translated into
numbers cause errors. If there are fewer than three data points, or the sample
standard deviation is zero, SKEW returns an error.
Example:
The following table provides an example formula of the SKEW function.
Formula Result
SKEW(REF([Data Set],[Values])) Skewness of a distribution of the

where Data Set is a cross-reference field and the values in the data set given (0.359543)
SLOPE Function
The SLOPE function returns the slope of the linear regression line through data points in known_y's
and known_x's. The slope is the vertical distance divided by the horizontal distance between any two
points on the line, which is the rate of change along the regression line.
The underlying algorithm used in the SLOPE and INTERCEPT functions is different than the
underlying algorithm used in the LINEST function. The difference between these algorithms can
lead to different results when data is undetermined and collinear. For example, if the data points of
the known_y's argument are 0 and the data points of the known_x's argument are 1, then:
l SLOPE and INTERCEPT return errors. The SLOPE and INTERCEPT algorithm is designed to
look for one and only one answer, and in this case there can be more than one answer.

l LINEST returns a value of 0. The LINEST algorithm is designed to return reasonable results for
collinear data, and in this case at least one answer can be found.

Syntax: SLOPE(known_y's,known_x's)
The following table describes SLOPE function para-
meters.
known_y's A set of numeric dependent data points.
known_x's The set of independent data points.
Note: The arguments must be numbers, names, or references that contain numbers. If a reference
argument contains text, logical values, or empty fields, those values are ignored; however, fields
with the value zero are included. If known_y's and known_x's are empty or have a different number
of data points, SLOPE returns an error.
Example:
The following table provides an example formula of the SLOPE function.
Formula Result
SLOPE(REF([Data Set],[Known Y]),REF([Data Set],[Known Slope of the linear regression

X])) line through the data points
where Data Set is a cross-reference field, the values in the Known given (0.305556)
Y field are 2, 3, 9, 1, 8, 7, and 5, and the values in the Known X
field are 6, 5, 11, 7, 5, 4, and 4.
SMALL Function
The SMALL function returns the k-th smallest value in a data set. Use this function to return values
with a particular relative standing in a data set. If n is the number of data points in the values field,
SMALL(values,1) equals the smallest value and SMALL(values,n) equals the largest value.
Syntax: SMALL(values,k)

The following table describes SMALL function parameters.

values A set of numeric data for which you want to determine the k-th smallest value.
Note: If the set is empty, SMALL returns an error.
k The position (from the smallest) in the set of fields to return.
Note: If k ≤ 0 or if k exceeds the number of data points, SMALL returns an error.
Examples:
The following table provides example formulas of the SMALL function.
Formula Result
SMALL(REF([Data Set],[Values]),4) 4th smallest number in the

where Data Set is a cross-reference field and the values in the set of fields (4)
Values field are 3, 4, 5, 2, 3, 4, 6, 4, and 7.
SMALL(REF([Data Set],[Values]),2) 2nd smallest number in the

where Data Set is a cross-reference field and the values in the set of fields (3)
Values field are 1, 4, 8, 3, 7, 12, 54, 8, and 23.
STANDARDIZE Function
The STANDARDIZE function returns a normalized value from a distribution characterized by mean
and standard_dev.
Syntax: STANDARDIZE(x,mean,standard_dev)
The following table describes STANDARDIZE function
parameters.
x The value that you want to normalize.
standard_dev The standard deviation of the distribution.
Example:

The following table provides an example formula of the STANDARDIZE function.

Formula Result
STANDARDIZE(42,40,1.5) Normalized value of 42 for the terms given (1.333333)
STDEV Function
The STDEV function estimates standard deviation based on a sample. The standard deviation is a
measure of how widely values are dispersed from the average value (the mean).
STDEV assumes that its arguments are a sample of the population. If your data represents the entire
population, compute the standard deviation using STDEVP.
The standard deviation is calculated using the "n-1" method. To include logical values and text
representations of numbers in a reference as part of the calculation, use the STDEVA function.
Syntax: STDEV(number1,number2,...)
The following table describes STDEV function parameters.
number1, 1 to 255 number arguments corresponding to a sample of a population. You can also
number2,... use a reference to a set of fields instead of arguments separated by commas.

of arguments are counted. If an argument is a reference, only numbers in that
reference are counted. Empty fields, logical values, text, or error values in the
reference are ignored. Arguments that are error values or text that cannot be
translated into numbers cause errors.
Example:
10 tools stamped from the same machine during a production run are collected as a random sample
and measured for breaking strength.
The following table provides an example formula of the STDEV function.
Formula Result
STDEV(REF([Data Set],[Breaking Strength])) Standard deviation of

where Data Set is a cross-reference field and the values in the Breaking breaking strength
Strength field are 1345, 1301, 1368, 1322, 1310, 1370, 1318, 1350, 1303, (27.46391572)
and 1299.

STDEVA Function
The STDEVA function estimates standard deviation based on a sample. The standard deviation is a
measure of how widely values are dispersed from the average value (the mean). The standard
deviation is calculated using the "n-1" method.
STDEVA assumes that its arguments are a sample of the population. If your data represents the
entire population, you must compute the standard deviation using STDEVPA.
If you do not want to include logical values and text representations of numbers in a reference as
part of the calculation, use the STDEV function.
Syntax: STDEVA(value1,value2,...)
The following table describes STDEVA function parameters.
value1, 1 to 255 values corresponding to a sample of a population. You can also use a
value2,... reference to a set of fields instead of arguments separated by commas.
Note: Arguments can be the following: numbers; names, or references that contain
numbers; text representations of numbers; or logical values, such as TRUE and
FALSE, in a reference. Arguments that contain TRUE evaluate as 1; arguments that
contain text or FALSE evaluate as 0 (zero). If an argument is a reference, only
values in that reference are used. Empty cells and text values in the reference are
Example:
The following table provides an example formula of the STDEVA function.
Formula Result
STDEVA(REF([Data Set],[Breaking Strength])) Standard deviation of

where Data Set is a cross-reference field and the values in the breaking strength for all the
Breaking Strength field are 1345, 1301, 1368, 1322, 1310, 1370, tools (27.46391572)
1318, 1350, 1303, and 1299.
STDEVP Function
The STDEVP function calculates standard deviation based on the entire population given as

arguments. The standard deviation is a measure of how widely values are dispersed from the
average value (the mean).
STDEVP assumes that its arguments are the entire population. If your data represents a sample of
the population, compute the standard deviation using STDEV.
For large sample sizes, STDEV and STDEVP return approximately equal values.
The standard deviation is calculated using the "n" method.
To include logical values and text representations of numbers in a reference as part of the
calculation, use the STDEVPA function.
Syntax: STDEVP(number1,number2,...)
The following table describes STDEVP function parameters.
number1, 1 to 255 number arguments corresponding to a population. You can also use a
number2,... reference to a set of fields instead of arguments separated by commas.

Logical values, and text representations of numbers that you type directly into the
list of arguments are counted. If an argument is a reference, only numbers in that
Example:
The following table provides an example formula of the STDEVP function.
Formula Result
STDEVP(REF([Data Set],[Breaking Strength])) Standard deviation of breaking

where Data Set is a cross-reference field and the values in strength, assuming only 10 tools
the Breaking Strength field are 1345, 1301, 1368, 1322, 1310, are produced (26.05455814)
1370, 1318, 1350, 1303, and 1299.
STDEVPA Function
The STDEVP function calculates standard deviation based on the entire population given as
arguments. The standard deviation is a measure of how widely values are dispersed from the

average value (the mean).

STDEVP assumes that its arguments are the entire population. If your data represents a sample of
the population, compute the standard deviation using STDEV.
For large sample sizes, STDEV and STDEVP return approximately equal values.
The standard deviation is calculated using the "n" method.
To include logical values and text representations of numbers in a reference as part of the
calculation, use the STDEVPA function.
Syntax: STDEVP(number1,number2,...)
The following table describes STDEVP function parameters.
number1, 1 to 255 number arguments corresponding to a population. You can also use a
number2,... reference to a set of fields instead of arguments separated by commas.

Logical values, and text representations of numbers that you type directly into the
list of arguments are counted. If an argument is a reference, only numbers in that
Example:
The following table provides an example formula of the STDEVP function.
Formula Result
STDEVP(REF([Data Set],[Breaking Strength])) Standard deviation of breaking

where Data Set is a cross-reference field and the values in strength, assuming only 10 tools
the Breaking Strength field are 1345, 1301, 1368, 1322, 1310, are produced (26.05455814)
1370, 1318, 1350, 1303, and 1299.
STEYX Function
The STEYX function returns the standard error of the predicted y-value for each x in the regression.
The standard error is a measure of the amount of error in the prediction of y for an individual x.


Syntax: STEYX(known_y's,known_x's)
The following table describes STEYX function
parameters.
known y's A set of dependent data points.
known x's A set of independent data points.
Note: Arguments can be numbers, names or references that contain numbers. Logical values and
text representations of numbers that you type directly into the list of arguments are counted. If a
reference argument contains text, logical values, or empty fields, those values are ignored; however,
fields with the value zero are included. Arguments that are error values or text that cannot be
translated into numbers cause errors. If known_y's and known_x's have a different number of data
points, STEYX returns an error. If known_y's and known_x's are empty or have less than three data
points, STEYX returns an error.
Example:
The following table provides an example formula of the STEYX function.
Formula Result
STEYX(REF([Data Set],[Dependent Data]), REF([Data Set], Standard error of the

[Independent Data])) predicted y-value for each x
where Data Set is a cross-reference field, the values in the in the regression (3.305719)
Dependent Data field are 2, 3, 9, 1, 8, 7, and 5, and the values in
the Independent Data field are 6, 5, 11, 7, 5, 4, and 4.
SUM Function
The SUM function adds all of the numbers in the specified parameters. If the SUM function
references a multi-selection values list, it can be used with the SELECTED function to return the
sum of the numeric values for each of the currently selected items.
Syntax: SUM(number1, number2,...)

The following table describes SUM function parameters.

number1, Parameters for which you want the total value. These parameters can be entered as
number2, hard-coded values, for example, 2, or Numeric-field references, for example, [field
name]. Referenced fields can reside within the application or within Sub-Form,
Cross-Reference, or Related Records fields.
Examples:
The following table provides example formulas of the SUM function.
Formula Result
SUM(3, [Risk]) 15
where the value in the Risk field is 12.
SUM([Risk], [Criticality]) 19
SUM(REF([Orders],[Price])) 202.94
where the value in the Price field within the Orders sub-form are 120.00, 50.19, and
32.75.
SUM(SELECTEDVALUENUMBER([Key Factors])) 25
where Key Factors is a multi-selection Values List field and the numeric values of the
current selections are 3, 8, 4, and 10.
SUMIF Function
The SUMIF function sums the values of a specified Numeric field across all records in a Sub-Form,
Cross-Reference, Related Records, or Scheduler field that contain a specific value in a given field.
For example, you can return the sum of all Price field values across all cross-referenced records in
which the Status field is set to “Shipped.”
Syntax: SUMIF(eval_field_ref, criterion, sum_field_ref)

The following table describes SUMIF function parameters.

eval_field_ The reference to the field against which the criterion will be evaluated.
ref
field to sum.
criterion The test that will be performed against eval_field_ref to determine whether a given
record will be qualified for the sum operation. The criterion can involve Values List,
User/Groups List, and Record Permissions fields as well as fields containing
numeric, text, and date type values.
l Values Lists. If eval_field_ref is a Values List field, enclose the criterion value
in VALUEOF or supply it as a quoted literal string, for example, "Dallas".
l User/Groups List and Record Permissions Fields. If eval_field_ref is a
User/Groups List or Record Permissions field, enclose the criterion value in
USER or GROUP (as appropriate for the criterion).
l Text, Numeric, or Date Fields. If eval_field_ref is a Text, Numeric, or Date
field, the criterion must be enclosed in quotes, for example, ">56", and the
criterion can involve any of the supported comparison operators (=, <, >, <=, >=,
<>).
Note: The evaluation will always result in no matches if there is a space between
the operator and the test value. For example, if the intent is to sum a given Numeric
field across all sub-form records where a another given field contains a numeric
value greater than 56, a space cannot appear in the formula between the ">" and the
"56"

"greater than today" would be:
">"&TODAY( )
sum_field_ The reference to a Numeric field that will be summed across all qualified records.
ref
field to sum.
Examples:

The following table provides example formulas of the SUMIF function.

Formula Result
SUMIF(REF([Cases], [Status]), VALUEOF(REF([Cases], [Status]), "Open"),REF 832

([Cases], [Time Spent]))
where:
l The name of the Cross-Reference field is Cases.
l The Status Values List field contains the values to be evaluated.
l The criterion for matching on the Status field is the selection “Open”.
l Time Spent is a Numeric field containing the numeric values to be summed.
l The sum of Time Spent across all “Open” cases is 832 minutes.
SUMIF(REF([Items], [Line Item Cost]), ">5.99",REF([Items], [Line Total])) 2378.10

where:
l The name of the Sub-Form field is Items.
l The Line Item Cost Numeric field in the related sub-form contains the data to be
evaluated.
l The criterion for matching on Line Item Cost is values greater than 5.99.
l Line Total is a Numeric field containing the numeric values to be summed.
l The sum of Line Total across all sub-form records where Line Item Cost is greater
than 5.99 is 2378.10.
SUMIF(REF([Properties], [Sale Price]), ">=150000") 2654887

where:
l The Sale Price Numeric field in the related application contains the data to be
evaluated.
l The criterion for matching on Sale Price is values greater than or equal to 150000.
l The sum of Sale Price across all related records where Line Item Cost is greater than
or equal to 150000 is 1654887.
Note: In this example, the sum_field_ref is not passed to SUMIF. As a result, the
system will use Sale Price for evaluation purposes and for summing.

Formula Result
SUMIF(REF([Properties], [Sale Date]), ">="&DATETIMEVALUE("7/1/2008"),REF 1299000

([Properties], [Sale Price]))
where:
l The Sale Date field in the related application contains the data to be evaluated.
l The criterion for matching on Sale Date is dates greater than or equal to 7/1/2008.
l Sale Price is a Numeric field containing the numeric values to be summed.
l The sum of Sale Price across all related records where Sales Date is greater than or
equal to 7/1/2008 is 1299000.
SUMPRODUCT Function
The SUMPRODUCT function multiplies corresponding components in the given sets of fields, and
returns the sum of those products.
Syntax: SUMPRODUCT(values1,values2,values3, ...)
The following table describes SUMPRODUCT function parameters.
values1, 2 to 255 sets of values whose components you want to multiply and then add.
values2,
values3, ... Note: The respective arguments must have the same dimensions. If they do not,
SUMPRODUCT returns an error. SUMPRODUCT treats field entries that are not
numeric as if they were zeros.
Example:
The following table provides an example formula of the SUMPRODUCT function.
Formula Result
SUMPRODUCT(REF([Data Set],[Values1]),REF Multiplies all the components of the two

([Data Set],[Values2])) arrays and then adds the products — that
where Data Set is a cross-reference field and the is, 3*2 + 4*7 + 8*6 + 6*7 + 1*5 + 9*3.
values in the Values1 field are 3, 4, 8, 6, 1, and 9, (156)
and the values in the Values2 field are 2, 7, 6, 7, 5,
and 3.

SUMSQ Function
The SUMSQ function returns the sum of the squares of the arguments.
Syntax: SUMSQ(number1,number2, ...)
The following table describes SUMSQ function parameters.
number1, 1 to 255 arguments for which you want the sum of the squares. You can also use a
number2, ... reference to an array instead of arguments separated by commas.

Numbers, logical values, and text representations of numbers that you type directly
into the list of arguments are counted. If an argument is a reference, only numbers in
that reference are counted. Empty cells, logical values, text, or error values are
Example:
The following table provides an example formula of
the SUMSQ function.
Formula Result
SUMSQ(3,4) Sum of the squares of 3 and 4 (25)
SUMX2PY2 Function
The SUMX2PY2 function returns the sum of the sum of squares of corresponding values in two sets
of fields. The sum of the sum of squares is a common term in many statistical calculations.
Syntax: SUMX2PY2(values_x,values_y)
SUMX2PY2 function parameters.

SUMX2PY2 returns an error.
Example:
The following table provides an example formula of the SUMX2PY2 function.
Formula Result
SUMX2PY2(REF([Data Set],[Values1]), REF([Data Set], Sum of the sum of squares

[Values2])) of the two sets of fields
where Data Set is a cross-reference field, the values in the Values1 given (521)
field are 2, 3, 9, 1, 8, 7 and 5 and the values in the Values2 field are
6, 5, 11, 7, 5, 4, and 4.
SUMXMY2 Function
The SUMXMY2 function returns the sum of squares of differences of corresponding values in two
sets of fields.
Syntax: SUMXMY2(values_x,values_y)
SUMXMY2 function parameters.
SUMXMY2 returns an error.
Examples:

The following table provides example formulas of the SUMXMY2 function.

Formula Result
SUMXMY2(REF([Data Set],[Values1]), REF([Data Set],[Values2])) Sum of squares of

where Data Set is a cross-reference field, the values in the Values1 differences of the two
field are 2, 3, 9, 1, 8, 7, and 5, and the values in the Values2 field are arrays given (79)
6, 5, 11, 7, 5, 4, and 4.
SUMXMY2({2, 3, 9, 1, 8, 7, 5}, {6, 5, 11, 7, 5, 4, 4}) Sum of squares of

differences of the two
arrays constants (79)
TRIMMEAN Function
The TRIMMEAN function returns the mean of the interior of a set of data. The value is derived by
determining the mean of a series of values and excluding a percentage of the top and bottom values
from the data set. This function can be used to eliminate outliers when determining the mean.
Syntax: TRIMMEAN(values,percent)
The following table describes TRIMMEAN function parameters.
values A set of values.
percent This is the percent of data points to exclude when determining the mean. For
example, if the percent parameter is .2 and the number of values in the data series is
100, 20 data points will be excluded when determining the mean (100 x .2 = 20).
Within the excluded data points for this example, the calculation will exclude the 10
highest values and the 10 lowest values.
Note: This function rounds the number of excluded data points down to the nearest
multiple of 2. For example, if the percent is .1 and the number of data points is 30,
the number of excluded data points should be 3. However, since this returns an odd
number, TRIMMEAN will round this number down to 2 and exclude the highest
value and the lowest value in the data series.
Example:

The following table provides an example formula of the TRIMMEAN function.

Formula Result
TRIMMEAN(REF([Facilities],[Risk 69
Rating]), .2) The values 45 and 92 were thrown out (since 20%
where Facilities is a cross-reference field of the values were to be excluded) and the function
and the values in the Risk Rating field are found the mean of the remaining values.
35, 50, 52, 60, 68, 75, 79, 82, 86, and 100.
VAR Function
The VAR function estimates the variance based on a sample of numbers. This function can compute
the variance for up to 255 different values.
Syntax: VAR(number1, number2,...)
The following table describes VAR function parameters.
number1, Parameters for which you want to find the variance. These parameters can be
number2, ... entered as hard-coded values, for example, 2, or Numeric-field references, for
example, [field name]. Referenced fields can reside within the application or within
Sub-Form, Cross-Reference, or Related Records fields.
Note: This function assumes the numbers represent a sample from the overall
population. If your data set represents the entire population, you must compute the
variance using VARP.
Example:
The following table provides an example formula of the VAR function.
Formula Result
VAR(REF([Facilities],[Risk Rating])) 382.4556

where the parent record is related to 10 Facilities records and the values in the Risk
Rating field are 35, 50, 52, 60, 68, 75, 79, 82, 86, and 100.
VARA Function
The VARA function estimates the variance based on a sample of numbers, text, or logical values
(TRUE or FALSE).


Syntax: VARA(value1, value2,...)
The following table describes VARA function parameters.
value1, Parameters for which you want to find the variance. These parameters can be
value2, entered as hard-coded values, for example, 2, or field references, for example,
[field name]. Referenced fields can reside within the application or within Sub-
Form, Cross-Reference, or Related Records fields. If logical values (TRUE or
FALSE) are used, they are evaluated as 1 and 0, respectively.
Note: This function assumes the numbers represents a sample from the overall
population. If your data set represents the entire population, you must compute the
variance using VARPA.
Example:
The following table provides an example formula of the VARA function.
Formula Result
VAR([Offshore Facilities],[Risk Rating],[Customer Data])) 30.33333

where the value of the Offshore Facilities field is "True", the value of the Risk Rating
field is "10", and the value of the Customer Data field is "False".
VARP Function
The VARP function estimates the variance based on the entire population. This function can
compute the variance for up to 255 different values.
Syntax: VARP(number1, number2,...)

The following table describes VARP function parameters.

number1, Parameters for which you want to find the variance. These parameters can be
number2, ... entered as hard-coded values, for example, 2, or Numeric-field references, for
example, [field name]. Referenced fields can reside within the application or within
Sub-Form, Cross-Reference, or Related Records fields.
Note: This function assumes that the numbers represent the entire population. If
your data set represents a sample population, you must compute the variance using
VAR.
Example:
The following table provides an example formula of the VARP function.
Formula Result
VARP(REF([Facilities],[Risk Rating])) 344.21

where the parent record is related to 10 Facilities records and the values in the Risk
Rating field are 35, 50, 52, 60, 68, 75, 79, 82, 86, and 100.
VARPA Function
The VARPA function estimates the variance based on a total population of numbers, text or logical
values (TRUE or FALSE).
Syntax: VARPA(value1, value2,...)
The following table describes VARPA function parameters.
value1, Parameters for which you want to find the variance. These parameters can be
value2, ... entered as hard-coded values, for example, 2, or field references, for example,
[field name]. Referenced fields can reside within the application or within Sub-
Form, Cross-Reference, or Related Records fields. If logical values (TRUE or
FALSE) are used, they are evaluated as 1 and 0, respectively.
Note: This function assumes the numbers represent the entire population. If your
data set represents a sample population, you must compute the variance using
VARA.
Example:

The following table provides an example formula of the VARPA function.

Formula Result
VARPA([Offshore Facilities],[Risk Rating],[Customer Data])) 20.22222

where the value of the Offshore Facilities field is "True", the value of the Risk Rating
field is "10", and the value of the Customer Data field is "False".
WEIBULL Function
The WEIBULL function returns the Weibull distribution. You can use this distribution in reliability
analysis.
Syntax: WEIBULL(x,alpha,beta,cumulative)
The following table describes WEIBULL function parameters.
x The value of the function.
Note: If x is nonnumeric or if x < 0, WEIBULL returns an error.
alpha A parameter value for the distribution.
Note: If alpha ≤ 0, WEIBULL returns an error.
beta The other parameter value for the distribution.
Note: If beta ≤ 0, WEIBULL returns an error.
cumulative A logical value that indicates which form of the function to provide. If cumulative is
TRUE, WEIBULL returns the cumulative distribution function; if FALSE, it returns
the probability density function.
Examples:
The following table provides example for-
mulas of the WEIBULL function.
Formula Result
WEIBULL(210,40,200,TRUE) .999124
WEIBULL(210,40,200,FALSE) .001175

ZTEST Function
The ZTEST function returns the one-tailed probability value of a z-test. The function returns the
probability that the sample mean would be greater than the average of observations in the data set.
Syntax: ZTEST(values,test,sigma)
The following table describes ZTEST function parameters.
values A range of values.
Note: If a reference argument contains text, logical values, or empty fields, those
values are ignored; however, fields with the value zero are included.
test The value to test.
sigma The population standard deviation. If this value is not provided, the sample standard
deviation is used.
Example:
The following table provides an example formula of the ZTEST function.
Formula Result
ZTEST(REF([Facilities],[Risk Rating]),85) .99580

where Facilities is a cross-reference field and the values in the Risk Rating field are 35,
50, 52, 60, 68, 75, 79, 82, 86, and 100.
System Functions
The following system functions work with variables specific to RSA Archer and options to produce
dynamic results.
COMBINESELECTIONS Function
The COMBINESELECTIONS function merges the Selected Values of all the Values List fields
included in a function for one or more applications.
Important: The calculated Values List field must contain all of the Values List Values of the
referenced Values Lists in order for all of the Selected Values to be shown. Also, the function
performs a case-insensitive string comparison of the Selected Values, so it is possible that the
Values List fields referenced in the function may refer to different Values Lists.

Return Type: Values List

Syntax: COMBINESELECTIONS([values_listfield1], [values_listfield2],[...])
In the above syntax, the expression must contain at least one values list field.
The following table describes COMBINESELECTIONS function parameters.
values_ The values list fields that are being combined.

listfield1
values_ Additional values lists, up to a maximum of 255 items. The values list fields must be
listfield2 separated by commas.
Example:
The following table provides an example formula of the COMBINESELECTIONS function.
Formula Result
COMBINESELECTIONS(REF([AppB],[Colors])) Red
Green
where the colors values list contains Red and Green in one related record and Green and
Blue in another related record of the cross-referenced application. Blue
CONTAINS Function
The CONTAINS function is used to determine if any value within a list of values matches the value
stored in a given field. If one of the values matches the field value, the function evaluates to TRUE
and one value is returned. If there is no match between the list of values and the field value, the
function evaluates to FALSE and another value is returned. The CONTAINS function must be used
in conjunction with an IF function.
Although done infrequently, the CONTAINS function may be used to test whether the string value of
a given Text field is equal to any one of a list of given string values. When a Text field is targeted,
the string value in the field will be compared to the given test strings. Matching will be based on
complete strings only. The function will not find a match based on a substring. For example, if the
target Text field contains the value “Confiscated laptop”, CONTAINS will not find a match for a
test string of “laptop”.
Syntax: IF(CONTAINS(eval_type, field_ref, value1, value2...),value_if_true,value_if_false)

The following table describes CONTAINS function parameters.

eval_type One of the following evaluation type keywords:

l ANY. Specifies that the targeted field must contain at least one of the given
selections.
l EXACT. Specifies that the targeted function must contain each of the given
selections and only those selections
l ALL. Specifies that the target field must, at a minimum, contain each of the
given selections. When using ALL, CONTAINS will still return TRUE even if
there are selections in the field in addition to the ones specified.
Note: When targeting a Text field, CONTAINS will return TRUE if one or more of
the supplied test strings match the string value of the Text field. The behavior of
EXACT and ALL is the same when targeting a text field. When using EXACT or
ALL against a Text field, only one test string should be specified because a Text
field can have only one value.
field_ref A reference to a field, for example, [field name].The reference must be a Values
List, User/Groups List, Record Permissions, or Text field.

value1, Any one the following:

value 2, ... l One or more string values supplied as a potential match for the values selected in
the targeted list field. (When evaluating the selections in a Values List field, the
test string values should be enclosed in a VALUEOF function.)
l One or more references to additional Values List, User/Groups List, or Record
Permissions fields. At runtime, the system will extract the list of selections in the
supplied fields and treat those values as strings (or user/group IDs) to be tested
against the selections in the targeted field.
Note: When referencing multiple fields to obtain test values, all fields must be of
the same type and that type must match the type of the target field. When
referencing a User/Groups List or Record Permissions field to obtain test values,
the field reference must be wrapped in either the GETUSERS or GETGROUPS
function to provide the proper context for retrieving the selections. Selections in
User/Groups List and Record Permissions fields will be returned as IDs, while
selections in a Values List field will be returned as strings.
l A combination of both literal values and field references. At runtime, the system
will extract the list of selections for any referenced field and, conceptually,
marry those selections to the literal values provided to form a single list of
selections to test against the target field.
Examples:
The following table provides examples of the CONTAINS function.
Formula Result
IF(CONTAINS(ANY, [Location], VALUEOF([Office], "Chicago", "Local", Local

"Global")))
where the selected value in Location is Chicago.
IF(CONTAINS(ANY, [Region], VALUEOF([Office], "Connecticut", "New Connecticut

York", "Massachusetts"), VALUEOF ([Office], "Kansas", "Illinois", "Texas")) New York
Massachusetts
CONTENTID Function
The CONTENTID function returns a content record ID that uniquely identifies the current record
within the context of the current application or sub-form. Content IDs are generated sequentially,
beginning with the number 1.


Syntax: CONTENTID( )
Example:
The following table provides an example formula of the CONTENTID function.
Formula Result
[Type Code] & "-" & TRACKINGID( ) & "-" & CONTENTID( ) WORM-
where the value in the Type Code field is WORM, the system-wide tracking ID is 678904-34
678904 and the application-specific tracking ID is 34.
GETGROUPS Function
The GETGROUPS function returns a list of group IDs for the groups currently selected in a
specified User/Groups List or Record Permissions field. The list of group IDs can then be evaluated
by another function. For example, GETGROUPS might be used inside a CONTAINS function to
determine whether a given group is contained in the list of groups retrieved from a specified
User/Groups List field.
Syntax: GETGROUPS(field_ref)
The following table describes the GETGROUPS function para-
meter.
field_ref A User/Groups List or Record Permissions field.
Examples:
The following table provides example formulas of the GETGROUPS function.
Formula Result
IF(CONTAINS(ANY, GETGROUPS([Team]), GROUP(NAME, "Training", Yes

"Support", "IT")), "Yes”, “No”)
where the group "Training” (which is referenced by name here but converted to an
ID at runtime) matches the ID of a group returned from the a User/Groups List field
named Team.

Formula Result
IF(ISEMPTY(GETGROUPS([Reviewers]), "Empty - No groups selected", "Not Not Empty

Empty - One or more groups selected") – One or
where one or more groups are currently selected in the Reviewers Record more
Permissions field. groups
selected
In this example, ISEMPTY is only evaluating the Reviewers field for group
selections, not user selections. In this example, ISEMPTY would have returned true
if no groups were selected but one or more users were selected.
IF(AND(ISEMPTY(GETUSERS ([Reviewers]), ISEMPTY(GETGROUPS, Empty -

([Reviewers])),"Empty - No users or groups selected", "Not Empty - One or more No users
users or groups selected") or groups
where the Reviewers Record Permissions field has no selections. selected
To evaluate both user and group selections, two ISEMPTY functions can be wrapped
in an AND function, as shown above.
IF(AND(CONTAINS(EXACT, GETGROUPS([Case Managers]), GROUP(NAME, All test

"Training", "Support", "IT")), CONTAINS(EXACT, GETUSERS([Case users and
Managers]), USER(LOGIN, "blair.gates", "alfred.turks", "betty.smalls"))), "All test groups are
users and groups are selected", "Test failed") selected
where the Case Managers Record Permissions field contains each of the test
selections and only those selections.
To test a User/Groups List or Record Permissions field for a combination of user and
group selections, two CONTAINS functions can constructed (one to test for groups;
one to test for users) and wrapped in an AND, OR or NOT function.
GETUSERS Function
The GETUSERS function returns a single user ID for a user currently selected in a specified
User/Groups List or Record Permissions field. The user ID can then be evaluated by another
function. For example, GETUSERS might be used inside a CONTAINS function to determine
whether a given user matches the ID of a user returned from a specified User/Groups List field.
Important: To ensure that this function returns no more than one user ID, you must set the
Maximum Selections option in the Configuration section for a User/Groups List field or a Record
Permissions field to 1. Otherwise, the GETUSERS function returns an error.

Syntax: GETUSERS(field_ref)
In the above syntax, the parameter in bold is required.

The following table describes the GETUSERS function para-

meter.
field_ref A User/Groups List or Record Permissions field.
Examples:
The following table provides example formulas of the GETUSERS function.
Formula Result
IF(CONTAINS(ANY, GETUSERS ([Sales Rep]), USER(NAME, "Wilson, Yes

Jonah", “Kellerman, Kathy”, “Boone, Julia”)), "Yes”, “No”
where the user "Boone, Julia” (who is referenced by name here but converted to an
ID at runtime) matches the ID of a user returned from the User/Groups List field
named Sales Rep.
IF(ISEMPTY(GETUSERS ([Associate]), "Empty - No users selected", "Not Empty Empty – No

- One or more users selected") users
where no users are currently selected in the Associate Users/Groups List field. selected
In this example, ISEMPTY is only evaluating the Associate field for user
selections, not group selections. In this example, ISEMPTY would have returned
true if no users were selected but one or more groups were selected.
IF(AND(ISEMPTY(GETUSERS ([Reviewers]), ISEMPTY(GETGROUPS, Empty - No

([Reviewers])),"Empty - No users or groups selected", "Not Empty - One or more users or
users or groups selected") groups
where the Reviewers Record Permissions field has no selections. selected
To evaluate both user and group selections, two ISEMPTY functions can be
wrapped in an AND function, as shown above.
GROUP Function
The GROUP function is used to maintain the validity of a formula reference to a specific group
selection in a User/Groups List or Record Permissions field, even if the group name is changed
later.
The GROUP function also directly accepts system-assigned group ID numbers. Each group in the
system has an internal ID number that is guaranteed to be unique. For example, if two groups both
named Support exist in the system, the group name cannot be resolved to determine whether the
intended Support is selected in the given User/Groups List or Record Permissions field. However, a
system ID (for example, 48761) can be used in place of the ambiguous group name to uniquely
identify the correct Support group.

Return Type: Text or Numeric, depending on the format selected for the ref_type parameter
Syntax: GROUP(ref_type, value1, value2…)
The following table describes GROUP function parameters.
ref_type Accepts the keyword NAME or ID. If NAME is specified, the function will inspect
field selections by literal group name, for example, "Support". If ID is specified, the
function will inspect group selections based on unique system-assigned ID numbers.

value1, One or more values within a User/Groups or Record Permissions field.

value2… NAME. If ref_type is NAME, group names must be passed exactly as they display
in the User/Groups List or Record Permissions field. Matching will be case
sensitive. When using NAME with GROUP, an error will occur during formula
validation if any of the following is true:
l If the named group cannot be found in any domain
l If the named group is found in more than one domain
l If the named group is found in a single domain but the group name is not unique
within that domain
If the NAME string contains at least one @ sign, the system will assume that all
text following the last @ sign is a domain reference and the system will attempt to
locate that domain. If the NAME string does not contain a @ sign, the system will
look for an exact match for the entire group name string in the Archer (NULL)
domain and the default domain.
Note: The system will attempt to match the domain name against both active and
deleted (for example, soft-deleted) domains. Only active domain names must be
unique; it is possible that a deleted domain has the same name as an active domain.
If the group name string exists in more than one of the domains that have the same
name, the system will fail the formula on validation.
If the domain can be found:

1. The system will treat all text in the name string before the last @ sign as the
group name and will attempt to find that group within the domain.
2. If the group is found within the domain, the system will replace the group name
string in the formula with the ID of the group matching that login.
3. If the domain cannot be found:
4. The system will look for an exact match for the entire group name string in the
Archer (NULL) domain and the default domain.
5. If only one group with that name exists, the system will replace the group name
string in the formula with the ID of that group.
ID. If ref_type is ID, the function will expect one or more system-assigned group ID
numbers. The IDs in the list should be quoted. When using ID with GROUP, an
error will occur during formula validation the group ID cannot be found in any
domain.
Examples:

The following table provides example formulas of the GROUP function.

Formula Result
IF(CONTAINS(ANY, GETGROUPS([Technician]), GROUP(NAME, "Tier 1", "Tier Priority

4", “Tier 9”)), "Priority", "Standard")
where the group "Tier 4" is selected in the Technician User/Groups List field.
IF(CONTAINS(ANY, GETGROUPS([Technician]), GROUP(ID, 76712, 89766, Yes

90287)),"Yes", "No")
where "Tier 9" is selected in the Technician User/Groups List field and that group’s
unique system ID is 90287.
ISCORRECT Function
The ISCORRECT function evaluates a Values List question and determines whether the selected
value is identified as “Correct” or “Incorrect.” Values are identified as either correct or incorrect on
the Answer tab of the Define Fields page. The function evaluates to TRUE if the selected value is
set as the “Correct” value. The function evaluates to FALSE if the selected value is not set as the
“Correct” value. The ISCORRECT function must be used in conjunction with an IF function and can
only be used against a Values List question within a questionnaire.
supplied for the value_if_true and value_if_false parameters.
Syntax: ISCORRECT([field_ref])
The following table describes the ISCORRECT function parameter.
field_ref A reference to the Values List question, for example, [question name].
Example:
The following table provides an example formula of the ISCORRECT function.
Formula Result
IF(ISCORRECT([Password Question]),“Compliant”,“Not Compliant”) Compliant

where the value selected for the question is identified as “Correct”.
ISEMPTY Function
The ISEMPTY function is used to determine if a given field contains a value or is blank (empty).
The function evaluates to TRUE if the specified field is blank, for example, contains no value. The

function evaluates to FALSE if the specified field is not blank (contains a value). The ISEMPTY
function must be used in conjunction with an IF function.
supplied for the value_if_true and value_if_false parameters.
Syntax: ISEMPTY([field_ref])
The following table describes the ISEMPTY function parameter.
field_ref A reference to a field, for example, [field name].
Examples:
The following table provides example formulas of the ISEMPTY function.
Formula Result
IF(ISEMPTY([Middle Name]), "No middle name", "Middle name is " & No middle name
[Middle Name])
where Middle Name is a Text field containing no value.
IF(ISEMPTY([Middle Name]), "No middle name", "Middle name is " & Middle name is
[Middle Name]) Douglas
where Middle Name is a Text field containing the value Douglas.
ISNUMBER Function
The ISNUMBER function checks the specified value and returns TRUE or FALSE depending on
whether it is a number. You can use this function to get information about a value before performing
a calculation or other action with it.
Syntax: ISNUMBER(value)

The following table describes the ISNUMBER function parameter.

value The value that you want tested. The value argument can be a blank (empty cell),
error, logical value, text, number, or reference value, or a name referring to any of
these. Returns TRUE if Value refers to a number.
Note: The value arguments of the IS functions are not converted. Any numeric
values that are enclosed in double quotation marks are treated as text. For example,
in most other functions where a number is required, the text value "19" is converted
to the number 19. However, in the formula ISNUMBER("19"), "19" is not converted
from a text value to a number value, and the ISNUMBER function returns FALSE.
Example:
ISNUMBER function.
Formula Result
ISNUMBER(4) Checks whether 4 is a number (TRUE)
MOSTRECENTVALUE Function
The MOSTRECENTVALUE displays a specific value from the record that is evaluated as the
"most recent" from a list of related records. For example, if a record in the Facilities application is
related to multiple questionnaires, you could use this function to return the value of the Quantitative
Summary field from the most recently submitted questionnaire.
Return Type: Text
Syntax: MOSTRECENTVALUE(field_to_display, date_criteria_field)
The following table describes MOSTRECENTVALUE function parameters.
field_to_ This is the reference for the field value that you want to display, for example, REF
display ([Cross-Reference field name],[field name]).
date_ This is the Date field that you will use to determine which of the related records has
criteria_ the most recent value, for example, REF([Cross-Reference field name],[Date field
field name]).
Example:

The following table provides an example formula of the MOSTRECENTVALUE function.

Formula Result
MOSTRECENTVALUE(REF([Risk Questionnaire],[Inherent Risk]), REF([Risk 65

Questionnaire],[Submitted Date]))
where the value in the Inherent Score field of the record with the most recent Submitted
Date value is "65".
NOVALUE Function
The NOVALUE function is used either to set a null value for a calculated Date, Text, or Numeric
field or to set a calculated Values List field to have no selection. The NOVALUE function is only
valid within the context of the IF function.
Note: The NOVALUE function cannot be passed to VALUEOF to clear selections from a
calculated Values List field.
Return Type: None

Syntax: NOVALUE()
Examples:
The following table provides an example formula of the NOVALUE function.
Formula Result
IF([Rating] >=0, “Action Required”, NOVALUE( )) The calculated Text field is set
where the value of Rating is less than 6 and the calculated field to null.
is a Text field .
OTHERTEXT Function
The OTHERTEXT function returns the text a user has entered in the "Other" field for the specified
Values List field or Values List question.
Return Type: Text
Syntax: OTHERTEXT([field_ref])

The following table describes the OTHERTEXT function parameter.

field_ref A reference to a Values List field or Values List question, for example, [question
name].
Examples:
The following table provides an example formula of the OTHERTEXT function.
Formula Result
OTHERTEXT([Severity of Last Security Incident]) We have not had

where the name of the Values List question is "Severity of Last Security a security
Incident" and the text entered in the Other field is "We have not had a security incident.
incident."
REF Function
The REF function returns a reference to a field that is a child field to a parent Sub-Form, Cross-
Reference, Related Records, or Scheduler field. It can be used within another calculation that
requires a set of fields or values as input. REF is only valid for use with the following field types:
l Cross-Reference
l Related Records
l Sub-Form
l Scheduler
Return Type: Text, Numeric, Date, or a Values List field selection, depending on the type of data
returned from the referenced field
Syntax: REF(parent_field, child_field, data_level_name)
The following table describes REF function parameters.
parent_field The name of the Cross-Reference, Related Records, Sub-Form, or Scheduler field.
These field types are considered "parents" because they act as containers for other
fields. For example, a Sub-Form field by itself does not have any value; values can
only be derived from its child fields.
child_field The name of a field that resides within the parent_field.

data_level_ If a Cross-Reference field targets a multi-level application, the name of the level
name under which the field resides. Passing data_level_name is optional and is only
necessary when a Cross-Reference field targets a multi-level application.
For a Scheduler field, the data_level_name is required, since Scheduler fields
always target multiple levels. The Scheduler field always targets the Appointment
application and may target either the resource application or one or more parent
applications.
Examples:
The following table provides example formulas of the REF function.
Formula Result
SUM(REF([Controls], [Risk])) Cross-Reference to

where Controls is a Cross-Reference field and Risk is a field in the Flat Application
cross-referenced flat application.
AVERAGE(REF([Response Measures], [Severity Rating], [Responses])) Cross-Reference to

where Response Measures is a Cross-Reference field, Responses is a Multi-Level
level in the cross-referenced multi-level application and Severity Rating Application
is a field in the Responses data level.
COUNTA(REF([Baselines], [Name])) Related Records

where Baselines is a Related Records field and Name is a field in the
application that contains the corresponding Cross-Reference field.
COUNTA(REF([Actions], [Contact ID])) Sub-Form

where Actions is a Sub-Form field and Contact ID is a field in the sub-
form associated with the Sub-Form field.
SUM(REF([SchedulerField],[Duration (Hours)],[Appointment])) Scheduler Field

where SchedulerField is a scheduler field, Duration (Hours) is a field in reference to the
the Appointment application and Appointment is the level through which Appointment
the scheduler is referencing. application

SELECTEDVALUENUMBER Function
The SELECTEDVALUENUMBER function extracts the numeric value from the values list item
selected from a Values List field. If the Values List field allows multiple selections, this function
must be used in conjunction with an aggregate function, as the following example shows:
SUM(SELECTEDVALUENUMBER([Multi-Select Values List Field]))
In addition, if you reference a Values List field in a cross-referenced application, both the Cross-
Reference field used to form the application relationship and the Values List field in the related
application must be single-select fields in order to use the SELECTEDVALUENUMBER function
without wrapping it in an aggregate function. If either the Cross-Reference or Values List field
allows multiple selections, an aggregate function must also be used, as shown in the following
example:
AVERAGE(SELECTEDVALUENUMBER(REF([Multi-Select Cross-Ref Field], [Values List
Field])))
If no numeric value is assigned to a values list item, that value will be treated as 0. The only
exception is when the AVERAGE function is used in conjunction with the
SELECTEDVALUENUMBER function. In this case, the null value will not be used in the
calculation. Use the following values as an example:
Value A: 10
Value B: 5
Value C: no numeric value assigned
If the SUM function is used in conjunction with SELECTEDVALUENUMBER, Value C will be
treated as 0 in the calculation. If all three values were selected in the Values List field, the result of
the calculation would be 15. However, if the AVERAGE function were used and all three values
were selected in the Values List field, Value C would be ignored in the calculation since it has no
numeric value. The result would be 7.5.
Syntax: SELECTEDVALUENUMBER(field_ref)
The following table describes the SELECTEDVALUENUMBER function parameter.
field_ref A reference to a Values List field in the application, for example, [Risk Rating], a
field in a child sub-form, for example, [Notes].[Risk Rating], or a field in a cross-
referenced application, for example, [Vendors].[Risk Rating].
Examples:

The following table provides example formulas of the SELECTEDVALUENUMBER function.

Formula Result
SELECTEDVALUENUMBER([Risk Rating]) 10
where the selected value in the Risk Rating field is “High” and the numeric value
assigned to the value “High” is 10.
MAX(SELECTEDVALUENUMBER([Affected Departments])) 10
where the Affected Departments field is a multi-select Values List field, the selected
values are “Operations” and “IT,” and the associated numeric values are 7 and 10,
respectively.
AVERAGE(SELECTEDVALUENUMBER(REF([Vendors], [Risk Rating]))) 9

where Vendors is a multi-select Cross-Reference field to the Vendors application, Risk
Rating is a single-select Values List field in the Vendors application, the selected values
in the related records are “High” and “Low,” and the associated numeric values are 10
and 8, respectively.
TRACKINGID Function
The TRACKINGID function returns a record ID that uniquely identifies the current record across
all applications. This function could be used in conjunction with the CONTENTID function to
produce a complex ID that combines the system-wide ID, the application-specific ID, and data
pulled from other fields.
Syntax: TRACKINGID( )
This function does not have parameters.
Example:
The following table provides an example formula of the TRACKINGID function.
Formula Result
[Type Code] & "-" & TRACKINGID( ) & "-" & CONTENTID( ) WORM-
where the Type Code field is WORM, the system-wide tracking ID is 678904, and 678904-34
the application-specific content record ID is 34.
USER Function
The USER function maintains the validity of a formula reference to a specific user selection in a
User/Groups List or Record Permissions field, even if the user name is changed later. User
references can be passed as either as literal names or logon IDs. A logon name can optionally be

referenced by a specific domain.

For example, if the literal user name "Jones, Mary" is referenced in a formula within the USER
function and that user’s name is subsequently changed to "Jones-Smith, Mary", the original user
name reference will automatically be updated in the formula to "Jones-Smith, Mary".
As another example, user Mary Jones is referenced in a formula by her Archer logon name for the
domain "bigcompany.com". Her logon name should be passed to the USER function as
"mjones@bigcompany.com". If an administrator later changes Mary Jones’ logon name on that
domain to "msmith", the original logon name will automatically be updated to
"msmith@bigcompany.com".
The USER function also directly accepts system-assigned user ID numbers. Each user in the system
has an internal ID number that is guaranteed to be unique. For example, if two users both named
Graham, Ned exist in the system, the user name cannot be resolved to determine whether the
intended Graham, Ned is selected in the given User/Groups List or Record Permissions field.
However, a system ID, for example, 76219, can be used in place of the ambiguous user name to
uniquely identify the correct Graham, Ned.
Return Type: Text or Numeric, depending on the format selected for the ref_type parameter
Syntax: USER(ref_type, value1, value2…)
The following table describes USER function parameters.
ref_type Accepts the keyword NAME, LOGIN, or ID.

l If NAME is specified, the function will inspect field selections by literal user
name, for example, "Jones, Mary".
l If LOGIN is specified, the function will inspect user selections based on logon
name, rather than user name, for example, mjones@bigcompany.com.
l If ID is specified, the function will inspect user selections based on unique
system-assigned ID numbers.

value1, One or more values within a User/Groups or Record Permissions field.

value2… l NAME. If ref_type is NAME, user names must be passed exactly as they
display in the User/Groups List or Record Permissions field. If passing a user’s
name, the name must be specified in the following format: "lastname, firstname".
Matching will be case sensitive. The system will test only against non-deleted
users.
When using NAME with USER, an error will occur during formula validation if
any of the following is true:
o If the named user cannot be found in any domain
o If the named user is found in more than one domain
o If the named user is found in a single domain only but the user name is not
unique within that domain.
l LOGIN. If ref_type is LOGIN, the function will expect one or more Archer user
logon name values. Matching will be performed against users’ logons rather than
by their last and first names.
When using LOGIN with USER, an error will occur during formula validation if
any of the following is true:
o If the user referenced by logon cannot be found in any domain
o If the user referenced by logon is found in more than one domain
If the LOGIN string contains at least one @ sign, the system will assume that all
text following the last @ sign is a domain reference and the system will attempt
to locate that domain. If the LOGIN string does not contain a @ sign, the system
will look for an exact match for the entire login string in the Archer (NULL)
domain and the default domain.
Note: The system will attempt to match the domain name against both active and
deleted, for example, soft-deleted, domains. Only active domain names must be
unique; it is possible that a deleted domain has the same name as an active
domain. If the logon string exists in more than one of the domains that have the
same name, the system will fail the formula on validation.
If the domain can be found:

1. The system treats all text in the logon string before the last @ sign as the user
logon name and will attempt to find that user logon within the domain.
2. If the logon is found within the domain, the system will replace the logon
string in the formula with the ID of the user matching that logon.

If the domain cannot be found:

1. The system will look for an exact match for the entire logon string in the
Archer (NULL) domain and the default domain.
2. If only one user with that logon exists, the system will replace the logon string
in the formula with the ID of the user matching that logon.
l ID. If ref_type is ID, the function will expect one or more system-assign user ID
numbers. User IDs are assigned by the system and are always unique. User IDs
are numbers and should not be quoted. When using ID with USER, an error will
occur during formula validation if any of the following is true referenced user ID
cannot be found in any domain.
Examples:
The following table provides example formulas of the USER function.
Formula Result
IF(CONTAINS(ANY, GETUSERS([Technician]), USER(NAME, Standard

"Thurman, Laurie", "Winters, George")), "Standard", "Priority")
where the user "Thurman, Laurie" is selected in the Technician
User/Groups List field.
IF(CONTAINS(ANY, GETUSERS([Reviewer]), USER(NAME, "Jasper, Yes

Susan", "Miner, Burt", "Rollins, Jacob")), "Yes", "No")
where the user "Miner, Burt" is selected in the Reviewer Record
Permissions field.
IF(CONTAINS(ANY, GETUSERS([Manager]), USER(LOGIN, The value

"kjackson", "tbarnett@bigcompany.com", "jwilson@bigcompany.net", "Escalate" is
"smartin")),VALUEOF([Alert], "Escalate"), VALUEOF([Alert], selected in the Alert
NOVALUE( ))) Values List field.
where "Barnett, Tina" is selected in the User/Groups List field and her
Archer logon ID for the "bigcompany.com" domain is "tbarnett".
IF(CONTAINS(ANY, GETUSERS([Associates]), USER(ID, 76299, Found

56897, 79867)),”Found”, ”Not Found”)
where "Eastman, Tina" is selected in the User/Groups List field and her
system user ID is 79867.

USERFIRSTNAME Function
The USERFIRSTNAME function returns the first name of either the record creator or the record
editor. The creator is defined as the user who created the record (or is currently creating the record).
The editor is defined as the user who last edited the record.
Return Type: Text
Syntax: USERFIRSTNAME(user_type)
The following table describes the USERFIRSTNAME function parameter.
user_type Accepts the keyword CREATOR or EDITOR. If CREATOR is specified, the

function returns the first name of the user associated with creating the record. If
EDITOR is supplied, the function returns the first name of the user associated with
the most recent record update.
Examples:
USERFIRSTNAME function.
Formula Result
"Hello, " & USERFIRSTNAME(CREATOR) Hello, Janet

where Janet is the first name of the record creator.
"Hello, " & USERFIRSTNAME(EDITOR) Hello, Miles

where Miles is the first name of the record editor.
USERLASTNAME Function
The USERLASTNAME function returns the last name of either the record creator or the record
editor. The creator is defined as the user who created the record (or is currently creating the record).
The editor is defined as the user who last edited the record.
Return Type: Text
Syntax: USERLASTNAME(user_type)

The following table describes the USERLASTNAME function parameter.


function returns the last name of the user associated with creating the record. If
EDITOR is supplied, the function returns the last name of the user associated with
the most recent record update.
Examples:
The following table provides example formulas of the USERLASTNAME
function.
Formula Result
"Last Name: " & USERLASTNAME(CREATOR) Last Name: Rossi

where Rossi is the last name of the record creator.
"Last Name: " & USERLASTNAME(EDITOR) Last Name: Eldrich

where Eldrich is the last name of the record editor.
USERMIDDLENAME Function
The USERMIDDLENAME function returns the middle name of either the record creator or the
record editor. The creator is defined as the user who created the record (or is currently creating the
record). The editor is defined as the user who last edited the record.
Return Type: Text
Syntax: USERMIDDLENAME(user_type)
The following table describes the USERMIDDLENAME function parameter.

function returns the middle name of the user associated with creating the record. If
EDITOR is supplied, the function returns the middle name of the user associated
with the most recent record update.
Examples:

The following table provides example formulas of the USERMIDDLENAME func-

tion.
Formula Result
"Middle Name: " & USERMIDDLENAME(CREATOR) Middle Name: Ellen

where Ellen is the middle name of the record creator.
"Middle Name: " & USERMIDDLENAME(EDITOR) Middle Name: Quentin

where Quentin is the middle name of the record editor.
VALUEOF Function
The VALUEOF function maintains the validity of a Values List field selection. If the text of a value
is changed in the custom or global values list by the RSA Archer administrator, this function
automatically updates the formula to use the new text for the value. For example, if the value "Blue"
is referenced in a formula with the VALUEOF function and that value is subsequently changed to
"Red" within the values list, the value reference "Blue" will automatically be changed to "Red"
within the formula.
From a user perspective, the VALUEOF function serves two additional purposes, it enables you to:
l Evaluate a Values List field for the presence of a specific value.
l Set value selections in a Values List field.
The following example shows the use of the VALUEOF function in a formula for a calculated
Values List field. The VALUEOF function is used for both the "value_if_true" and "value_if_false"
parameters within the IF function syntax.
IF([Risk Rating]>=10, VALUEOF([Criticality], "High"), VALUEOF([Criticality], "Low"))
In a record, this formula will evaluate Risk Rating, and if the value in that field is greater than or
equal to 10, the formula selects the value High in the Criticality calculated Values List field. If the
value in Risk Rating is less than 10, the formula selects the value Low in Criticality.
This second example shows the use of the VALUEOF function in a formula for a calculated Text
field. The VALUEOF function is used for the value parameter within the CONTAINS function
syntax.
IF(CONTAINS(ANY, [Location],VALUEOF([Location], "New York")),"Yes","No")
In a record, this formula produces the value "Yes" or "No" in the calculated Text field depending on
whether the value "New York" is selected in Location, which is a Values List field. If the value
"New York" is selected, the calculated Text field displays the value "Yes." If the value "New York"
is not selected, the calculated Text field displays the value "No."
Return Type: Text
Syntax: VALUEOF(field_ref, value1, value2…)


The following table describes VALUEOF function parameters.
field_ref A reference to a field, for example, [field name].
value1, A value within a Values List field. Enter the value as "value", for example,
value 2, ... "Urgent". If the Values List field allows multiple selections, multiple values can be
entered as "value1","value2","value3".
VALUEOF([Values List Name], "value1", "value2", "value3"). For example,
VALUEOF([States], "Washington", "New York", "Massachusetts")
Examples:
The following table provides example formulas of the VALUEOF function.
Formula Result
IF(CONTAINS(ANY, [Location],VALUEOF([Office], "Chicago”, "Local", Local

"Global")))
where the selected value in Location is Chicago.
IF(CONTAINS(ANY, [Region], VALUEOF([Region], "Northeast")), Connecticut

VALUEOF([Office], "Connecticut", "New York", Massachusetts"), VALUEOF New York
([Office], "Kansas", "Illinois", "Texas"))
Massachusetts
where the selected value in Region is Northeast.
IF(CONTAINS(ANY, [Color], VALUEOF([Color], "Red", "Green", "Blue", Other

"Yellow")), "Primary Color", "Other")
where the selected value in Color is Silver.
WEIGHTEDSCORE Function
The WEIGHTEDSCORE function returns the weighted score value for the values selected in a
Values List question. This function is only useful if you assigned a weight to the Values List
question and you assigned a numeric value to each of the possible answers to the question.
Using this function will execute the following calculation:
[values list selection numeric value] * [values list question weighting] = WEIGHTEDSCORE
or (for multi-select Values List questions):
SUM([values list selection numeric value1], [values list selection numeric value2]) * [values list
question weighting] = WEIGHTEDSCORE

The WEIGHTEDSCORE function can only be used within a questionnaire and can only reference a
Values List question.
Syntax: WEIGHTEDSCORE(field_ref)
The following table describes the WEIGHTEDSCORE function parameter.
Example:
The following table provides an example formula of the WEIGHTEDSCORE function.
Formula Result
WEIGHTEDSCORE([New User Access]) 50

where the weighting value for the New User Access question is "10" and the numeric
value for the answer is "5".
WEIGHTING Function
The WEIGHTING function returns the weighting value of a Values List question. The
WEIGHTING function can only be used within a questionnaire and can only reference a Values List
question.
Syntax: WEIGHTING([field_ref])
The following table describes the WEIGHTING function parameter.
Example:
The following table provides an example formula of the WEIGHTING function.
Formula Result
WEIGHTING([New User Access]) 10

where the weighting value for the New User Access question is "10".

Text Functions
The following text functions utilize and manipulate text strings to produce dynamic values.
CONCATENATE Function
The CONCATENATE function joins up to 255 text strings into 1 text string. The joined items can be
text, numbers, cell references, or a combination of those items. You must specify any spaces or
punctuation that you want to appear in the results as an argument that is enclosed in quotation marks.
Return Type: Text
Syntax: CONCATENATE(text1, text2, ...)
The following table describes CONCATENATE function parameters.
text1 The first text item to be concatenated.
text2, ... Additional text items, up to a maximum of 255 items. The items must be separated
by commas.
Example:
The following table provides an example formula of the CONCATENATE function.
Formula Result
CONCATENATE([First Name], " ", [Last Name]) John

where the value in the First Name field is "John" and the value in the Last Name field Smith
is "Smith".
FIND Function
The FIND function searches for a specific character or text string within another text string. It
returns the number of the character at which the specific character or test string is first found. The
FIND function is case sensitive.
Syntax: FIND(find_text, field_ref, start_num)

The following table describes FIND function parameters.

find_text The character or text string you want to find. You can format this parameter as a
hard-coded character or text string, for example, "sci", or as a Text-field reference,
for example, [field name].
field_ref A Text-field reference, for example, [field name].
start_num The character number in the field_ref parameter at which you want to start
searching for the find_text parameter. If this parameter is omitted, the search will
begin at the first character in the Text field. If this parameter is less than or equal to
0 (zero) or is greater than the number of characters in the Text field, a formula
validation error will occur.
Examples:
The following table provides example formulas of the FIND function.
Formula Result
FIND("Sci", 10 (because "Sci" begins at the tenth character in this text string)
[Subject])
where the value
in the Subject
field is "Arts and
Sciences".
FIND("s", 17 (notice that the first "s" in the Subject field value was skipped because the
[Subject], 5) start_num parameter required that the search begin at the fifth character and
where the value the "S" in the Subject field value was skipped because it does not match the
in the Subject case specified)
field is "Arts and
Sciences".
LEFT Function
The LEFT function returns the first character or characters in a text string, based on the number of
characters that you specify. LEFT is intended for use with languages that use the single-byte
character set (SBCS). LEFT always counts each character, whether single-byte or double-byte, as 1,
regardless of what the default language setting is.
Syntax: LEFT(text,num_chars)

The following table describes LEFT function parameters.

text The text string that contains the characters that you want to extract.
num_chars The number of characters that you want LEFT to extract. Note that:
l Num_chars must be greater than or equal to zero.
l If num_chars is greater than the length of text, LEFT returns all of
text.
l If num_chars is omitted, it is assumed to be 1.
Examples:
The following table provides example formulas of the LEFT function.
Formula Result
LEFT([Text],4) First four characters in the string (Sale)

where the value in the Text string is Sale Price.
LEFT([Text]) First character in the string (S)

where the value in the Text string is Sweden.
LEN Function
The LEN function returns the number of characters in the supplied string.
Syntax: LEN(text)
The following table describes the LEN function parameter.
text The text string to be evaluated. This parameter should be formatted as a Text-field
reference, for example, [field name].

Example:
LEN function.
Formula Result
LEN ([Last Name]) 5

where the value in the Last Name field is "Jones".
LOWER Function
The LOWER function converts all characters in the supplied text string to lowercase. This function
does not affect non-alphabetic characters.
Return Type: Text
Syntax: LOWER(text)
The following table describes the LOWER function parameter.
text The text string to be converted to lowercase. This parameter should be formatted as
a Text-field reference, for example, [field name].
Examples:
The following table provides example formulas of the LOWER function.
Formula Result
LOWER([Name]) jake miller

where the value in the Name field is "Jake Miller ".
LOWER([Email Address]) suzy.williams@shore2shore.org

where the value in the Email Address field is
"SUZY.WILLIAMS@Shore2Shore.org".
MASKEDTEXT Function
The MASKEDTEXT function returns the string value of the referenced Text field using the mask (if
any) defined for the field. If the function references a Text field for which a mask has not been
defined, the function will return the raw value from the field.
Note: Unless a Text field reference is wrapped in MASKEDTEXT, the calculation engine will
always evaluate the raw, unformatted value of the Text field.

Return Type: Text

Syntax: MASKEDTEXT(text_field)
The following table describes the MASKEDTEXT function.
text_field This parameter should be formatted as a Text-field reference, for example, [field
name].
Note: This function is valid only for Text fields.
Examples:
The following table provides example formulas of the MASKEDTEXT function.
Formula Result
MASKEDTEXT([Phone]) (913)
where the raw value in the Phone field is 9137862356 and the Text field is defined to 786-2356
use a phone number mask.
MASKEDTEXT([SIN]) 046 454

where the raw value is 046454286 and the Text field is defined to use a custom mask 286
for the Canadian Social Insurance Number.
NUMBERFORMAT Function
The NUMBERFORMAT function is used to "pad" zeros (0) to the left of a given numeric value
based on the count of digits specified by the number "mask." The zero padding is only applied if the
number of digits in the numeric value falls short of the number of digits specified in the mask. This
function returns a text value (string) that can be concatenated to other strings or stored directly in the
Text field.
Return Type: Text
Syntax: NUMBERFORMAT(value, value_mask)
The following table describes the NUMBERFORMAT function parameters.
value The numeric value, which can be derived through a Numeric-field reference, for
example, [field name], or through the use of a function that returns a numeric value.

value_mask The mask used to format the returned text value. The value_mask parameter must be
enclosed in quotes.
The final placeholder in the value_mask parameter must always be a single pound
sign (#). The placeholders allowed for this function are:
0 = Zero placeholder
# = Value placeholder
Examples:
The following table provides example formulas of the NUMBERFORMAT function.
Formula Result
NUMBERFORMAT(TRACKINGID( ), "00#") 001

where the tracking ID returned by the TRACKINGID function is 1.
NUMBERFORMAT(TRACKINGID( ), "000000#") 0000937

where the tracking ID returned by the TRACKINGID function is 937.
CONTENTID( ) & "-" & NUMBERFORMAT(TRACKINGID( ), "000#") 878762-

where the content ID returned by the CONTENTID function is 878762 and the tracking 0008
ID returned by the TRACKINGID function is 8.
NUMBERFORMAT([Risk] + [Criticality], "00#") 019

PROPER Function
The PROPER function capitalizes the first letter of each word in the supplied string, as well as the
first letter that follows any non-alphabetic character in the string. All other letters in the string are
converted to lowercase.
Return Type: Text
Syntax: PROPER(text)
The following table describes the PROPER function parameter.
text The text string to be converted to proper text format. This parameter should be
formatted as a Text-field reference, for example, [field name].

Examples:
The following table provides example formulas of the PROPER function.
Formula Result
PROPER([Last Name]) Jane Pearson-Wyatt

where the value in the Last Name field is "jane pearson-wyatt".
PROPER([Last Name]) O’Neil

where the value in the Last Name field is "O’NEIL".
PROPER([Last Name]) St. John

where the value in the Last Name field is "ST. JOHN".
PROPER([Web Page]) Www.Archer-Tech.Com

where the value in the Web Page field is "www.archer-tech.com".
PROPER([Equipment Note]) This Is Mike’S Laptop.

where the value in the Equipment Note field is "This is Mike’s laptop."
RIGHT Function
The RIGHT function returns a specific number of characters from the right side of the string. For
example, if you specify 3 characters, the last 3 characters from the string will be returned.
Return Type: Text
Syntax: RIGHT(text, num_chars)
The following table describes RIGHT function parameters.
text The text string that contains the characters that you want to return. This parameter
should be formatted as a Text-field reference, for example, [field name].
num_chars Specifies the number of characters in the text string that you want to return. This
parameter must be greater than or equal to 0 (zero). If this parameter is negative,
the function will return an error.
Example:

The following table provides an example formula of the RIGHT function.

Formula Result
RIGHT([Department Name], 4) ting

where the value in the Department Name field is "Marketing".
STRIPHTML Function
The STRIPHTML function removes HTML tags from calculated text fields within a data feed while
the feed is taking place. There are no defined parameters for this function because it is coded only to
remove the HTML tags from text fields in the data feed.
Return Type: Text
Syntax: STRIPHTML
SUBSTRING Function
The SUBSTRING function returns a specified number of characters from a text string. When
creating a formula with this function, you specify the character position where you want to start
extracting text, and you specify the number of characters to return. For example, if you enter 1 as the
start position and 3 as the number of characters to return, you would get the substring "Mar" from a
Text field with the value "Marketing."
Return Type: Text
Syntax: SUBSTRING(text_field, start_num, num_chars)
The following table describes SUBSTRING function parameters.
text_field The text string that contains the characters that you want to return. This parameter
should be formatted as a Text-field reference, for example, [field name].
start_num Specifies the position of the first character that you want to extract from the Text
field. The first character in a string has a start number of 1. If the start number value
is less than 1 or is greater than the number of characters in the string, the calculation
will fail.
num_chars Specifies the number of characters in the Text field that you want to return. If you
specify a value that is larger than the total number of characters in the string, then
this parameter returns all characters to the end of the string.
Example:


SUBSTRING function.
Formula Result
SUBSTRING([Department Name], 1, 4) Mark

where the value in the Department Name field is "Marketing".
Note: If the text string contains ampersand (&), less than (<), greater than (>), pound (#), single
quotation (') or double quotation (") characters, then the SUBSTRING function returns results
incorrectly.
TRIM Function
The TRIM function removes spaces from text strings, with the exception of single spaces between
words. A common use for the TRIM function is to remove extra spaces from data received from an
integration or data import. Often, data formatted in another system has irregular spacing. Using the
TRIM function ensures that unnecessary spaces are removed from your Archer text.
Return Type: Text
Syntax: TRIM(text)
The following table describes the TRIM function parameter.
text The text string from which you want to remove the unnecessary spaces.
Example:
The following table provides an example formula of the TRIM function.
Formula Result
TRIM([Asset Description]) "The HR-DB Server is used to

where the value of the Asset Description field is "The HR- store our human resources
DB Server is used to store our human resources information."
information."
UPPER Function
The UPPER function converts all characters in the supplied string to uppercase. This function does
not affect non-alphabetic characters.
Return Type: Text

Syntax: UPPER(text)
The following table describes the UPPER function parameter.
text The text string to be converted to uppercase. This parameter should be formatted as
a Text-field reference, for example, [field name].
Examples:
The following table provides example formulas of the UPPER function.
Formula Result
UPPER([Name]) JAKE MILLER

where the value in the Name field is "Jake Miller ".
UPPER([Web Site]) WWW.ARCHER-

where the value in the Web Site field is "www.archer-tech.com TECH.COM
".
Arithmetic Operators
The following table provides the

description of arithmetic operators
offered by the formula builder.
+ Addition (3 + 3)
/ Division (3 / 2)
^ Exponentiation (3 ^ 2)
* Multiplication (2 * 3)
- Subtraction (5 - 2)
Negation (-4)

If a field included in an addition, subtraction, multiplication, division or comparison operation is

empty or null, the value "0" (zero) is used for the field value. The following formula is an exception
to this rule:
IF([Sample Field] = 0, "TRUE","FALSE")
In this formula, the Sample Field is not populated with the value "0" if the field is empty or null.
Instead, this formula returns TRUE when the Sample Field is empty or null.
Comparison Operators
The following table provides the description of

comparison operators offered by the formula
builder.
= Equal to (3 = 3)
> Greater than (3 > 2)
>= Greater than or equal to (3 >= 3)
< Less than (2 < 3)
<= Less than or equal to (3 <= 3)
<> Not equal to (3 <> 2)
If a field included in an addition, subtraction, multiplication, division or comparison operation is

empty or null, the value "0" (zero) is used for the field value. The following formula is an exception
to this rule:
IF([Sample Field] = 0, "TRUE","FALSE")
In this formula, the Sample Field is not populated with the value "0" if the field is empty or null.
Instead, this formula returns TRUE when the Sample Field is empty or null.
Concatenate Operator
The following table describes the Concatenate operator.

& Concatenate, or join, two or more text strings to produce a single piece of text, for
example, "text" & "string".

Scheduling Calculations
Scheduling calculations enables you to automate predefined calculated fields in an application on a
recurring basis and run calculations on-demand.
System administrators have unrestricted access to all schedules in RSA Archer. Application owners
have unrestricted access to schedules in their applications, except for filter fields, reference fields,
or fields being updated to which they do not have access.
Schedule a calculation
1. Go to the Manage Schedule page of the application for which you want to schedule a calculation.
a. From the menu bar, click the Solution Name menu.
b. From the Solutions list, click the solution.
c. From the Applications list, click the icon next to the application name.
Note: If you have administrator access, you can also access the Manage Schedules page, which
displays all schedules in the system that you have access to. From the menu bar, click
and under Application Builder, click Schedules.
2. On the Calculation Schedules tab, click Add New.

3. In the General Information section, do the following:
a. Enter a name and description for the schedule.
b. Select the application for which you want to calculate fields.
c. In the Status field, select Active if you want the schedule to start running as scheduled once
it is saved. Otherwise, select Inactive and change the status to Active later when you are
ready for the schedule to start running.
l If the application is not a leveled application, go to the next step.
l If the application is a leveled application, select the level where the fields on which you
want to execute a calculation resides.
4. In the Notifications section, select Job Status Notification (regardless of whether it was
successful or not).
Note: Job Status Notifications are only sent if notifications have been configured for scheduled
calculations in this application. For instructions, see "Adding Admin Notifications" in the RSA
Archer Online Documentation.

5. In the Recurrences section, select the frequency, start time, start date, and time zone in which
you want to run the schedule.
6. In the Filters section, create search filters to identify only the records on which you want to
execute a calculation.
7. Click Save.
8. (Optional) Click to return to the Manage Schedule page.
Manage schedules
1. Go to the Manage Schedule page of the application for which you want to manage a scheduled
calculation.
c. From the Applications list, click the icon next to the application name.
Note: If you have administrator access, you can also access the Manage Schedules page, which
displays all schedules in the system that you have access to. From the menu bar, click
and under Application Builder, click Schedules.
2. Do any of the following:

l To edit a calculation, click the schedule name or, in the Actions column, click . Update the
scheduled calculation as necessary, then click Save.
l To delete a calculation, in the Actions column of the scheduled calculation you want to delete,
click . When prompted if you want to proceed, click Delete.
l To run a calculation on-demand, in the Actions column of the scheduled calculation you want
to run, click Run Now.
l To run a calculation, in the Actions column of the scheduled calculation you want to run, click
. When prompted if you want to proceed, click Run.
Important: The schedule runs using the permissions of the user who initiates the run.
The system queues a job in the Job Engine Services queue. When the job is complete, you can
view the run report (see step 3).
Note: The progress bar reflects both number of actions as well as number of records that are
being processed. The progress bar is proportioned by number of actions, and the proportion of
an action reflects the progress of the action.

l To email a schedule, click the schedule you want to share and click .
3. (Optional) To view the schedule run details, do the following:
a. Click the Schedule Run Details tab.
b. In the Report column for the schedule you want to view, click .
The report provides information and statistics about the schedule job. If the job is still
running, you can click Refresh to load the latest results.
c. To close the report, click OK.
Recalculation Conditions
Calculated fields can be recalculated when a user is viewing or editing a record. To initiate an
immediate recalculation, a user must have update permissions to the record. When initiated from
either mode, only marked content is recalculated. Content changes may result in outstanding
calculations in a related level or application.
The recalculation can be initiated when content is changed, or for content that has a status of marked
for recalculation. All calculated fields are recalculated immediately within the current content. All
related content affected by the change is marked and queued for recalculations in an asynchronous
job. When save or apply updates calculated fields, and there are no other user changes, notifications
are not sent.
When marked content is calculated asynchronously, only the fields associated with the executed job
are calculated. Notifications are never sent. Notifications are only sent when a user saves a record.
Calculated fields are only recalculated based on changes made directly in a data feed, data import,
web API, or scheduled recalculation jobs.
More information about recalculations in calculated fields

l In addition to scheduled recalculations, field recalculations are performed for a record each time
a user clicks Save or Apply for the record.
l Search does not trigger a recalculation of field values.
l Scheduled recalculations are written directly to the database and are not interpreted by the
application as true “record save” events and are not captured in the History Log field.
l Scheduled recalculations do not trigger notifications.
l Field-value changes stemming from a scheduled recalculation are not reflected in the audit
information displayed alongside a field.
l Each time that you create or edit a calculated field, the system searches for NOW and TODAY
in all of the application or formulas of the sub-form. If the system can no longer locate either of

these functions, any previously configured recalculation schedule are automatically disabled for
the application or sub-form.
l Fields with the As Needed option selected for recalculations are only recalculated if the value
will be changed.
l In multi-level applications, recalculation schedules are level-specific.
The following table describes other conditions that may also trigger a recalculation condition.
Trigger Description
Full All fields for all content are queued for recalculation but are not marked.
Module Calculation
Scheduled Content status remains unmarked and the calculation is updated by an

Recalculations asynchronous job. Only the fields that are set to Always and formulas with
NOW( ) and TODAY( ) functions are recalculated.
Related Content When a user, job engine, data feed, or Web API makes a change to a field
that affects changes in a related module, the following occurs:
l An asynchronous job is scheduled to recalculate all affected content one
level away of the related module, for example related record in current
application or cross-referenced application in related record.
l All affected content in the related module (one level away) is marked for
recalculation.
Recalculation and error handling rules

The following table describes recalculation and error handling rules.
Rule Description
Recalculation Determines when a field is recalculated As Needed or Always.

As Needed: Formulas are recalculated when a dependent field in the formula
changes.
Always: Formulas are recalculated every time content is saved even though a field
is not referenced in the formula. Formulas that contain NOW ( ) and TODAY ( )
functions, or user first name, last name, and middle name (Editor) parameters are
recalculated regardless of content change.

Rule Description
Error Determines what happens when a calculation error occurs. This rule has the
Handling following options:
Display Error: The word Error is displayed as a link when a calculation error
occurs. Users with the appropriate access privileges can click the link to open the
Calculation Error page where the error is explained.
Use No Value: An empty value is saved in the field when a calculation error
occurs.
Use Specific: A specific value is saved in the field when a calculation error
occurs.
Recalculations in edit mode

When in edit mode, the Recalculate button is not available. The recalculation is initiated from the
Save button.
Example: Cross-referenced field updated
The following table describes the example.
Calculated field is [Total Risk] in Application A. [Risk] is a cross-referenced field.
[Controls] is a level in the cross-reference multi-level application and [Severity Rating]
Scenario is a field in the Controls data level.
SUM(REF([Risk], [Severity Rating], [Controls]))
User drills into [Severity Rating] in Application B.

[Severity] = 12.
Action 1
User changes value of [Risk] to 11 and clicks Save.
Content of [Total Risk] is ‘marked’ for recalculation.
User with Read and Update permissions returns to Application A in Edit mode and
Action 2
clicks Save.
Action 3 User saves record in Application B.
[Total Risk] is recalculated immediately, and the updated value is displayed.

Results
[Total Risk]=23
Example: Calculated field updated by data feed


Application A has three fields Risk, Criticality, and Severity. Rating is a related record
in Application B.
[Total Risk] is dependent on the value of [Criticality].tota
Scenario
SUM(REF([Risk], [Criticality]))
[Severity] is dependent on [Rating].
IF([Rating]=10, VALUEOF ([Severity],"High"),VALUEOF ([Severity], "Low")
Action 1 User changes the value of Critically in Application B and clicks Save.
Results Related content in Application A is 'marked'.
Data feed updates [Rating] in Application A to a value of 10. Severity is calculated

Action 2
upon content save initiated by the data feed.
[Total Risk] is not recalculated.

Results [Rating] is updated during the data feed.
[Severity] is changed to High.
Action 3 User view records and clicks Recalculate.
Results [Total Risk] is recalculated immediately.
Recalculations in view mode

When in View mode, a message is displayed stating that the content may not be current. The
Recalculate button is available.
Example: Cross-Referenced field updated
User edits [Severity Rating] in Application B.

[Severity] = 12.
Action 1

User with Read and Update permissions returns to Application A in View mode and
Action 2
clicks Recalculate.

Results
[Total Risk]=23
Recalculating Calculated Fields

When scheduling recalculations for an application, those recalculations impact all records in the
application, including records currently opened (locked) for editing. When scheduling recalculations
for a sub-form, those recalculations impact all records in the sub-form across all applications in
which the sub-form is embedded. If an application contains both a sub-form and a calculated field
whose value is dependent on a field within the sub-form, records in the application also recalculate
when sub-form-level records recalculate. This condition is only true, however, for application
records in which a user has made at least one entry in the embedded sub-form.
In addition to a scheduled recalculation, you can also execute an on-demand recalculation. Both
types of recalculation are available per level of application.
Schedule a recalculation of a calculated field

Configure a batch recalculation schedule for an application or sub-form using the Recalculation
Schedule function. Using the recalculation schedule option ensures that date-based information is
kept current. If your application is leveled, it is possible to schedule a recalculation for each level
within your application.
1. Go to the Calculations tab of the application, questionnaire, or sub-form that you want to update.

b. Under Application Builder, click Applications, Questionnaires, or Sub-forms.
c. Select the application, questionnaire, or sub-form.
2. If the application is a leveled application, in the Select Data Level section, select the data level
to recalculate.
Note: If your application is not a leveled application, this section is not available.

3. In the Recalculation Schedule section, select Recalculations.
Note: If your application or sub-form does not contain at least one calculated field that uses the
TODAY or NOW functions, you cannot access the Recalculation Schedule dialog box.
Scheduled recalculations are necessary only if you need to evaluate content within the context of
the passage of time.
4. In the Interval field, enter the frequency, in days, for how often you want to execute a
recalculation.
For example, if you entered "7", the application recalculates every seven days.
5. In the Begin Time field, enter the time of day that you want to execute the recalculation.
6. In the Time Zone field, select the time zone to reference for determining the Begin Time value.
Execute an on-demand recalculation

You can execute an on-demand recalculation, in addition to scheduling a recalculation. When
viewing a record of an application of which you are the assigned owner or an administrator, you can
recalculate all calculated fields within the records.
Important: All calculated fields in all records within the application, level (for leveled
applications), or sub-form will be recalculated, even fields that have been selected with the As
Needed option at the field level. This may impact system performance.

2. If the application is a leveled application, in the Select Data Level section, select the data level
to recalculate.
Note: If your application is not a leveled application, this section is not available.
3. Go to the On-Demand Recalculation section.

4. Click Launch Full Recalculation.

5. Click Yes to confirm the recalculation.
References in Formulas
Calculated fields can be applied in any application, questionnaire, or sub-form. Design the formula
of the field to reference fields that reside within the application, a sub-form embedded in the
application, or a related application. If creating a calculated field for a sub-form, design the formula
of the field to reference fields that reside in the sub-form or in a related application.
Use the REF function to reference fields in an application, fields in related applications or
questionnaires, fields in a parent or child level, and specific values from values list fields.
Field references in formulas

By referencing fields and field values in a calculated field formula, you can produce calculated
values that are based on other conditions within the application, questionnaire, or sub-form.
Example: Formula containing field references
IF(CONTAINS(ANY, [Location], VALUEOF([Location], "New York")),"Yes","No")

In individual records, this formula produces the value "Yes" or "No" in the calculated field
depending on whether the value "New York" is selected in the "Location" field. If the value "New
York" is selected, the calculated field returns the value "Yes." If the value "New York" is not
selected, the calculated field returns the value "No."
The following table provides a list of field types that can be referenced in
an application or questionnaire.
l Cross-Reference l Related
l Date (with or without time information) Records
l First Published Date (with or without time l Scheduler

information) l Sub-Form
l Last Updated Date (with or without time l Text
information) l Tracking ID
l Multiple Reference Display Control l User/Groups
l Numeric List
l Record Permissions l Values List
l Record Status

The following table provides a list of Field types that can be referenced in
a sub-form.
l Cross-Reference l Record
l Date (with or without time information) Status
l First Published Date (with or without time l Related

information) Records
l Last Updated Date (with or without time l Text

information) l Tracking ID
l Multiple Reference Display Control l Values List
l Numeric
Example: Calculations with dependent fields in the same level
The following table describes an example scenario of calculations with dependent

fields in the same level.
Application has two fields Risk and Criticality.
Scenario [Total Risk] is a calculated field dependent on the value of [Criticality]
SUM([Risk], [Criticality])
User changes the value of Criticality and clicks Save.

Action 1
Where [Risk] = 12 and [Criticality] = 7
[Risk] is calculated immediately, and the updated value is displayed.

Results
[Risk]=19
Cross-Application references in formulas

When you create a calculated field in an application, questionnaire, or sub-form, you can reference
fields residing in related applications or questionnaires, enabling you to perform cross-application
calculations. The Available Fields list in the formula builder displays all fields that are available for
reference in your formula, including cross-reference and related records fields. By expanding a
cross-reference or related records field in the formula builder, as shown in the following figure, you
can select fields from the related component for reference in your formula.

l 1 - Cross-Reference field to the Risk Assessments application

l 2 - Fields available for reference from the related application
When you reference a field from a related application or questionnaire in a formula, the field
reference displays as follows: REF([Cross-Reference Field Name], [Field Name]).
Example: Formula that references a field from a related application
IF(CONTAINS(REF([Risk Assessments], [Overall Risk Exposure]),VALUEOF

("High")),"No","Yes")
This formula examines the Overall Risk Exposure field in the Risk Assessments cross-reference
field for the value "High." If the value is found, the calculated field is populated with the value
"No." Otherwise, the field is populated with the value "Yes."
Referencing leveled applications
The calculation engine also allows you to reference fields from leveled applications. When you
reference a field from a related leveled application in a formula, the field reference displays as
follows: REF([Cross-Reference Field Name], [Field Name], [Data Level Name]).
Example: Formula that references a field from a related leveled application:
AVERAGE(REF([Response Measures], [Severity Rating], [Responses]))

This formula averages the values of the Severity Rating field for related records within the
Responses data level of the related application. If there are three records related to the parent
record, with values of "2", "9" and "4" in the Severity Rating field within the Responses data level,
this calculation returns a value of "5".

Referencing sets of values
Reference fields are particularly handy for calculations that require a set of values, rather than a
single value, as input. In this case, reference a cross-reference field that points to a field that
contains several values as input. For example, the LARGE function returns the k-th largest value in
a data set. The syntax, LARGE(values,k), requires a set of values as input.
Example: Formula using a REF statement that points to a cross reference field:
LARGE(REF([Data Set],[Values]),3)
In this example, Data Set is a cross-reference field and the records in the Values field are 3, 5, 3, 5,
4, 4, 2, 4, 6 and 7. This calculation returns the third largest value in the data set provided, which is 5.
Example: Cross-Referenced field updated by user
The following table describes an example scenario of a cross-referenced field updated by a user.
User drills into [Severity Rating] in Application B.

[Severity] = 12.
Action 1
User with Read and Update permissions returns to Application A in Edit mode and
Action 2
clicks Save.

Results
[Total Risk]=23
Cross-Level references in formulas

When you create a calculated field in a leveled application, reference fields in a parent or child
level using the REF function.
AVERAGE(REF([Vendors], [Assessments], [Risk Rating])

This formula, created for a calculated field in the parent Vendors level of a two-level application,
references the Risk Rating field in the child Assessments level. The formula produces a numeric
value showing the average Risk Rating in all Assessment records associated with a parent-level
Vendors record.
Values list value references in formulas

When creating a calculated field in an application or sub-form, reference specific values from
values list fields within your formula. RSA Archer dynamically maintains these field-value
references, meaning that if you modify a value within a values list and that value has been
referenced in a formula. RSA Archer automatically updates the value within the formula so it
remains a valid field-value reference. For example, if you change the value "Important" to "Urgent"
within your global or field-specific values list, any formula that references the value "Important"
updates to reference the value "Urgent" instead.
Formula using the VALUEOF function
To reference a values list value in a formula, use the VALUEOF function and surround the value
name in quotes.
IF(CONTAINS(EXACT, VALUEOF([Risk Rating], "High")),"Yes","No")
This formula examines the Risk Rating field, which is a values list field, for the presence of the
value "High." If the formula finds this value, it populates the calculated field with "Yes." If not, it
populates with "No."
In addition to monitoring a values list field for the presence of a specific value, the VALUEOF
function enables you to set a values list field selection dynamically based on other conditions within
the record.
Example: Dependent on value in a values list
The following table provides an example formula of the VALUEOF function.
IF(CONTAINS(ANY, [Location], VALUEOF([Location], "New York")), (VALUEOF
Formula
[Area],"Local", (VALUEOF[Area],"Global"))
This formula evaluates the Location field for the presence of the value New York.
If the value is present and selected, the value Local is selected in the calculated Values
Results List field.
If the value New York is not found, the calculated field is populated with the value
Global.
Formula for a calculated values list field
IF(CONTAINS(ANY, [Location], VALUEOF([Location], "New York")), "Local", "Global")

This formula examines the Location field for the presence of the value "New York." If the value is
present and selected, the value "Local" is selected in the calculated Values List field. If the value
"New York" is not found, the calculated field is populated with the value "Global."
If the values list values that you want to reference in a calculated field formula have associated
numeric values, you can reference those numeric values using the SELECTEDVALUENUMBER
function. For example, you have an Affected Departments field with the values "Accounting," "IT"
and "Sales," and those text values have been assigned the numeric values 10, 8 and 6, respectively.
Formula using the SELECTEDVALUENUMBER function
AVERAGE(SELECTEDVALUENUMBER([Affected Departments]))
If the values "Accounting" AND "IT" have been selected in the Affected Departments field, this
formula would populate the calculated field with the value "9."
Example: Average of numeric values in selected field
The following table describes an example scenario.
The Affected Departments field has the values Accounting, IT, and Sales and those
Scenario
text values are assigned the numeric values 10, 8, and 6, respectively.
Formula AVERAGE(SELECTEDVALUENUMBER([Affected Departments]))
If the values Accounting and IT are selected in the Affected Departments field, this
Results
formula populates the calculated field with the value 9.

If you are working with an application, a questionnaire, or a sub-form that contains multiple
calculated fields and the formula for one calculated field is dependent on the result of another
calculated field, you must specify the order in which you want to compute the calculated fields.
Note: When you add a new calculated field to an application, a questionnaire, or a sub-form, it
displays at the bottom of the list in the Field Calculation Order listing.




order you want.
4. Click Save.
Troubleshooting Tips for Calculations

When working with formulas, you may encounter error messages.
Common mistakes
Syntax errors cause many of the common mistakes. The formula syntax changed from version 4.x to
5.x.
The following table provides a list of common mistakes that occur when using the DATE, ROUND,
STRING, and VALUEOF functions.
Function Description
DATE Dates and times are converted to Coordinated Universal Time (UTC) in the RSA
Dates and times are converted to the locale of the user when the date or time is
displayed in a field. For example, the locale is Central Time and the date entered in
a Date field called Due Date is 8/3/2012 9:00 PM. The date and time stored in the
database is 8/4/2012 2:00 ARE. Any user viewing this record with this field sees the
user’s time zone, for example, EST 8/3/2012 10:00 PM.
When manipulating date and time and displaying them in a field type other than a
Date field, dates and times are displayed in UTC. For example, a calculated text
field with the formula DATEFORMAT([Due Date], “YYYY-MM-DD HH-MM
AM”) referencing the Due Date from the formula above returns 08-04-2012 2:00
AM.
A numeric calculated field with the formula DAY([Due Date]) returns 4.

Function Description
ROUND Rounds a number to a specified number of digits. When the number to the right of
the decimal point is 5 or greater, the number is rounded up to the nearest integer.
If the num_digits parameter is greater than 0 (zero), the number is rounded to the
specified number of decimal places. If the num_digits parameter is equal to 0, the
number is rounded to the nearest integer. If the num_digits parameter is less than 0,
the number is rounded to the left of the decimal point to the specified number of
decimal places.
For example, if the num_digits parameter is -1 and the number is 101.5, the number
is rounded to 100.
STRING When using string manipulations, consider the data that is stored in the field. For
example, a Text Area field named Description contains <strong>Hello</strong>, and
the formula is LEN([Description]). Although the user only sees Hello, the
calculation results are 22, which is the total number of characters in the string.
VALUEOF A common misconception of the VALUEOF is that it returns true or false if the
referenced value is selected in the referenced field. Often a formula is written as IF
(VALUEOF[Color], “Blue”, 1,0) and should be written as IF([Color] = VALUEOF
[Color], “Blue”, 1,0).
The only purpose of the VALUEOF function is to make a formula resilient to value
changes in a Values List. If the text of a value is changed in a custom or global
values list by an administrator, this function automatically updates the formula to use
the new text for the value.
For example, if the value "Blue" is referenced in a formula with the VALUEOF
function, and that value is subsequently changed to "Red" in the values list, the value
reference of "Blue" is automatically changed to "Red" in the formula.
Common error messages

The following are common scenarios that may cause formula calculations to fail:
Invalid value
The following table describes an invalid value scenario.
Formula DATEDIF([Open Date],[Due Date],HOUR)
Error Value is not a valid number: B2 Parameter name: serialDate
Cause One of the date fields does not have data.

Use the ISEMPTY function to check for empty dates and to avoid .calculating against
Resolution
an empty date.
Multiple values
The following table describes a multiple value scenario.
Formula DATEDIF([First Published],REF([Incidents],[Open Date]),HOUR)
A parameter "!2!A1:A2" expected to be a single value was multiple

Error
values. Parameter name: !2!A1:A2
DATEDIF expects only one value, and this record relates to multiple
Cause
incidents.
Use an interim function to generate one value for the second

Resolution
parameter, for example, MAX..
Divide by zero
The following table describes a divide by zero scenario.
Formula 1 + 10/[Value]
Error A calculation within the formula returned the non-numeric value infinity.
Cause The value is 0.
Resolution Use zero checks to avoid dividing by zero.
Reference outside logical expression

The following table describes a reference outside logical expression scen-
ario.
Formula IF(VALUEOF([Risk],”Medium”), “true”, “false”)
Error _invalid expression
Cause Using the VALUEOF function without an equality operation.
Write the formula as follows:

Resolution
IF([Risk]=VALUEOF([Risk],”Medium”),”true”,”false”)
Reference to more characters than exist

The following table describes a reference to more characters than exist scenario.
Formula SUBSTRING([Description],1,10)

Error Index and length must refer to a location within the string. Parameter name: length
Description field contains less than specified number of characters. In this case, the
Cause
Description field has less than 10 characters.
Use LEFT or RIGHT function instead or use these functions in combination with
Resolution
LEN to avoid reading passed the end of a string.
Deciphering error messages

The calculation engine stores data in cells or ranges much like an Excel spreadsheet. These
references are not visible to a user, making it more difficult to decipher error messages. The
calculation engine stores dates as numbers in cells.
For example, a formula that compares two dates might look like:
Using the formula as an example, the Open Date might be stored in B2 and the Due Date stored in
B3.
An error message for this formula might look like:
In this example, B3 is the parameter cell for Due Date and DATEDIF is expecting a valid serial
date.
Dependencies resolution
One of the most powerful facets of working with calculations is the ability to reference one or more
calculated fields in another calculated field formula.
For example, a final score value might be computed by summing the values of several calculated
section score fields.

In this example, there are inherent calculation dependencies. Each of the section score values must
be computed before the final score can be computed. You can specify the order in which
calculations are performing. After the field calculation order is established for an application, field
dependencies simply manage themselves.
Circular references
Circular references are sometimes difficult to detect. Circular references are caused by formulas
that form either a direct or indirect loop.
l A direct loop is formed when a series of field references form a closed circuit.
l An indirect loop can sometimes result when a series of field references includes a reference to a
field that is set to Always recalculate.
RSA Archer does not allow formulas that might result in circular references. Whenever a possible
circular reference condition exists, a validation message is displayed.
Validation messages help reconcile circular references. The validation message includes the field
name and module name of both the field and the field to which it references.
The following table describes examples of validation messages.
Calc Depend
Field Module Level
Always All
{fieldref01} {modulename01} {levelname01} No No
The Calc Always column contains the value of the Always Recalculate flag set at the calculated
field. The Depend All column contains the value set by RSA Archer for a questionnaire that has
questions dependent on any calculated field.
To see the circular reference details, validate the calculation in the formula builder.
The following table describes a possible validation message for a condition
that occurs where using the fields from two different applications that ref-
erence each other.
Calc Depend
Field Module Level
Always All
{Rating} {Risk Management} {levelname01} No No
{Controls} {Policy Management} {levelname02} No No
{Rating} {Risk Management} {levelname01} No No

Example: Always recalculate
When the Always flag is set on a calculated field, the field recalculates every time a record is
saved. The formula indirectly results in a circular calculation that cannot be resolved. A validation
error is reported when this condition exists.
Note: Clicking Apply will not cause contents to recalculate.
The following figure shows an indirect loop caused by a circular reference. This condition results in
a circular reference because Rating is indirectly dependent on Criticality. Because Rating is set to
Recalculate Always, it calculates every time that Criticality calculates.
Attempt to save Formula 3. A circular reference is detected, and a validation message is displayed
that may read like the following:
"Circular Calculation Detected: The following displays the path of the circle:"
The following table describes a circular calculation.
Calc Depend
Field Module Level
Always All
{Criticality} {Risk Management} {levelname01} Yes No
{Rating} {Risk Management} {levelname01} Yes No
{Criticality} {Risk Management} {levelname01} Yes No

Example: Circular reference with multiple formulas
A circular reference containing three formulas in three different applications where each formula
references a field in a cross-referenced application.
Example
The following table provides example formulas.
(Field 1 in Application A references Field 2 in Application B)
Formula 1:
Field 1 recalculates on every save
Formula 2: (Field 2 in Application B references Field 3 in Application C)
Formula 3: (Field 3 in Application C references Field 1 in Application A)
In this example, the circular reference is created by Field 3 referencing Field 1.

Attempt to save Formula 1. A circular reference is detected, and a validation message is displayed
that may read like the following:
"Circular Calculation Detected: The following displays the path of the circle:"
The following table describes a circular calculation.
Calc Depend
Field Module Level
Always All
{Rating} {Vendor Management} {levelname01} No No
{Criticality} {Risk Management} {levelname01} No No
{Rating} {Vendor Management} {levelname01} No No

Example: Direct-Loop circular reference
Cross-Reference Field
The Cross-Reference field type enables you to create associations between records in the same
application (internal references) or records in one or more different applications (external
references).
l When you create a cross-reference field that forms an external relationship with another
application, a related-records field is automatically added to the related application. The related-
record field provides a mirror image of the cross-reference field. In an individual record of the
related application, you can see all records that are cross-referenced to that record.
l When you create an association between records in the same application, a related-record field is
automatically created in the application.
l When you create a cross-reference field that references a leveled application, you have the option
to reference one level or all levels of that application. If you select one level, the Display Fields,
Filters, and Sorting controls contain only the fields from the selected level.
l When users select record references through a cross-reference field, a Record Lookup page is
displayed that enables them to select records from a list or to search for specific records in the
related application by a keyword search. You can also create dynamic filters so that users only
see records that are relevant to them in a record look-up.
Example: Associating records

l If you have a cross-reference field configured to create internal references in a Trouble Tickets
application, you can associate one ticket to other related tickets.

l If you have a cross-reference field in a Violations application that is configured to create external
references to an Investigators application, you can select investigators for individual violation
records by selecting those investigators through the cross-reference field.
Example: Related record relationship to cross-referenced fields

When you have a cross-reference field in a Violations application that is related to an Investigators
application, users can select investigators for individual violation records through the cross reference
field. When users access a record in the Investigators application, they can view all violation
records that have been cross-referenced to that particular investigator in the related-records field.
Validation rules for cross-reference and related records fields

When validating the new rules for the related record, RSA Archer only validates records that were
added to or removed from the reference field of the original relationship. For example, a user in
Application A creates a cross-reference field, and then removes related record B1 in Application B.
The only record that is validated is B1, because it changed.
The following table describes validation rules.
Rule Description
Minimum Validates the removed or added relationships do not violate the Minimum
Selections (rule Selections rule for the related record when both of the following apply:
for a reference l The user attempts to save a record with a reference field change.
related field)
l A Minimum Selections rule is enabled for the reference field in the related
application.
The following table provides an example.

Scenario Results
A user creates a Cross-Reference When the user attempts to save
field in Application A. Record A1, a message is displayed,
The user sets the value in the indicating that the Minimum
Minimum Selections field to 2 for the Selections rule for B1 is violated. The
associated Related Record in violation occurs because the removal
Application B. of Record A1 causes the number of
records to fall below the Minimum
Record B1 has two references and is Selections value of 2.
related to Record A1 and Record A2.
The user edits Record A1 and
attempts to remove Record B1 from
the Cross-Reference field.

Rule Description
Maximum Validates that the removed or added relationships do not violate the Maximum
Selections (rule Selections rule for the related record when both of the following apply:
for a reference l The user attempts to save a record with a reference field change.
related field)
l A Maximum Selections rule is enabled for the reference field in the related
application.
Example
l Scenario. A user creates a Cross-Reference field in Application A.

The user sets the value in the Maximum Selections field to 2 for the
associated Related Record field in Application B. Record B1 has two
references and is related to Record A1 and Record A2.
The user edits a third record, A3, and adds Record B1 to the Cross-Reference
field.
l Results. When the user attempts to save Record A3, a message is displayed,
indicating that the Maximum Selections rule for B1 is violated. The violation
occurs because adding Record A3 causes the number of records to exceed the
Maximum Selections value of 2.

Rule Description
Required (rule This rule validates that the removed relationships do not violate the Required
for a reference- rule for the related record when both of the following apply:
related field) l The user attempts to save a record with a reference field change.
l A Required rule is enabled for the reference field in the related application.
Example
Scenario
A user creates Application A with a cross-reference.
The user sets the associated Related Record field in Application B to Required.
Record B1 is related to Record A1.
The user edits Record A1 and removes Record B1 from the cross-reference.
Results
When the user attempts to save Record A1, a message is displayed, indicating
that the Required rule for Record B1 is violated. The violation occurs because
the removal of Record A1 causes the field (which is required) to have no data.
Adding Cross-Reference Fields

Use cross-reference fields to create associations between records in the same application (internal
references) or records in one or more different applications (external references).
1. Go to the Fields tab of the application to which you want to add a cross-reference field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Cross Reference from

l To add a field from an existing field, click Copy an existing Field and select the cross-
4. Click OK.


Display
Description
Control

Column
8. In the Options section, select the applicable options:
Options

Option Action
application.

Option Action
Bulk
Update
Enable Enables this field to be available for creation from Advanced Search Results.
Bulk
Create

Inline Edit
Editable
Grid
Display

Option Action
for editing.
Remove

Record Lookup Configuration options

Options Description
Display Specifies the fields of data from the relationship application that is displayed on the
Fields Record Lookup page for users when they select related records in the Cross-
Reference field.
of fields in the Selected list will be the left-to-right order of fields in the Record
Lookup page.
Note: If the relationship application is a leveled application, and you select fields
Filters Determines the filtering criteria for selecting records for display on the Record
Lookup page.
Sorting Specifies the fields by which cross-referenced records are sorted in the Record
Lookup page.
For example, in an "Investigators" Cross-Reference field, you can sort the display
of referenced records alphabetically by investigator name.
Display Determines how the cross-referenced records are displayed on the Record Lookup
Format page:
l Column-Hierarchical. Presents the records in a columnar layout where fields are
displayed across the page from left to right, and the field values are presented
l Column-Flat. Presents the records in a simple columnar layout without any
grouping of values.
10. In the Grid Display Properties section, select the fields you want to display in the record look-up
for the cross-reference field.

Grid Display options

Options Description
Record Indicates the related record displays using the Record Lookup configuration.
Lookup
Note: This option is not available for calculated cross-reference or related record
fields.
Display Indicates which related record fields to display, instead of Record Lookup
Fields configuration. This is available if Record Lookup is unchecked.
Note: Fields with the Enable Inline Edit option enabled appear here. If your field is
not available, go to the record in question and update the options on that field.
Sorting Specifies the default sorting order of related record fields to be displayed. This is
available if Record Lookup is unchecked.
11. In the Configuration section, specify the range of selections a user can make.

Option Description
Field For Single Column option: Specifies the height of the field in a single-column
Height display. This setting impacts the display of the field only when users add or edit
records in the application. For example, if you set the field height to three lines,
and a user makes four selections in the field, a scroll bar is displayed.
control.
control.


Dynamic Filters for Cross-Reference Fields

Dynamic filters limit what users see while working with records. These filters are created by an
RSA Archer administrator to enable users to find records with cross-referenced content. A dynamic
filter can be one or more fields in the current application and a cross-referenced application.
l Dynamic filters combine single-select and advanced operator logic to pinpoint the exact record
that the user sees in a Record Lookup.
l Dynamic filters can be applied using inline edit fields.
l Dynamic filters in inline edit fields are built off of values committed in the database.
Dynamic filter requirements

l Users must have permission to all related applications and fields.
l Both applications must have the same field type that will be used in the dynamic filter.
l A Cross-Reference field must exist in one of the applications.
l A Values List field used as the compare filter must be a global values list and exist in all
applicable applications.
Example: Dynamically filtered records

The following table provides an example.
A user for Vendor Management wants to update a record for any high priority incidents
Scenario:
that were documented for an engagement during the month of August.
The administrator must first create the dynamic filter in the Cross-Reference Field of
one of the applications.
Action 1: All applications must contain the same field types that will be used for dynamic
filtering. If the dynamic filter is a values list, the Values List field must be a global
values list that is referenced in both applications.
Action 2: The user runs a record look up in the Vendor Management solution.
Only the relevant records that are dynamically filtered are shown in the record lookup
Results
results for that user.

High-level view of the configuration of a dynamic filter

A dynamic filter shows related records from a cross-referenced application with particular values
from a Global Values List. The Values List field used as the compare filter must be a Global Values
List and exist in both Application A and B.
When a user works with cross-reference or related records in a module that has a dynamic filter,
users see only the records relevant to them.
The platform administrator creates a dynamic filter on a Cross-Reference field in Application A.
A user runs a search in record lookup in Application A.

Search results of the record lookup show only the records with High and Crticial values in
Application B.

Rules for creating dynamic filters

When creating dynamic filters for cross-referenced applications, the following table describes the
conditions that must apply.
Supported
Supported Operator Types Special Conditions
Field Type
Basic Date l Field Value Match Must not include time.

l Field Value Does Not Match
l Field Value Greater Than
l Field Value Less Than
IP Address l Field Value Match Must both be IPv4 or

l Field Value Does Not Match IPv6. Both
IP addresses must be
the same type.
Numeric l Field Value Match

Text l Field Value Match Do not use with Text

l Field Value Does Not Match Area fields.
User/Groups l Field Value Match

List l Field Value Does Not Match
l Field Value Contains
l Field Value Does Not Contain
Values List l Field Value Match Must reference the

l Field Value Does Not Match same global values
list.
Field Value Contains
l Field Value Does Not Contain Depth and Field Value
l Field Value Contains Depth x Does Not Contain
Depth are available
l Field Value Does Not Contains Depth x
for hierarchical values
lists only.

Supported
Supported Operator Types Special Conditions
Field Type
Advanced Cross- l Field Value Match Must reference a

Reference l Field Value Does Not Match common level in the
same application.
Related l Field Value Match Must reference a

Records l Field Value Does Not Match common level in the
same module.
Matrix l Field Value Match Must reference same

l Field Value Does Not Match column values list and
same row values list.
Not supported for
l Field Value Does Not Contain calculated cross-
reference fields.
Record l Field Value Match

Permissions l Field Value Does Not Match
Creating Dynamic Filters for Cross-Reference Fields

Create dynamic filters to show only the records to which a user has permissions. For example, you
can limit the number of items from which a user can choose, by showing the user only the items that
are applicable to that user.
1. Go to the Options tab of the cross-reference field you want to add the dynamic filter.

c. Select an application or questionnaire.
d. Click the Fields tab, and select the cross-reference field.

3. In the Record Lookup Configuration section, enter the filtering criteria for the dynamic filter.
Option Description

Evaluate

Operator
Logic
4. (Optional) Do one or more of the following:

l To add another filter, repeat step 3.
l To add another line, click Add New and repeat step 3.
l To add Advanced Operator Logic, enter the expression in the space provided.
5. Click Save.
Advanced Operator Logic
When creating filters, you can use custom operator logic to form relationships between the individual
filters. By default, multiple conditions are related with the AND operator, as are multiple actions.
However, by creating custom operator logic, you can also use the OR and NOT operators, as well
as parenthetical groupings.
Note: The OR operator is supported only when you are filtering fields within a single level of a
leveled application or in a flat application. If you are filtering fields across different levels and
applications, you must use only the AND operator. Ultimately, the results of a search across
multiple levels and applications depend on the filters you apply and the relationships the search
process builds between the filtered fields.
Operator logic statements are evaluated left to right with parenthetical groupings evaluated first. By
using advanced operator logic with your filters, you can eliminate extraneous data that may be
imported with your data feed or included in your search results.

You enter the custom operator logic in the Advanced operator logic field.
Important: Custom operator logic must validate before you can save or apply changes to your data
filter. If your custom operator logic does not validate, you are prompted with an "Invalid Operator
Logic" error message.
Example: Single operator expression

You are importing assets from an external source into the Assets application. You want to import
assets from your external file only if they are labeled as being in a production environment or if they
are customer impacting.
To set up this process, you define data filters to evaluate both the System Environment and Security
Class elements in your external data file for the values you want. Without using operator logic, your
conditions are related with the AND operator, and the data feed imports items that are both in a
production environment AND have a high security class. By using operator logic with the OR
operator, you achieve the result you want: Assets that are in a production environment OR have a
high security class are imported into the Assets application.
Example: Multiple operators with nested parenthetical expressions

You also can use nested parenthetical expressions in your operator logic. Nested parenthetical
expressions allow you to combine the results of two separate logical conditions, thereby creating an
additional logical condition, as shown in the following example.

Based on the above criteria, the following table details the result of the operator logic.
(1) System (2) Security (3) (4) Operating (5) Server
Result
Environment Class Manufacturer System Room
Production Medium IBM RHEL 4.0 Denver Imported

Facility
Testing High Dell Windows Server Denver Imported

2003 Facility
Testing High Dell Windows Server Chicago Not

2003 Facility Imported
Production Medium Dell CentOS Denver Not

Facility Imported
The Data Feed Manager evaluates the nested parenthetical expressions first. In the last example in
the previous table, since neither 3 or 4 evaluate to "TRUE" in the nested parenthetical expression,
the primary parenthetical expression evaluates to "FALSE," and thus the entire logical condition
fails and the data is not imported, even though all of the other conditions are met.
Example: Multiple operators with a parenthetical expression

You can use additional operators by incorporating parentheses in your operator logic, as shown in the
following example.
Based on the above criteria, the following table details the result of the oper-
ator logic.
(1) System
(2) Security Class (3) Manufacturer Result
Environment
Production Medium IBM Imported
Testing High IBM Imported
Production High Dell Not Imported
Testing Medium IBM Not Imported

The system evaluates the parenthetical expression first. In the last example in the previous table,
since neither 1 or 2 evaluate to "TRUE," the entire condition fails even if 3 evaluates to "TRUE".
Related Records Field

When you create a cross-reference field that forms an external relationship with another application,
a related records field is automatically added to the related application. Likewise, if you create a
cross-reference field that forms an internal application relationship, a related records field is
automatically created in the application that has the cross-reference field. To update a related record
associated with a calculated cross-reference field, you must update the cross-referenced record and
perform a recalculation.
The related records field is a mirror image of the cross-reference field, meaning that it allows you to
see all of the records that have been cross-referenced to a particular record.
For example, you have a cross-reference field in a Trouble Tickets application that references
records in a Technicians application. In the Trouble Tickets record, users can assign one or more
technicians through the Technicians cross-reference field. Users can then open any technicians
record, and through the related records field, see each trouble ticket record assigned to a technician.
Note: If you create a cross-reference field that forms an external relationship with a leveled
application, you have the option to reference a specific level or to reference all levels. If you
reference a specific level, a related records field is created at the data level specified. If you
reference all levels, a related records field is created at each data level in the related application. In
the case that more data levels are subsequently created in the leveled application, a related records
field is added to each new level.
You cannot add a related records field in an application, questionnaire, or sub-form. Instead, it is
automatically added when the application, questionnaire, or sub-form is selected for reference
through a cross-reference field. When a related records field is added, it is listed in the Available
Fields list on the Layout tab. As an application owner, you must move the related records field into
the application layout before it is displayed to end users. You can also rename the field and select
fields from the related application, questionnaire, or sub-form whose values you want to display in
the related records field.
Note: If a related records field is configured to display in the layout and a user does not have access
to records in the related application, questionnaire, or sub-form, the related records field is not
displayed for that user.
Users that have create permissions in the related application can add new records in that application
from the related records field. The cross-reference field value in the newly created record defaults
to the record where the user added it. Using the previous example, a user creates a new trouble
tickets record from the "Gloria Young" technicians record. The "Gloria Young" record is selected by
default in the Technicians cross-reference field in the new trouble tickets record.

If the Lookup feature is enabled for a related records field, users who have read permissions in the
related application can select records from a list or to keyword search for specific records in the
related application by clicking Lookup. As an application owner, you can configure the fields that
are displayed for users in the Record Lookup page, and you can create filter criteria to limit the
number of records users can select from. You can also define the minimum and maximum number of
related records a user can select.
Cross-Reference Mismatches
A common mistake when manually recreating cross-reference fields in multiple instances is to
accidentally switch the location of the cross-reference and related records fields. For example, the
following figure shows a cross-reference field that was created in application A and a related record
field in application B in the source (development) instance. In the target (test) instance, the cross-
reference field was inadvertently created in application B and the related record field in application
A.
If you create a package in the source instance and install it in the target instance, the package
installation creates new cross-reference and related record fields in the target instance. The existing
cross-reference and related records fields are not modified or deleted. The following figure shows
duplicate fields created because the original fields were switched in the target instance.
To prevent this situation, before creating and installing the package, manually update the source
instance (recommended) or the target instance so that both instances match.

Record Permissions Field

Record permissions enable you to grant user access to an application to many users through their
access roles when it is not appropriate for those users to have access to every record in the
application.
Use a record permissions field to control user access at the record level. For example, you have a
Vendor Profiles application. You can give all vendor relationship managers access at the application
level, and then use a record permissions field to ensure that vendor relationship managers can only
see records of the vendors with which they work.
This field type provides permissioning models for granting record-level access to users and groups.
Manual permissions model

Permits your users to grant record-level permissions by selecting users and groups in the field. The
application owner must select at least one user or group from which users can select. You can also
define rules that control the level of permissions the selected users and groups receive based on
record content.
For each user or group that you define as an available selection in the record permissions field, you
can select the level of record access that should be granted to that user or group.
By default, all users and groups selected in a record permissions field have read access to their
assigned records. However, you can also grant update and delete privileges. You can also define
rules that control the level of permissions the selected users and groups receive based on record
content.
Important: When converting from a user/group list field to a record permissions field, users are not
automatically granted access to the record. You must remove the users and groups from the
promoted field, and then add them again to activate record permissions for the newly promoted field.
Inherited permissions model

Inherits record permissions from related levels or applications and displays as a read-only field to
your users. The value of the field is automatically populated by one or more record permissions
fields that you define. When you select this option, you must select at least one Record Permissions
field in a related application or data level from which to inherit permissions.
If you have existing records in the application that you are managing, a process is triggered to set
permissions for those records. If you delete a parent-level record with child-level records that inherit
permissions from that parent, the permissions in the child-level records are deleted.
Inheriting permission rules
Inherited permissions method allows your users to set permissions in one record and have those

permissions automatically apply to related records.

l Unrestricted: Inherits record permissions from all related records. If you set the permissions in a
record, those permissions automatically apply to all related records.
l Restricted: Inherits record permissions from selected related records. If you set the permissions in
a record, those permissions automatically apply to the specified related records.
Recalculation conditions for inherited record permission field values
l A record permissions field configuration is changed, and that field is referenced by the inherited
record permissions field.
The recalculation occurs only if the available users or groups are changed for a manual selection
record permissions field or if the rules are changed for an automatic selection record permissions
field.
l A record permissions field is deleted, and that record permissions field is referenced by the
inherited record permissions field.
l A record permissions field is changed to restricted or unrestricted, and the permissions are edited
in the Field Population section.
Important: Inherited record permissions fields are not tracked in a history log field. If a history log
field is configured to track the record permissions field before it was changed to use inherited
permissions, the record permissions field is removed from the history log configuration, and all data
for the field is deleted. Further changes to the record permissions field values are not tracked in the
history log.
After you select the Inherited Permissions model for a record permissions field, you cannot change
the permission method.
Automatic permissions model

Assign record-level access automatically based on one or more rules and appears as a read-only
field to your users.
l When configuring a field using this method, define one or more rules for assigning record access
based on data conditions within a record.
l When creating a rule for assigning record-level access, create one or more conditions for rule
fulfillment. A condition consists of a field to evaluate and one or more values to watch for in that
field.

After defining one or more conditions for rule fulfillment, select the users and groups who have
access to records in which the specified conditions are met. When selecting users and groups, you
can also specify whether those users and groups have read-only access to their assigned records or
whether they have update and delete access.
When using the rule-driven selection method, you must also select one or more default users or
groups who have access to records in which none of the rules are met. You can also specify whether
those users and groups have read-only access to their assigned records or whether they have update
and delete access.
Permissions are recalculated for individual records each time a value changes that causes a new rule
to prove true. In addition, record permissions are recalculated for the entire application if any one of
the following occurs:
l A new automatic selection record permissions field is created or activated in an application.
l A permissions rule is added, deleted, or updated in an active record permissions field.
l An inactive automatic selection record permissions field is activated.
l A record permissions field that is configured with the manual selection method is reconfigured to
use the automatic selection method.
Record permissions can affect the behaviors of other elements used in applications, questionnaires,
or sub-forms.
Rules for using record permissions with other elements

The following table describes rules for using record permissions with other elements.
Element Rules
Calculations Record permissions fields are not recalculated in archived applications or

questionnaires.
In a forced recalculation of a record permissions field, users must have update
permissions to perform the recalculation.

Element Rules
Conditional For record permissions fields that are selected for inclusion or exclusion in an
Layout ACL action, only the data committed in the database determines whether a user
Actions is included or excluded from the ACL action.
Only the data committed in the database determines whether an ACL action is
applied to the specified user.
Any user that is selected in a record permissions field is excluded if the field is
excluded.
An Apply Conditional Layout (ACL) action does not give users added field
permissions, but it can restrict them.
l If a field is set to display and the user does not have read permissions to the
field, the field is still hidden from the user.
l If a user has full permissions to a field that is set to read only in an ACL
action, the user cannot modify the field.
l If a field is not displayed because of an ACL action, a user with field
permissions can still search the field and functions. For example, a data feed
and Web API can still reference the field.
Data Feed Record permissions are evaluated and may limit the source data retrieved from
the application.
Data Imports Record Permissions fields must be configured with the manual permissions
model.
When an empty value is imported into a Record Permissions field, the field is
empty in the new or updated record regardless of whether the field is configured
with one or more default values.
When no value is selected in the Record Permissions field, only users who are a
system administrator or application owner can access the record.

Element Rules
Notifications Record Permissions fields cannot be included in the subject line of the
notification.
For Scheduled Report Distributions, the content of an attached report is based on
the record permissions of the user who creates the report. A dynamic recipient
list is based on the values of a record permissions or an email address stored in a
field. Recipients can only view records for which they have record permissions.
Only a record being saved executes Generate Notification actions in a data-
driven event. This action executes at the end of the record save process and is the
only action that executes after calculated fields and record permission fields are
computed.
Packaging User/Groups field population may be added to Record Permissions fields, but the
packaging installation does not remove the existing ones.
If a User/Groups field in the target instance is configured as a Record
Permissions field in the package, the package installation changes the field to the
Record Permissions type.
When installing a package that contains Record Permissions fields, verify that
users and groups already exist in the target instance. If they do not, these fields
may not install properly. If necessary, create the users and groups in the target
instance before installing the package.
Questionnaires Record permissions fields are not recalculated in an archived questionnaire.

and A target application must have a User/Groups list or Record Permission field
Campaigns before you can assign a submitter or reviewer for each questionnaire record
triggered by a campaign.
By default, questionnaires include two User/Groups List fields: Submitter and
Reviewer. These fields facilitate a two-stage workflow process. You can define
the users and groups available for selection in these fields, and you can promote
the fields to Record Permissions fields if you want to use them to control access
to questionnaire records. In addition, you can add User/Groups List or Record
Permissions fields to expand the content review process according to your risk
management methodologies.
Search and User/Groups list and Record Permissions fields, which normally display as a link
Reporting to the profile page when populated, do not display as links when Inline Edit is
enabled,.
If an application contains a Record Permissions field, users can only access the
fields to which they have permissions in the application.

Element Rules
Workflows Record permissions apply for records in the workflow process. All users with
proper access privileges can view a record in the workflow process. Only users
that have been assigned a record in the workflow process can accept or reject it.
Example: Record permissions assigned by data conditions

The following table describes scenarios of record permissions assigned by data conditions.
Example Assigning record permission automatically by a data condition
Scenario You define a rule in a Document Repository application that assigns full record-level
1: access to the Documentation group when the Document Status is Draft.
Results: The appropriate record-level access is granted for all records in the Document
Repository application when the Document Status is Draft.
Scenario You define another rule that assigns read-only record access to the Everyone group
2: when Document Status is Final.
Results: The appropriate record-level access is granted for all records in the Document
Repository application when the Document Status is either Draft or Final.
Example: CRUD permissions through field status

The following table describes scenarios of CRUD permissions through field status.
Example Field status determines CRUD permissions
Scenario The status of a field is In Progress.

1:
Results: Users and groups selected in the Record Permissions field have read and update rights
to the record.
Scenario The status of the same field is Completed.

2:
Results: Users have only read rights.

Example: Inherited permissions for cross-reference applications

The following table describes a scenario of inherited permissions for cross-reference applications.
Example Using inherited permissions for cross-reference applications
Scenario: You have a Vendor Profiles application that cross-references your Contracts and
Assessments applications. Vendor relationship managers need access to records in all
three applications for the vendors they work with.
Solution: To simplify the process of granting record permissions for these applications, you can:
1. Create a record permissions field that allows manual selection in the parent
Vendor Profiles application.
2. Create record permissions fields in the child Contracts and Assessments
applications that inherit permissions from the related vendor profile.
Results: When a user gains access to the ABC Company vendor profile, that user
automatically gains access to the contracts and assessments related to ABC Company.
Example: User restriction to a specific group

The following table describes a scenario of user restriction to a specific group.
Example User in a specific group with permission only in that group
Scenario: You select the Sales, Marketing, and Management groups as available selections in
the field.
Results: If a user adds a record in the application and that user is a member of only the
Marketing group, the Marketing group is the only group available to that user for
selection in the record permissions field.
Adding Record Permissions Fields

Use a record permissions field to control user access at the record level.
You can add a record permissions field to an application or questionnaire.
1. Go to the Fields tab to which you want to add the record permissions field.


2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Record Permission from
l To add a field from an existing field, click Copy an existing Field and select the record
permission field you want to copy.
4. Click OK.
7. In the Display Control section, select the control for displaying the record permissions field.
Display
Description
Control
Buttons
Boxes
8. In the Options section, select the behavior and validation rules for the record permissions field.


Option Action
application.
Bulk
Update

Inline Edit
9. In the Configuration section, set the minimum and maximum selection values.


Option Description
control.
control.

Configuring Automatic Permissions for a Record Permissions

Field
Assign record-level access automatically based on one or more rules and appears as a read-only
field to your users.
l When configuring a field using this method, define one or more rules for assigning record access
based on data conditions within a record.
l When creating a rule for assigning record-level access, create one or more conditions for rule
fulfillment. A condition consists of a field to evaluate and one or more values to watch for in that
field.
After defining one or more conditions for rule fulfillment, select the users and groups who have
access to records in which the specified conditions are met. When selecting users and groups, you
can also specify whether those users and groups have read-only access to their assigned records or
whether they have update and delete access.
When using the rule-driven selection method, you must also select one or more default users or
groups who have access to records in which none of the rules are met. You can also specify whether
those users and groups have read-only access to their assigned records or whether they have update
and delete access.

Permissions are recalculated for individual records each time a value changes that causes a new rule
to prove true. In addition, record permissions are recalculated for the entire application if any one of
the following occurs:
l A new automatic selection record permissions field is created or activated in an application.
l A permissions rule is added, deleted, or updated in an active record permissions field.
l An inactive automatic selection record permissions field is activated.
l A record permissions field that is configured with the manual selection method is reconfigured to
use the automatic selection method.
Selection rules for automatic permissions

Automatic selection rules of the record permissions field applies to the Manual or Automatic
permission models. A selection rule consists of one or more data conditions to watch for within
application records and specific permissions the users or groups selected in the record permissions
field should have if the specified conditions are met.
You can create multiple rules for dynamically modifying rights based on record content. When you
configure multiple rules, the user is granted the highest rights allowed by the rules.
For example, you have one rule that gives the selected user read-only rights and another rule that
gives the selected user read and update rights. If both rules prove true, the user has read and update
rights.
If you add multiple rules, the user is granted the highest rights allowed by the rules. Make sure that
at least one user has rights to a record by adding a default user or group. When none of the rule
conditions are true, rights are granted to the default user or group.
assigned records. Click the applicable checkbox for update, delete, or both.
You must also select a default user or group that is used when users add new records. The default
section can be the record creator or for any selected group or user.
When working with groups, you can include the sub-groups of a selected group in the list of
available values for the record permissions field. To include a sub-group, select Cascade for the
group in the Users/Groups list.
Note: When you select the Cascade option for a group that contains sub-groups, those sub-groups
are available for selection in the Record Permissions field. When a user interacts with the record
permissions field while adding or editing a record, the user can select the parent-level group,
individual, or both sub-groups nested under the parent group. If a user selects only the parent group,
record access is not granted to members of sub-groups. Only individual users who are members of
the selected parent group have access to the record.

Task 1: Select the permissions model
1. Go to the Permissions section of the record permissions field.

c. Select the application that contains the record permissions field.
d. Click the Fields tab and select the record permissions field.
e. Click the Options tab.
2. In the Permission Model field, click Automatic.

3. Click Apply.
Task 2: Add selection rules for changing the access level of the record permissions
field
1. In the Rules section, click Add New.
2. In the Rule Information section, enter a rule name and a description.
3. In the Conditions field, do the following to create one or more rules:
a. In the Field To Evaluation box, select the field to evaluate for one or more specific values.
b. In the Operator box, select the filter operator.
c. In the Value(s) box, select the values for the condition
4. In the Field Population section, click Lookup.
5. Do one or both of the following to select the users and groups:
l To add a group, expand the Groups node and click the Group or Groups that you want to add.
l To add users, expand the Users node, and click the users that you want to add.
Note: To search for a specific role, enter the role name in the Find field and, if applicable,
select the type from the adjacent list. Click . The results of your search appear in the
Available list in the Search Results node.
6. Select the privileges for each user and group.

7. From the Users/Groups list, select Default to define a user or group as the default selection for
the field.
8. (Optional) Click Cascade to include the sub-groups of a selected group.
9. Click Apply.

Task 3: Add default users and groups to the record permissions field
Complete this task to assign one or more users and groups who are granted record permissions by
default if none of the rules that you specified are met.
1. In the Default Users/Groups section, click Lookup.
To search for a specific role, enter the role name in the Find field and, if applicable, select the
type from the adjacent list. Click . The results of your search are displayed in the Available
list in the Search Results node.
3. Click OK.
4. Select the permissions you want to assign to the user or group.
Configuring Inherited Permissions for a Record Permissions

Field
Inherits record permissions from related levels or applications and displays as a read-only field to
your users. The value of the field is automatically populated by one or more record permissions
fields that you define. When you select this option, you must select at least one Record Permissions
field in a related application or data level from which to inherit permissions.
If you have existing records in the application that you are managing, a process is triggered to set
permissions for those records. If you delete a parent-level record with child-level records that inherit
permissions from that parent, the permissions in the child-level records are deleted.
Inheriting permission rules
Inherited permissions method allows your users to set permissions in one record and have those
permissions automatically apply to related records.
l Unrestricted: Inherits record permissions from all related records. If you set the permissions in a
record, those permissions automatically apply to all related records.
l Restricted: Inherits record permissions from selected related records. If you set the permissions in
a record, those permissions automatically apply to the specified related records.

Recalculation conditions for inherited record permission field values
l A record permissions field configuration is changed, and that field is referenced by the inherited
record permissions field.
The recalculation occurs only if the available users or groups are changed for a manual selection
record permissions field or if the rules are changed for an automatic selection record permissions
field.
l A record permissions field is deleted, and that record permissions field is referenced by the
inherited record permissions field.
l A record permissions field is changed to restricted or unrestricted, and the permissions are edited
in the Field Population section.
Important: Inherited record permissions fields are not tracked in a history log field. If a history log
field is configured to track the record permissions field before it was changed to use inherited
permissions, the record permissions field is removed from the history log configuration, and all data
for the field is deleted. Further changes to the record permissions field values are not tracked in the
history log.
After you select the Inherited Permissions model for a record permissions field, you cannot change
the permission method.

2. In the Permission Model field, click Inherited.

3. Click Apply.
Task 2: Define rules for inheriting permissions from a related record

1. Select one of the following:
l Click Unrestricted to inherit permissions from all related records.
l Click Restricted to inherit permissions from selected related records.

2. In the Field Population section, select one or more Record Permissions fields to display in the
Selected list from the Available list.
3. Click Save.
Configuring Manual Permissions for a Record Permissions Field

Permits your users to grant record-level permissions by selecting users and groups in the field. The
application owner must select at least one user or group from which users can select. You can also
define rules that control the level of permissions the selected users and groups receive based on
record content.
For each user or group that you define as an available selection in the record permissions field, you
can select the level of record access that should be granted to that user or group.
assigned records. However, you can also grant update and delete privileges. You can also define
rules that control the level of permissions the selected users and groups receive based on record
content.
Automatic selection rules for manual permissions

Automatic selection rules of the record permissions field applies to the Manual or Automatic
permission models. A selection rule consists of one or more data conditions to watch for within
application records and specific permissions the users or groups selected in the record permissions
field should have if the specified conditions are met.
You can create multiple rules for dynamically modifying rights based on record content. When you
configure multiple rules, the user is granted the highest rights allowed by the rules.
For example, you have one rule that gives the selected user read-only rights and another rule that
gives the selected user read and update rights. If both rules prove true, the user has read and update
rights.
If you add multiple rules, the user is granted the highest rights allowed by the rules. Make sure that
at least one user has rights to a record by adding a default user or group. When none of the rule
conditions are true, rights are granted to the default user or group.
assigned records. Click the applicable checkbox for update, delete, or both.
You must also select a default user or group that is used when users add new records. The default
section can be the record creator or for any selected group or user.

When working with groups, you can include the sub-groups of a selected group in the list of
available values for the record permissions field. To include a sub-group, select Cascade for the
group in the Users/Groups list.
Note: When you select the Cascade option for a group that contains sub-groups, those sub-groups
are available for selection in the Record Permissions field. When a user interacts with the record
permissions field while adding or editing a record, the user can select the parent-level group,
individual, or both sub-groups nested under the parent group. If a user selects only the parent group,
record access is not granted to members of sub-groups. Only individual users who are members of
the selected parent group have access to the record.

2. In the Permission Model field, click Manual.

3. Click Apply.
Task 2: Select users and groups and display rules

2. From the Available list, select the users and groups that you want to be available for selection in
the record permissions field and click OK.
3. In the Users/Groups field, click the applicable level of access that you want each user and group
to have to a record if they are selected in the record permissions field.
4. Select the applicable option to exclude or restrict users and groups and click Apply.
5. Click Apply again.
6. In the Permissions section, click Manual as the permission model.
Task 3: Add selection rules for changing the access level of the record permissions
field
1. In the Rules section, click Add New.

2. In the Rule Information section, enter a rule name and a description.

3. In the Conditions field, do the following to create one or more rules:
a. In the Field To Evaluation box, select the field to evaluate for one or more specific values.
b. In the Operator box, select the filter operator.
c. In the Value(s) box, select the values for the condition
6. Select the privileges for each user and group.

7. From the Users/Groups list, select Default to define a user or group as the default selection for
the field.
8. (Optional) Click Cascade to include the sub-groups of a selected group.
9. Click Apply.
Updating Permissions
A modification to the rights granted by a manual record permissions field does not automatically
apply to existing records, only to new records added after the change. In order to apply the change to
existing records, you must update the field and save the records. The following procedure updates
the field for all records.
1. To update your existing records, run an advanced search that includes only the application key
field and the manual permissions field.
2. Export the results to a CSV file.
3. Run a data import on the CSV file.
Converting a User/Groups List to a Record Permissions Field

You can convert a user/groups list field to a record permissions field to limit record access to only
those users or groups selected in the field. The record permissions field is populated with the users
and groups configured for the user/groups List field.
The record permissions field also is configured to use the manual selection method, meaning that end
users are able to interact with the field to assign record permissions.

Convert a user/groups list to a record permissions field


2. Select the user/groups list field that you want to promote to a record permissions field.
3. In the Action field in the General Information section, click Promote to Record Permissions
field.
4. Remove the users and groups from the promoted field.
5. Add the users and groups to activate the record permissions for the newly promoted field.
6. Click Save.
Values Lists
Values lists allow administrators to define the values that users are allowed to select from in a
Values List, Matrix, or Cross-Application Status Tracking field. There are two types of values lists.
The following table describes the two types of values lists.
Type Description
Global Global values lists can be accessed and reused by other administrators. A global values
list can be used to populate Values List, Cross-Application Status Tracking, and Matrix
fields in an application.
For example, if you create a global values list that includes project statuses (pending, in
process, under review, completed, and so on), and you use this global values list in an
Exception Requests application, other administrators can use this values list in
applications they create, such as an Incidents application.
If you grant a user or group access rights to the Manage Global Values Lists page, these
individuals have access to all global values lists in the RSA Archer. If you want a user
to have access to specific global values lists and not all lists, select the appropriate
CRUD access for the individual global values list on the Manage Access Roles page.

Type Description
Field- A field-specific values list is considered “local” to its related Values List or Matrix
Specific field, meaning that it cannot be used again to populate other fields. Custom values lists
are useful in cases where the values do not make sense in the context of another
application or field. For example, a field-specific values list with the values “Draft” and
“Final” may be useful only for a Status field in a Document Repository application.
From the Application Builder, you can quickly establish global and field-specific values lists by
entering the values manually or by importing them from an external XML file.
Adding Values List Fields

Values lists include the values that users are allowed to select from in a values list, matrix, or cross-
application status tracking field.
1. Go to the Fields tab of the application to which you want to add a Values List field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Values List from the
l To add a field from an existing field, click Copy an existing Field and select the values list
4. Click OK.
7. In the Display Control section, select the option for displaying the field:


Display
Description
Control
Buttons
Boxes
behavior:
Options

Option Action
application.

Option Action
Bulk
Update

Inline Edit

l Days = 1 day
l Months = 30 days
l Years = 365 days
to the Options tab.

Option Action
9. In the Configuration section, specify the minimum and maximum number of selections a user can
make.

Option Description
control.
control.

Adding a Global Values List

Use global value lists for items that are common to other applications or questionnaires.
1. Go to the Manage Global Values Lists page.

b. Under Application Builder, click Global Values Lists.

2. Click Add New.

l To use the settings of an existing global values list as a starting point, select Copy an existing
Values List and select the existing values list from the Available Actions list.
l To select new settings for a global values list, select Create a new Values List from scratch.
4. Click OK.
Adding Values to Values Lists

You can create the values that are displayed to users as the available selections in global, field-
specific, and questionnaire values lists. The process for adding values to these types of lists is
identical.
1. Go to the Values tab of the values list you want to update.
The following table describes how to get to the Values tab, depending on the type of values list.
Global Field-Specific Questionnaire
a. From the menu bar, click a. From the menu bar, click a. From the menu bar, click
. . .
b. Under Application Builder, b. Under Application b. Under Application
click Global Values Lists. Builder, click Builder, click
Applications. Questionnaires.
c. Select the application. c. Select the questionnaire.
d. Click the Fields tab and d. Click the Fields tab and
select thevalues list field. select the values list field.
e. Click the Values tab. e. Click the Values tab.
2. In the Values section, click Add New.

3. In the Text Value field, enter the value as you want it to display in the values list.
4. (Optional) In the Description field, enter a description.
If the field is configured to display description links, users will be able to view this description
by clicking the linked value.

5. By default, Active is selected, which makes the value available for selection on the user
interface. If you do not want users to be allowed to select the value, clear Active.
Once you edit records with an inactive value in the value list field, the inactive value is removed.
6. (Optional) To set the value you are working with as a default selection when the values list is
displayed to users, select Default Selection.
Note: When a user adds a new record in an application or questionnaire that contains a Values
List field with a default value, the default value automatically is selected in the Values List
field, regardless of the user’s access to the field. For example, if a user has read-only access to
a Values List field with a default value of “In Progress,” when the user saves the record, the
value of this field is set to “In Progress” even though the user cannot edit the field. Users with
full access to the field can change the default value.
7. To associate a numeric value with your text value, enter the appropriate number in the Numeric
Value field.
For example, if your text value is "High," you might assign it a numeric value of "10." The
Numeric Value field accepts positive, negative, and decimal values. Using the Calculations
feature, you can reference these numeric values in calculated field formulas.
8. To apply color to the text of the value, follow these steps:
a. Click to the right of the Text Color field.

The Color Selector opens. This dialog box provides a small grouping of basic colors and an
interface for defining custom colors.
b. To select a predefined color, click the color in the Basic Colors control group.
c. To define a custom color, click the Custom tab and enter an RGB or HTML color code in the
fields provided.
A preview of your custom color is displayed in the color swatch.
d. Click OK to save your color choice and close the Color Selector dialog box.
Note: If you associate a color with a values list item, the color is displayed in records in view
mode and on a record node in Relationship Visualization. Values list items are not displayed in
color when users add or edit records unless the user has read-only access to the field.
9. To include an image to represent your value, in the Image field, click and in the Graphic
Selector dialog box, select from the following options:
l Select a Graphic from a Library. In the Available Graphics control group, select the option
next to the graphic that you want to assign to the values list item and click OK.
l Add a New Graphic. In the Available Graphics control group, click Add New to browse for
and select the file. Once you have selected a file, click Open to add the graphic to the Files to

Upload list. Click OK to begin the upload of the file.

Once the file is uploaded, you can select the file to be the image that displays for the value.
Note: If you associate an image with a values list item, the image is displayed in records in view
mode in place of the value name. Values list items are not displayed as an image when users add
or edit records unless the user has read-only access to the field.
10. If you want users to enter descriptive text associated with the value:
a. Select Other.
b. From the Height list, select the height for the text box.
c. In the Default Text field, enter the text that you want to be displayed by default next to the
values list control.
Note: Enabling this property causes the values list control to display a required text box on the
user interface. For example, if you have a value of "N/A," you can use the Other option to force
users to enter information supporting their selection of the "N/A" value.
Only one value for each values list may have the Other option enabled. Changing the Other
option from one value to another results in the loss of all data entered in the “Other” field
associated with the original value. For example, you have a values list where the value “N/A” is
enabled with the Other option. If you enable the value “None of the Above” with the Other
option, all data contained in the “Other” field associated with the “N/A” value is erased.
Arranging Values in Values Lists

When you have a large list of values, you can group the values in a nested, or hierarchical structure
to make them easier to find. You may define as many levels of values as you need and specify
which values are “children” and which are “parents.” You can also choose whether the parent value
is selectable. When values are in a hierarchical structure, they are displayed in this structure when
viewing and editing the field.
You can also configure the display order of the values in global, field-specific, and questionnaire
values lists by sorting items alphanumerically, placing them in a specific order, assigning values a
color from the custom color palette, or arranging them randomly to support certain questionnaire
formats. The process for sorting values in these lists is identical.
Note: Both active and inactive values are available for selection when configuring a values list. To
avoid confusion, RSA recommends deleting unused inactive values from the values list.

Nest values in a values list
1. Go to the values list that you want to update.

The following table describes how to get to the values list, depending on the type of values list.
. . .
select the values list select the values list
field. field.
2. Click the Values tab.

3. In the Values section, select the value you want to nest.
l Drop the value to the position in the values list.
l Drop the value directly on top of the field to make the value a child of another value.
5. To make a parent value that functions as the title for a list of child values unavailable for
selection, do the following:
a. Select the parent value.
b. Clear the This value is available for selection checkbox.
Configure the sort order for a values list
1. Go to the values list you want to update.

a. From the menu bar, click a. From the menu bar, a. From the menu bar, click
. click . .
c. Select a values list. Applications. Questionnaires.
d. Click the Fields tab. d. Click the Fields tab.
e. Select the Values List e. Select the Values List
field. field.

3. In the Values section, select the applicable option for displayed the list of items.
Option Description
Custom Lists the values in the specific order that you define. To adjust the order of
values, click and drag the value to the position in the list.
Ascending Lists the values in ascending alphanumeric order. For example, the values
"High," "Medium," and "Low" would be displayed in the following order: High,
Low, Medium.
Alphanumeric sort is not supported for values lists that contain values in multiple
languages.
Descending Lists the values in descending alphanumeric order. For example, the values
"High," "Medium," and "Low" would be displayed in the following order:
Medium, Low, High.
Random Lists the values in a different order each time the list is displayed. This variation
in display order minimizes the chance that end users detect patterns.
4. Click Save.

Converting Field-Specific Values Lists into Global Values Lists

Because field-specific lists are specific to the field in which they are created, they cannot be reused
in other Values List fields. However, to reuse a field-specific values list, you can convert the field-
specific values list to a global values list, making it available for use in any Values List, Cross-
Application Status Tracking, or Matrix field.

2. In the Field column, click the field that you want to configure.
3. In the Action field on the General tab, click the Promote to Global Values List link.
4. Click Save.
Defining Field-Specific Column and Row Values for a Matrix Field

A matrix field allows you to display a two-dimensional array of checkboxes, allowing users to plot
or rank responses relative to the two factors posed by the dimensions. During the field creation
process, you can select to populate a Matrix field column and row values with global values lists or
to create custom column and row values. If you select to create field-specific values, you can define
those values from the Fields tab on the Manage Applications page. Field-specific column and row
values are considered local to the Matrix field because you cannot reuse these values for other
fields.
Note: If you selected to use global values lists to populate the Matrix field column and row values,
the Column Values and Row Values links are not displayed on the Fields tab of the Manage
Applications page.
Add field-specific column or row values for a matrix field

1. Go to the Fields tab of the application or questionnaire that you want to update.



2. In the Field Type column, do one of the following:

a. To define values for a column, click Column Values.
b. To define values for a row, click Row Values.
4. In the Text Value field, enter the label.
5. (Optional) In the Description field, enter the description of the value/
6. (Optional) In the Default Selection field, click Select this value by default.
7. In the Numeric Value field, enter the value.
8. (Optional) the Text Color field, select the color for the text of the value.
9. (Optional) the Image field, click Add to attach and image to the value.
10. (Optional) the Other field, click Require users to enter supporting information when they select
this value.
11. Click Save.
Edit field-specific column or row values for a matrix field

1. Under the All Values list, select the value you want to update.
2. Change the property of the value.
3. Click Save.
4. Repeat all steps for other values you want to change.
Export field-specific column or row values for a matrix field




l To export column values, Click Column Values.
l To export row values, click Row Values.
4. In the Text Value field, enter the label.
5. (Optional) In the Description field, enter the description of the value.
6. (Optional) In the Default Selection field, click Select this value by default.
7. In the Numeric Value field, enter the value.
8. (Optional) the Text Color field, select the color for the text of the value.
9. (Optional) the Image field, click Add to attach and image to the value.
10. (Optional) the Other field, click Require users to enter supporting information when they select
this value.
11. Click Save.
Import field-specific column or row values for a matrix field




l To define values for a column, click Column Values.
l To define values for a row, click Row Values.
3. In the Values section, click Import.
4. Under the All Values list, select the value you want to update.
5. Click Add New
6. Select the XML file you want to upload and click Open.
7. Click OK.
8. Update the value properties as needed.
9. Click Save.
Inactivate field-specific column or row values for a matrix field



l To define values for a column, click Column Values.
l To define values for a row, click Row Values.
3. Under the All Values list, select the value you want to inactivate.
4. In the Active field, clear the Make the value available for selection checkbox.
5. Repeat steps 2 and 3 for other values you want to inactivate.
6. Click Save.


Importing Values into Values Lists

You can define the values list properties by importing the properties from an external XML file. The
following conditions apply when importing a values list:
l Existing values list with a node name that matches a value in the XML file will be updated with
the properties contained in your import file.
l Values can be imported in global, field-specific, and questionnaire values lists. The process for
adding values to these types of lists is identical.
l Values in your XML file that do not match an existing value in the list are imported as new
values.
Values can be imported in global, field-specific, and questionnaire values lists. The process for
adding values to these types of lists is identical.
XML example and attributes

Your XML file must have a structure similar to the following example.
The following table describes each attribute and whether it is required or optional.
Attribute Required/Optional Description
name Required The name of the value as you want it to display in the
values list. It maps to the Text Value field on the Edit
Value page.
active Required Defines whether the values list item is available for
selection on the user interface. It maps to the Active
field on the Edit Value page. Use the value "true" or
"false" with this attribute.

value Optional The numeric value associated with the text value
name. For example, you could associate the numeric
value "10" with the text value "High." This attribute
maps to the Numeric Value field on the Edit Value
page.
description Optional Description of the value. It maps to the Description

field on the Edit Value page.
selectedDefault Required Defines whether the values list item is the default
selection. It maps to the Default Selection field on the
Edit Value page. Use the value "true" or "false" with
this attribute.
textColor Optional The HTML color code to apply to the value. It maps to
the Text Color field on the Edit Value page.
status Required Defines whether the properties of this value can be

modified. A value of “0” means administrators can edit
the value. A value of “1” means that the value is
"locked;" only the name and description of the value
can be modified. A value of "2" means that the value is
"static;" no properties can be modified.
otherTextEnabled Optional Associates the "Other" text field with the values list
item. It maps to the Other field on the Edit Value page.
Use the value "true" or "false" with this attribute. Only
one value per values list can be defined as "Other."
otherTextHeight Optional Defines the height of the "Other" text field. This
attribute can be used only in conjunction with the
otherTextEnabled attribute.
otherTextDefault Optional Defines the default text for the "Other" text field. This
attribute can be used only in conjunction with the
otherTextEnabled attribute.

image Optional The name of the image file associated with the values
list item. When you import a values list item that has
an image attribute (the filename of the image), RSA
Archer maps the image attribute to a file name on the
server. RSA Archer displays the image associated with
the filename on the server. If an exact match cannot be
found, no image is displayed. This attribute does not
accommodate the import of new or updated images.
Import a values list

1. Go to the Values List page of the following values list you want to update.
The following table describes how to get to the values list, depending on the type.
. . .
field. field.
2. In the Values section, click Import.

3. Click Add New.
4. Select the XML file.
5. Click Open to add the file to the Files to Upload list.
6. Click OK.
Exporting Values from Values Lists

You can export a values list to an external XML file using the export feature for global, field-
specific, and questionnaire values lists. You can make changes to the values in the XML file and re-
import the list to quickly update your values.

1. Go to the Values List page of the values list you want to update.
The following table describes how to get to the values list, depending on the type.
. . .
b. Under Application Builder, b. Under Application b. Click Questionnaires.
click Global Values Lists. Builder, click c. Select the questionnaire.
c. Select a values list. Applications.
d. Click the Fields tab and
c. Select the application. select the values list
d. Click the Fields tab and field.
select the values list e. Click the Values tab.
field.
e. Click the Values tab.
2. In the Values section, click Export.

3. Select to Open or Save the XML file.
Deleting Values from Values Lists

You can delete a value from global, field-specific, and questionnaire values lists. When you delete a
value from a global, field-specific, or questionnaire values list, that value no longer is available for
selection. Only non-selected values can be deleted. If you attempt to delete a value that has been
selected in one or more records, RSA Archer provides an informational message stating that the
value may not be deleted.
Important: You cannot delete values from a values list that are used in an advanced workflow.
You can delete multiple values from a global, field-specific, or questionnaire values list by exporting
the values list as an XML file and deleting the values you want to keep, leaving a list of values you
want to remove. The Bulk Delete feature enables you to upload the revised XML file, and removes
the list of unwanted values from the values list accordingly.
Note: Regular maintenance of your values list is important to avoid confusion when configuring your
values in charts. RSA recommends that you maintain your values lists by deleting unused inactive
values.

Note: Both active and inactive values are available for selection when configuring a values list. To
avoid confusion, RSA recommends deleting unused inactive values from the values list.
Delete a value from a values list
1. Go to the Values tab of the values list you want to update.

The following table describes how to get to the Values tab, depending on the type of values list.
. . .
field. field.
2. In the Structure pane in the Values section, select the value that you want to delete.
3. In the Properties pane, click Delete for the value that you want to delete.
Delete multiple values from a values list
1. Go to the values list you want to update.

a. From the menu bar, click a. From the menu bar, a. From the menu bar, click
. click . .
c. Select a values list. Applications. Questionnaires.
d. Click the Fields tab. d. Click the Fields tab.
e. Select the Values List e. Select the Values List
field. field.

3. Export and delete values list values.
a. In the Values section, click Export > Save.
b. Delete values from the exported values list.
c. Save the revised XML file.
4. Add the revised XML file as follows:
a. On the Values tab, click Bulk Delete.
b. Click Add New.
c. Select the revised values list XML file.
d. Click Open.
e. Click OK.
Scheduler Field
Use the scheduler field to create triangular relationships between the application to which it belongs,
a resource application, and the Appointment application to facilitate scheduling resources.

Example: Relationships with parent application

The Audit Planning & Quality use case uses the Appointment application for scheduling resources
for engagements. In this example, the Engagements (parent) and Contacts (resource) applications
share a relationship with the Appointment application through the Scheduler field in the parent
application.
Example: Relationships with multiple parent applications

For example, in addition to the Engagements application, you want to schedule resources for another
application. In this case, you would create a scheduler field in both applications as the parents of the
resource application. Then, you would create a Scheduler field in the Contacts application that is
shared between both parent applications.
When you schedule appointments for either application, the appointments are listed in the Contacts
application in the resource view. An appointment can only be associated with one parent and one
resource.
To assign resources to any parent application, you must configure a scheduler field with the schedule
view and add it to the layout of that application. Any module with the scheduler field configured in
the schedule view is considered a parent application.

The following table describes different applications.

Term Definition
Parent The application with the scheduler field configured in the schedule view to which
you want to schedule resources.
Resource The application with the scheduler field configured in the resource view containing
the resources you want to schedule. A resource application can never be the parent.
Appointment The application where the appointments reside.

Application
Displaying appointments
You can display appointments in either the schedule or resource view.
l The schedule view displays appointments in a Gantt-like chart with the resource along the left
side and the appointments in segmented columns based on start and end dates. In this view, users
can schedule appointments directly by moving the start and end date columns, and can assigning
resources by dragging and dropping appointments from one resource to another. Users cannot edit
appointments of other parent applications in this view.
l The resource view displays a list of appointments for all resources or the appointments for a
particular resource when viewed by that user. Appointments are grouped by the parent application
and listed in a table (grid) with the following information: Appointment, Name, Start date, End
date, Duration, and Type.
Adding Scheduler Fields

Create a scheduler field in the resource application so that users can see all of the appointments to
which they have been scheduled, regardless of the parent application.
Use the triangular reference in searches, calculations, and inherited record permissions.
You can add a scheduler field for an application or questionnaire.
Note: You cannot use the Scheduler field as a filter, in a data-driven event, or a rule for a data-
driven event.
Note: After you create a scheduler field, you cannot edit the Display Control or Configuration
options. You must delete the scheduler field, which removes the triangular relationships. After
creating the scheduler field, you must add it to the application layout.
Task 1: Add the scheduler field
1. Go to the Fields tab of the application or questionnaire to which you want to add the Scheduler

field.

2. Click Add New.

l To add a new field, click Create a new Field from scratch and click Scheduler from the
l To add a field from an existing field, click Copy an existing Field and select the scheduler
4. Click OK.
7. In the Display Control section, select the display format.
Display
Description
Control
Schedule Schedule Grid: Displays appointments in a Gantt-like chart with the resource along
Grid the left side and the appointments in segmented columns based on start and end
Resource dates. In this view, you can see all assigned resources for each parent record. To
Grid assign resources to any parent application, you must configure a scheduler field
with the schedule view and add it to the layout of that application. Any module with
the scheduler field is considered a parent application.
Resource Grid: Displays appointments in a list grouped by parent applications for
all resources or the appointments for a particular resource when viewed by that
user. In this view, your users can see all appointments assigned to them through
this view regardless of the application to which they are assigned. Users can also
see any appointments that are not assigned to a resource.
8. In the Configuration section, select the applicable available reference.


Option Description
Available Designates the application to which a relationship is created when the

Reference appointment is viewed in the schedule view. This designation creates a triangular
relationship among this application.
For example, if you are creating the Scheduler field in the Engagements
application with the schedule view, it becomes the parent application. You can
then specify Contacts as its resource, which creates a triangular relationship
between Engagements and Contacts applications and the Appointment application.
If you select the Resource Grid as the Display Control, this designation
automatically establishes a relationship between the current module and the
Appointment application.
Option Action

l If you selected Resource Grid as the display control, go to the next step.
l If you selected Schedule Grid as the display control, complete the following:
a. (Optional) In the Record Lookup Configuration section, define the selection and sorting
criteria for displaying records from the related application from which you want users to

select from Record Lookup.

Options Description
Display Specifies the fields of data from the relationship application that are
Fields displayed on the Record Lookup page for users when they select related
records in the Scheduler field.
To select fields for display, click in the Display Fields field and select
order of fields in the Selected list will be the left-to-right order of fields in
the Record Lookup page.
Filters Determines the filtering criteria for selecting records for display on the
Record Lookup page.
To set filters for the records to be displayed in the field, select the values for
the following fields:
l Field to Evaluate
l Operator
l Values
You can also create a dynamic filter for filtering record lookup.
Sorting Specifies the fields by which referenced records are sorted in the Record
Lookup page.
b. In the Schedule Display Configuration, select the resource fields that you want to display.


Option Description
Display Defines the columns of data that display in the Resource column of the
Fields schedule view.
Use the below the Selected list to arrange fields. The top-to-bottom
order of fields in the Selected list displays as the left-to-right order of fields in
the Related Record Field table.
11. Click Apply.
Task 2: Add the scheduler field to the application or questionnaire layout

2. Move the scheduler field from the Available Fields list to the location on the layout where you
want the Schedule or Resource object to appear.
3. Click Save.
Trending
Trending is a method of tracking status changes for a numeric or values list field. Trending charts
enable you to observe patterns in data over a specified period of time. The chart reflects a plot point
for each time a field value is saved. When a field is enabled for trending with a duration period,
RSA Archer captures data for the specified field and retains the data for the duration period as
trending data.
The trending data can be displayed on a chart in the record after the Add Trending Chart layout
object is added to the application layout. Viewing trended data on the chart enables you to see trends
in the data in order to make informed business decisions. These trending charts are displayed in a
record when the Enable trending options for this field option is selected for a Numeric or Values List
field. The trending chart title is displayed when the Show Title option is selected in the Trending
Chart Description dialog box. If no trended data exists for the field when you view the record, the
message "No Trending Data Available" is displayed in this section.
Plot points displayed on the trending chart represent each time the trended value is saved. You can
hover over a plot point to view a tooltip consisting of the following details after saving the record.

l The field value.

l The timestamp (MM/DD/YYYY HH:MM:SS AM/PM) from when the value was initially
selected.
l The timestamp (MM/DD/YYYY HH:MM:SS AM/PM) from when the value was changed (the
value "Now" displays instead of a timestamp when the value has not been changed since the
previous save occurrence).
l The user (Last name, First name) who saved the value.
Trended Numeric fields with a null value are currently displayed on a trending chart with a plot point
at 0. To ensure that the data on the trending chart is accurate, select the Required field option on the
Manage Field page.
The removal of any trended data occurs after an asynchronous job runs. This asynchronous cleanup
job removes both expired trended data and any trended data for fields that the user has disabled
trending.
Note: If you are attempting to display a trending chart for a Values List field that has a large number
(approximately 2500) of historical changes, an error may occur.
Example: Trending chart duration

You might create a trending chart called "Safety Incidents" to track the number of safety incidents
that occur at a facility before safety policies are instituted. If the duration period was specified as
one year (365 days), you might view the trending chart and observe that the number of safety
incidents at the facility has decreased during the one year duration period. You might conclude that
the safety policies are working.
Example: Changing the duration of a trending chart

To expand on the first example, the duration period is changed from one year to one month. The
trending data on the chart spans the one year duration period plus the one-month duration (30 days).
On the 31st day, the trending data shows only the one-month period once an asynchronous job runs.
This once-daily cleanup job removes both expired trended data and any trended data for fields that
the user has disabled trending.
Example: Trending update

You might not update a trending-enabled field until after the period of time specified in the duration
period. When the update takes place after the duration period ends, the chart reflects data for a
longer time span, and any removal of data will not occur until a new value is added.

Enabling and Disabling Trending on a Field

You can enable or disable trending to track status changes for the value of a numeric or values list
field. You must set a duration period when enabling trending on the field.
You can disable trending on a numeric or values list field that has trending enabled so that trending
data is no longer retained for the field. An asynchronous cleanup job that runs once per day removes
both expired trended data and any trended data for fields that the user has disabled trending. When
trending is disabled on a trending-enabled field, the trending chart on the application layout is
replaced with a Placeholder layout object with the same span properties.
Enable trending on a numeric or values list field
Note: If the trended field was disabled and then enabled, no trending data is retained from the last
time the field was set to trending-enabled and the asynchronous job ran. The trending duration period
must be set each time trending is enabled.

2. Select the trended field (numeric or values list field) that you want to enable trending.
4. Click Enable trending options for this field checkbox and enter the duration period.
5. Click Save.
6. Click OK to continue.
Disable trending on a trended field

2. Select the trended field (numeric or values list field type) for which you want to disable trending.

3. Clear the Enable trending options for this field checkbox.

4. Click Save.
5. Click OK to continue.

Chapter 6: Sub-Forms
A sub-form is a special grouping of fields that can be embedded in any application to collect
information in individual records. When users add or edit a record in an application that contains a
sub-form, they can add data to the sub-form multiple times.
You can customize a sub-form layout by doing the following:
l Add and arrange sections, fields, help text, objects, and custom controls.
l Add custom objects using HTML or JavaScript code to create buttons or other objects.
l Add placeholders to create blank spaces between fields or sections.
l Add tab sets to group related tabs.
l Add tabs to group related fields.
l Set visibility properties to hide a field from users without deactivating or deleting the field.
You can manage a sub-form by doing the following:

l Assign ownership rights for the sub-form to other administrative users.
l Embed the sub-form in an application by creating a sub-form field in the selected application and
linking that field to the predefined sub-form.
l Establish basic sub-form structure, which includes naming, describing, and activating the sub-
form.
Adding Sub-Forms
From the Manage Sub-Forms page, you can create an original sub-form, or create a sub-form by
copying and modifying the properties of an existing one. If you select to copy a sub-form, your new
sub-form contains all of the fields and structural components of the copied sub-form, but it does not
include any attachment files or sub-form entries.
Task 1: Add a sub-form
1. Go to the Manage Sub-Forms page.

b. Under Application Builder, click Sub-Forms.
2. Click Add New.


l To add a new sub-form, click Create a new Field from scratch, and enter the Name and select
a Language for the new sub-form.
l To copy an existing sub-form, click Copy an existing Sub-Form and select the sub-form you
want to copy.
4. Click OK.
5. In the General Information section, enter the name, alias, and description.
6. (Optional) In the Options section, enable spell check.
Task 2: Add fields and objects to the sub-form layout
Note: To protect data integrity, the application prohibits field type changes. For example, you cannot
change a date field to a text field.
1. Go to the Layouts tab of the sub-form to which you want to add a field.

c. Select the sub-form.
d. Click the Layouts tab.
2. Click Add New Field and do the following:

a. Select the field type you want to add.
b. Define the field for the sub-form.
c. Continue this process until all fields that you want are defined.
d. Save the fields.
3. Move the fields that you want onto the layout.
4. From the Add New Layout Object list, move the object you want onto the layout.

Adding and Removing Documentation from Sub-Forms

You can attach or remove supporting documentation to a sub-form.
Add documentation to a sub-form
1. Go to the General tab of the sub-form to which you want to attach a file.


3. Select the document file or files that you want to add to the sub-form.
4. Click OK.
Remove documentation from a sub-form
1. Go to the General tab of the sub-form from which you want to remove a file.

2. In the Documentation section, locate the file that you want to remove from the sub-form and
click the Delete icon in its row.

Assigning or Revoking Sub-Form Owners

Sub-form owners can edit and customize sub-forms to which they are assigned. The creator of a sub-
form is automatically granted ownership rights to that sub-form. Ownership rights can be revoked by
other assigned owners. Owners do not automatically have access rights for the content stored in the
sub-form.
Assign sub-form owners
1. Go to the Administration tab of the sub-form you want to modify.

2. In the Sub-Form Owners field, click .

3. From the Available list, select the users or groups you want to assign ownership.
Revoke sub-form owners
1. Go to the Administration tab of the sub-form you want to modify.

2. In the Sub-Form Owners field, click .

3. From the Selected list, click Remove to the right of the user or group you want to revoke
ownership.


Changing the Sub-Form Status

When a sub-form is no longer needed but you do not want to delete it, you can change the sub-form
status from active to inactive.
Change the status of a sub-form

1. Go to the General tab of the sub-form you want to modify.

2. In the Status field of the General Information section, select the status for the sub-form.
The following table describes each status.
Status Description
Active Users can enter data in sub-forms with Active status. Active sub-forms can be
displayed in an application.
Inactive Inactive sub-forms cannot be displayed in an application. If a sub-form that is

already embedded in an application is inactive, the field that displays the sub-form is
also inactive. When a sub-form status is set to Inactive, data stored in a sub-form is
hidden from view until the sub-form and the corresponding sub-form field are
reactivated.

Deleting Sub-Forms
When you delete a field from a sub-form, all record data stored in that field is lost. If you delete a
system field type, data stored in the field is maintained in the database and continues to populate the
field in new and updated records, even though the data is not visible through the user interface.

Before deleting a sub-form, note the following important information:

l Sub-forms that are referenced by sub-form fields in applications cannot be deleted. You must first
delete the sub-form fields that reference the sub-form. View the referenced sub-form fields from
the Related Applications section on the General tab of that sub-form.
l Owners who have delete permissions can delete sub-forms to which they are assigned.
Delete a sub-form
1. Go to the Manage Sub-Forms page.

2. Select the row of the sub-form that you want to delete.
3. Click .
4. Click OK.

Chapter 7: Data Driven Events

Data driven events (DDEs) allow you to react dynamically to data conditions or values in the
system. A DDE is the conceptual combination of a rule and one or more linked actions.
l A rule is a set of one or more data conditions or values that must be met for the rule to evaluate to
true. Rules are evaluated in a specified rule order.
l An action is a predefined operation that is executed when linked to a rule. Actions are executed
only when the rule to which they are linked is evaluated as true.
Data driven events are associated with individual layouts in an application or questionnaire. Data
driven events are configured on the Events tab of the Manage Layout page and provide
administrators and application owners the ability to:
l Dynamically control page layout based on the state of content.
l Conditionally filter or set field values based on the state of content.
l Generate email notifications.
The Data Driven Event feature includes a utility, the Event Analyzer, for troubleshooting DDE
rules. The Event Analyzer provides a real-time view of rule evaluations and actions that are applied
as a result of user interaction with the content edit page.
DDE guidelines
When building DDEs, consider the following guidelines:
l Required fields that are hidden from the end user in an application are still required. Users cannot
save the record when this condition exists.
l Fields that are hidden in an application and are set to be required by an Apply Conditional Layout
(ACL) action are only required conditionally. When hidden fields are conditionally required by an
ACL, users can save the record.
l A rule condition that evaluates a Text field with the Display Control set to Text Area may result
in inconsistencies due to rich text markup when an operator other than Contains or Does Not
Contain is used.
l Tabs can be dynamically shown or hidden based on the current state of content, including nested
tabs. When a data driven event hides all sections on a tab, the tab is also hidden.
l Actions linked to the rule targeting a private field may not execute because not all users can
access the private field. Field permissions can be different for each user.
l Date and Values List field values that are set by an action can still be edited by the end user
unless the field is set to not be edited. For example, all other values in a Values List are filtered
by an action.

Data Driven Event Process Flow

A rules session is a single, uninterrupted pass of evaluating rules in a specified order and executing
linked actions for rules that are true. The rule and its corresponding actions are processed at
different times during the Record Edit and Record Save processes depending on the type of action
being invoked. It is important to understand how DDEs are processed when adding, updating, or
saving a record.
Process flow rules
Note: Off-layout refers to the fields that are available for selection but are not included in a section
layout.
l Off-layout and private fields to which the user does not have field permissions:
o Can be used as a rule condition to evaluate.
o Cannot be directly set.
l Calculated values are always evaluated after executing Save or Apply with the exception of
Generate Notification actions.
l Generate Notification actions are only executed by a record being saved. This action is executed
at the end of the record save process and is the only action executed after calculated fields and
record permission fields are computed.
l System fields can be used as rule conditions. The First Published Date and Last Updated Date
fields are not available until after the record is saved. Generate Notification actions are entirely
different from other actions and execute after these values are calculated.
Insert scenario - add new

When new content is loaded (Insert Scenario), a SINGLE pass of rules with SETS (Set Date and Set
Values List Selection) and FILTER (Filter Values List Items) actions occurs. Conditional layout is
processed against the result of the SINGLE pass.

Example: Add new process flow


Note:
1. During the load process, all valid rules are evaluated. For any rule that evaluates to true, the
filter or set action of the rule is applied (subject to set and filter conflict handling).
2. Because filter and set actions can potentially change content values, the ACL action must be
evaluated against the "latest" state of the content.
3. A user modification triggers a SINGLE pass of rules with SETS (Set Date or Set Values List
Selection) and FILTER (Filter Values List Items) actions. SET actions are applied only when the
user modified field is contained in a condition of the rule.
4. If the user modifies at least one field value that is used in a condition of a rule, the load process
is repeated. The SET actions are applied only if the field the user modified is contained in a
condition of the rule.
Update scenario - edit

When content is loaded (Update Scenario), a SINGLE pass of rules with FILTER (Filter Values
List Items) actions occurs. Conditional layout is processed against the result of the SINGLE pass.

The following figure shows the Update Scenario – Edit process flow.


Note:
1. During the load process, filter actions are applied (subject to conflict handling).
2. Because filter and set actions can potentially change content values, the ACL action must be
evaluated against the "latest" state of the content.
3. A user modification triggers a SINGLE pass of rules with SETS (Set Date or Set Values List
Selection) and FILTER (Filter Values List Items) actions. SET actions are applied only when the
user modified field is contained in a condition of the rule.
4. If the user modifies at least one field value that is used in a condition of a rule, the load process
is repeated. The SET actions are applied only if the field the user modified is contained in a
condition of the rule.
Data Driven Event Rules and Actions

When a DDE is triggered, each rule is evaluated and its linked actions are executed as applicable.
The action is only executed when the rule is true.
l Rules and actions are stored in separate libraries. A single rule can have any number of actions
linked to it. Additionally, a single action can be linked to any number of rules.
l Rules and actions are defined in the context of a specific application or questionnaire and are not
available to other applications or questionnaires. In leveled applications, rules and actions are
defined in the context of a specific level and are not available to other levels.
To create, edit, or delete both rules and actions, your user account must specify that you:
l Are an application owner
l Have update rights on the Manage Application page
l Have ownership rights to the questionnaire (if working on a questionnaire)
Depending on how rules are configured in an application or questionnaire, it is possible that the
actions defined for those rules could conflict with each other. It is important to understand the
effects and expected behaviors that can occur when an action is executed. Each action type includes
rules to consider when defining actions and suggestions for conflict resolution.
Relationships between rules and actions

A single rule can have any number of actions linked to it. Additionally, a single action can be linked
to any number of rules.

Recommended practices for rules and actions

Keep these practices in mind when defining data drive event (DDE) rules and actions.
l A default display action to show sections is not required. By default, all layout objects are shown.
The only time that you need to explicitly show a layout object is when another ACL action needs
to be overridden.
l RSA does not recommend using rules with the changed operator in ACL or Filter Values List
Items actions. The action is inconsistent from one save to another because the rule is true before
the save and false after. For additional information on changed operators, see rules for evaluating
changed operators.
l Do not associate rules evaluating only calculated fields with the Set Date or Set Values List
Selection actions. This action type is never executed because calculations are not updated until
after these actions are executed. These actions require a triggering field to be included in the rule
linked with the action.
l Do not associate rules with calculated fields and Changed Operators with actions other than
Generate Notification actions. These rules are never true at that time because calculations are not
evaluated until after the actions are executed.
Rule-related tasks
l Adding Rules to Data Driven Events
l Setting the Rule Order of Data Driven Events

Action-related tasks
l Adding Apply Conditional Layout Actions
l Adding Filter Values List Item Actions
l Adding Generate Notification Actions
l Adding Set Date Actions
l Adding Set Values List Selection Actions
Data Driven Event Rules

A rule is a set of one or more data conditions or values that must be met for the rule to be true.
Actions are executed only when the rule to which they are linked is true.
Example: Rule that always evaluates true

If your business practice requires a rule to always evaluate to true, create a rule with the filter
criteria set to Record Status equals New OR Updated, as shown:
A rule can be linked to one or more action types. Rules are evaluated sequentially according to the
priority in which they are assigned in the Rule Order dialog box.
l Rules are owned by the application or questionnaire to which they are linked, and are not
available to other applications or questionnaires.
l Rules are evaluated and actions are executed in a rules session.
l A rules session is a single uninterrupted pass of evaluating rules in a specified order and
executing linked actions for any rules that are true.
l A rules session is invoked when a record is added, changed, or saved.
l Rules can be copied and edited to make similar rules.
l Rules can be based on field types that allow for a user selection or data entry.
The following fields cannot be used in a rule:

l Access History l Image

l Attachment l Multiple Reference Display Control
l CAST (Detail) (MRDC)
l CAST l Questionnaire Reference (QRFT)

(Scorecard) l Scheduler
l Discussion l Tracking ID
l External Links l Voting
l History Log
Note: Sub-forms can be used in a rule, but not the fields in the sub-form.
Rule tasks for DDEs

l Adding Rules to Data Driven Events
l Setting the Rule Order of Data Driven Events
Data Driven Event Rules Evaluation

Rules are evaluated based on user interaction and calculated fields.
Rules for executing actions based on user interaction

The following table describes the user interactions and resulting rule actions.
User
Resulting Action
Interaction
On New All rules are evaluated.

Set, filter, and ACL actions are executed.
On Edit All rules are evaluated.

Filter Value List Item and ACL actions are executed.
On Field All rules are evaluated.

Modification Set actions linked to rules containing the modified field as a rule condition, Filter
Value List Item, and ACL actions are executed.
On Save Calculated fields are calculated.

All rules are evaluated.
Generate Notification actions are executed.

Rules for executing action based on calculated fields

The following table describes the user interactions and resulting rule actions.
User
Resulting Action
Interaction
On New Calculated field value is null.

Rules evaluating a null value or evaluating the absence of a specific value (Does
Not Equal, Does Not Contain) are evaluated to true and linked set, filter, and ACL
actions are executed.
On Save Calculated field value is updated by the Content Save process.

Generate Notification actions is executed based on the updated calculated field
value.
On Edit Calculated field value was already updated by the Content Save process.
Filter and ACL actions are executed based on the updated calculated field value.
On View Calculated field value was already updated by the Content Save process.
ACL actions are executed based on the updated calculated field value.
On Field Calculated field values cannot be directly modified by the end user.
Modification
Rules for evaluating changed operators

The Changed operator only evaluates the previously saved value of a field against the current value
of the field. For new content, the initial state of the value is considered empty.
Important: RSA Archer may automatically change the contents of a field when you have entered
Edit mode, but before you have actually made any edits. The following table contains four sample
scenarios.

The following table describes scenarios and their results.

Scenario Result
Rule 1 has the Changed operator Rule 1 is evaluated as true from User Input 1
set to Changed Rule 1 is evaluated as false from User Input 2
Field A currently has a value of Only the first change triggers the data driven event and not
null (empty) the second one because the final state of the value is the
User Input 1 - User changes the same as its original state
value of Field A to 2
User Input 2 - User removes the
value of 2 in Field A
Rule 1 has the Change operator set Rule 1 is evaluated to True immediately when User 1 edits
to Changed the record
Field A is configured to auto- The system has automatically removed Enterprise
restrict groups Management as the selected value in the field
Field A currently has the
Enterprise Management group
saved in the record
User 1 edits the record, but is not
a member of the Enterprise
Management group
Rule 1 has the Changed operator Rule 1 is evaluated to true when the user clicks on the field
set to Changed The system has automatically changed the HTML in the field
Field A is a text field that has to be normalized
invalid HTML brought in from a
data import
User 1 edits the record and clicks
on Field A
Rule 1 has the Changed operator Rule 1 is evaluated to true immediately when User 1 edits the
set to Changed record
Field A currently has a User Previously selected User in Field A is automatically removed
selected in the field from the field
The selected User is deleted from
the system
User 1 edits the record

Adding Rules to Data Driven Events

Complete this task to add a rule to a data driven event.
Add a rule to the data driven event
1. Go to the Rules tab of the application that you want to update.

l If the application is not enrolled in Advanced Workflow, click the Layout tab.
l If the application is enrolled in Advanced Workflow, click the Layouts tab, and select the
layout with which you want to associate the event.
e. Click the Rules tab.
2. Click Add New.

l To add a new a rule, click Create a new Rule from scratch.
l To add a rule from an existing rule, click Copy an existing Rule and select the rule you want
to copy.
l If the application is not leveled, go to the next step.
l If the application has multiple levels, select the level where you want to create the rule.
5. Click OK.
6. In the General Information section, enter the name and description of the rule.
7. In the Criteria section, use the fields provided to specify the field to evaluate, the operator, the
value or values and, if applicable, the relationship to the subsequent row of filter criteria. Each
row on this page represents one set of filter criteria.
a. Specify filter criteria in the first row. If needed, enter a second set of filter criteria in the
second row.
b. To add additional rows for specifying more filter criteria, click Add New.
Note: This link is only enabled when the action is available.
c. To change the relationship between the rows of filter criteria, in the Advanced Operator
Logic field, enter a new value. The default value is "And."

d. To delete a condition, click in that row.
Note: The system automatically renumbers the criteria rows, but you may need to modify any
advanced operator logic accordingly.
For example, if your business practice requires a rule to always evaluate to true, create a
rule with the filter criteria set to Record Status equals New OR Updated, as shown in the
following figure.
8. In the Linked Actions section, click Select Actions.

9. Select one or more actions that you want to link to this rule and click OK.
10. Click Save.
Remove actions from a rule

You can disassociate an action from a rule without deleting the action.

2. Click the rule that you want to update.

3. In the Linked Actions section, click next to the action that you want to disassociate from the
rule.
4. Click Save.
Delete a data driven event rule

If you no longer need a rule, you can delete it. Deleting a rule does not delete the actions linked to it.

The actions continue to exist in the Action Library and maintain their links with other rules.

2. Click the row and view the description of the rule that you want to delete.
3. Click for that rule.

4. Click OK.
Setting the Rule Order of Data Driven Events

The rule order of a data driven event determines the specific order in which the applicable actions of
each rule are executed. Use rule order to dynamically or conditionally control when actions are
executed based on a business process. You set the rule order on the Rule Order dialog box.
Rules are evaluated sequentially according to the priority in which they are assigned. Rule 1 is
ranked higher in priority than Rule 2, Rule 2 is ranked higher than Rule 3, and so forth.
Example: Setting the rule order

You have five rules. Each rule is evaluated individually starting with the highest priority (Rule 1)
and finishing with the lowest priority (Rule 5). The appropriate actions of each rule are executed
before the next rule in sequence is evaluated. This process continues until all rules are evaluated and
the applicable actions of each rule are executed.

Rules can contain actions that conflict with each other. Use the conflict resolution for the particular
action.
Set the rule order of a data driven event


2. Click Configure Rule Order.

3. Click one or more rules and drag and drop to the position you want.
4. Click OK.
5. Click Save.
Data Driven Event Actions

An action is a predefined operation that is executed when linked to a rule. Actions are:
l Stored in a library and can be used with multiple rules
l Executed only when linked to a rule that is true
l Reusable across multiple rules
l Owned by the application or questionnaire and are not available to other applications or
questionnaires
Fields that are defined in an application or questionnaire are used in an action. For example, fields
can be added to a section on the layout of an application or questionnaire, and then be conditionally
required or hidden by an Apply Conditional Layout (ACL) action.

Action types
The following table describes Action Types.
Action Type Description
Apply Configures dynamic record layouts based on the state of the record.
Conditional
Layout
Filter Values List Restricts the values available for selection in a Values List field to a subset of
Items the values defined for the field.
Generate Generates an email notification that is sent to specified users.

Notification
Set Date Configures and sets a value for a Date field that can be overridden.
Set Values List Configures and sets a value for a Values List field that can be overridden.
Selection
Action tasks
l Adding Apply Conditional Layout Actions
l Adding Filter Values List Item Actions
l Adding Generate Notification Actions
l Adding Set Date Actions
l Adding Set Values List Selection Actions
Delete an action
If you no longer need an action, you can delete it from the system. Deleting an action removes it
from the Action Library and disassociates it from any rules to which it is linked. You can
disassociate an action from a rule without deleting the action.
1. Go to the Actions tab of the layout that contains the action that you want to delete.



e. Click the Actions tab.
2. In the Action Library section, in the row of the action that you want to delete. click .
3. Click OK.
Apply Conditional Layout Action

The Apply Conditional Layout (ACL) action enables you to configure dynamic record layouts based
on the state of the record. ACL actions only affect view and edit modes. You and application owners
can choose to force sections or fields to display or not display, make fields required, or make
sections or fields read only. ACL actions can be configured to be applied to specific users, groups,
or both so that presentation can vary for different users. Using this action, you can:
l Determine which sections, fields, custom interface objects and text box objects are displayed.
l Override the read/write permissions for fields.
l Set the Required Field status for fields.
l Assign specific users, groups, and fields to the actions so that the presentation can be different to
different users.
l Exclude users, groups, or fields from viewing the layout.
Example: ACL action

The following table describes ACL action.
Action Description
ACL The ACL action has a Record Permissions field selected with a default value of
Action User A.
Setup

Action Description
Initial When the record is initially created, there is no value committed in the database for
Record the Record Permissions field. The ACL action does not apply to any users.
Creation
Post- After the record is saved, User A is committed in the database for the Record
Record Permissions field. The ACL action is applied only to User A.
Creation
With the exception of Required field settings, ACLs serve only as a cosmetic treatment to ease data
entry and viewing a form in a particular application or questionnaire. Fields that are hidden by an
ACL action are still available in search results and filters for defining reports, searches, and
notifications. Data that is hidden by an ACL action to a user cannot be printed or exported by that
user. Field access permissions are still applied for printing and exporting.
The Layout Configuration section enables you to select which sections and fields in the application
to display as a result of this action.
Key things to consider

When working with this section, keep the following things in mind:
l The key icon indicates a key field and the calculator icon indicates a calculated field.
l The user must have edit privileges to edit a field. The settings on this page do not grant edit
privileges to an account that does not already have those privileges.
l Be careful if choosing to hide a required field. The field is still required, even if it is not
displayed.
l The settings in this section do not change the layout of the page. To change the layout, use the
Layout tab of the Manage Application page.
l If the layout of the application has multiple tabs, the Layout Configuration section includes
multiple tabs.
l Placeholders may still be displayed for a screen object even though the object is not displayed.
Adding Apply Conditional Layout Actions
An Apply Conditional Layout action modifies the elements that display within a record and adjusts
the properties of specific fields.
Important: If a field with a base setting of Required is not visible to the user, the user cannot save
the record. To solve this, either modify the application to display the required field for the user, or
change the field settings so that it is no longer required.

After the action is saved, you can link the action to the applicable rule. The relationship between
rules and actions are specified on the Manage Action page. If the action has been linked to a rule,
the associated rules are listed in the Associated Rules section.
1. Go to the Actions tab of the layout that you want to update.

layout with which you want to associate the action.
2. In the Action Library section, click Add New.

l To add a new action, click Create a new Action from scratch and click Apply Conditional
Layout from the Available Actions list.
l To add an action from an existing action, click Copy an existing action and select the ACL
action you want to copy from the Available Actions list.
4. Click OK.
5. In the General Information section, enter the name and description for this action.
6. In the Layout Configuration section, do the following:
a. Select the sections that you want to display.
b. For each section that you display, select the fields that are required, read only, or hidden. The
options available may vary for different types of fields.
7. In the Qualified Users/Groups section, select the users, groups, or fields that you want to include
or exclude from this conditional layout.

Apply Conditional Layout Rules
Sections and fields that are hidden by an ACL action are still available in search results and filters
for defining reports, unless otherwise controlled by field permissions. If a field contains multiple
conflicting Apply Conditional Layout actions, RSA Archer executes the action that is highest in the
following order of precedence:
1. Section-level Read Only
2. Section-level Display*
3. Section-level Do Not Display
4. Section-level Use Default Settings
5. Field-level Required
6. Field-level Read Only
7. Field-level Display
8. Field-level Do Not Display
9. Field-level Use Default Settings
*When a Section-level Display action takes precedence, field-level settings are respected. For
example, if an action sets a section to Do Not Display and another action sets a field within the
section to Read Only, the section is not displayed because the section-level Do Not Display setting
takes precedence.
Section-Level options
Sections determine how fields are organized on the layout of an application or questionnaire. A
section-level option can override a field-level option.
The following table describes section-level options.
Option Description
Use All fields and objects in the section are displayed. Individual fields and objects in the
Default section can have field-level options configured.
Settings
Display All fields and objects in the section are forced to display (subject to the user having field
permissions to that field). Individual fields and objects in the section can have field-level
options configured.

Option Description
Read All fields in the section are displayed as read only and are not available for editing.
Only Affects all of the fields in the section, but does not impact the non-field objects in the
section, such as custom interface and text box objects. Individual fields in the section
cannot have field-level options configured. Objects in the section function as originally
configured.
Do Not All fields and objects in the section are not displayed. Individual fields and objects in the
Display section cannot have field-level options configured.
Field-Level options
Fields are defined in an application or questionnaire and then used in an action. Fields are added to
sections on the layout and can be conditionally required or hidden by an ACL action. A section-level
option can override a field-level option.
Example: Field-level option
The following table provides an example of a field-level option.

Field A in Section 1 has a field-level setting of Required.
Scenario
Field A is moved to Section 2 that has a section-level setting of Do Not Display.
The Required setting of Field A is removed, and Field A inherits the Do Not Display
Result
section-level setting.
The following table describes available field-level options.

Option Description
Use Default Field behaves as defined.

Settings
Display Field is forced to display (subject to the user having field permissions to that
field).
Required Field is required.

The Required option is not available for fields that cannot be set to Required in
an application.
Read Only Field is displayed as read only and is not available for editing.
The Read Only option is not available for fields that are inherently read only, for
example, System fields.

Option Description
Do Not Field is not displayed.

Display
Field-level rules
l An ACL action does not give users added field permissions, but it can restrict them. If a field is
set to Display and the user does not have read permissions to the field, the field is still hidden
from the user. If a user has full permissions to a field that is set to Read Only in an ACL action,
the user cannot modify the field.
l If a field is not displayed because of an ACL action, a user with field permissions can still search
the field and functions, such as data feed, and Web APIs can still reference the field.
l A field that is defined as required in an application can be set to one of the following options: Use
Default Settings, Display, Do Not Display, and Read Only. If a required field is set to Read Only
or Do Not Display and is hidden, the field is still required and a user cannot save the record.
l For the user to save the record, do either of the following:
o Modify the ACL action to display the field.
o Change the field in the application so that it is not required.
l Text box objects, custom objects, and trending charts have the following options: Use Default
Settings, Display, and Do Not Display. Placeholder objects cannot be modified by an ACL action
and do not have any available options.
l Changes to an application can affect previously configured field-level options. If a field with
field-level options is moved to a new section, the field-level options are evaluated according to
ACL Conflict Resolution rules of precedence. Specifically, field-level options are affected when
the new section has section-level options that are more restrictive than the field-level options of
the field.

User/Group access rules

An ACL action must have at least one user, group, or field (user/groups or record permissions)
specified to save the action. The specified user, group, or field determines to which users the ACL
action applies. If one or more of the following conditions are true, the ACL action is applied for a
user:
l The user is directly specified in the ACL action.
l The user is a member of a group specified in the ACL action (or is a member of a descendant
group if the Cascade option is specified).
l The user or a group of which the user is a member is specified in a User/Groups List or Record
Permissions field that is specified in the ACL action.
When a User/Groups List or Record Permissions field is selected in an ACL action, only the data
committed in the database is used for determining whether an ACL action is applied to the specified
user.
Users, groups, or fields can be excluded from viewing the layout. The ACL action is not applied to
any user, group, or field that is excluded.
Exclude user/group/field rules

The Exclude option enables administrators to exclude users, groups, or fields from an Apply
Conditional Layout (ACL) action. At least one user, group, or field must be included. The Everyone
group cannot be excluded. If a user, group, or field is explicitly selected for exclusion, the user,
group, or field will be excluded.
The following table describes rules. These rules are applied to each element.
Rule Behavior
Exclude The ACL action will not be applied to a user who is explicitly excluded.
User

Rule Behavior
Exclude The ACL action will not be applied to all users who belong to the group that is explicitly
Group excluded.
The Cascade option is not selected by default.
l If the Cascade option is selected for a group that is included, all users belonging to a
sub-group and any member of the group is included.
l If the Cascade option is selected for a group that is excluded, all users belonging to a
sub-group and any member of the group is excluded.
A user who is explicitly included will be excluded if the group is excluded.

The following table provides an example of excluding a group.
User A is a member of the Audit Management group.
Scenario User A is selected for inclusion in the ACL action.
The Audit Management group is selected for exclusion in the ACL action.
The ACL action does not apply to User A because the Audit Management
Results group is selected for exclusion and User A is a member of the Audit
Management group.
Exclude Any user that is selected in the user/groups list or record permissions field will be
Field excluded if the field is excluded.
A user who is explicitly included will be excluded if the user is selected in the field and
the field is excluded.
When a user/groups list or record permissions field is selected for inclusion or exclusion
in an ACL action, only the data committed in the database is used for determining
whether a user is included or excluded from the ACL action.

Conflict Resolution for Apply Conditional Layout Actions
Multiple ACL actions can apply to the same user at the same time. When multiple ACL actions
attempt to apply conflicting behaviors, RSA Archer executes the action that is highest in the
following order of precedence:
1. Section-level Read Only
2. Section-level Display*
3. Section-level Do Not Display
4. Section-level Use Default Settings
5. Field-level Required
6. Field-level Read Only
7. Field-level Display
8. Field-level Do Not Display
9. Field-level Use Default Settings
*When a Section-level Display action takes precedence, Field-level settings are respected.
Example: Section set to Do Not Display

The following table provides an example of a Section set to Do Not Display.
Action Sets a section to Do Not Display.
1
Action Sets a field in the section to Required.

2
The section is not displayed and the field is not required because Action 1 (section-level
Result
Do Not Display) takes precedence.
Example: Section set to Display

The following table provides an example of a Section set to Display.
Action 1 Sets a section to Display.
Action 2 Sets the same section to Read Only.
Result The section is read only because Action 2 (section-level Read Only) takes precedence.

Example: Section level with precedence

The following table provides an example of a Section level with precedence.
Action Sets a section to Display.
1
Action Sets field X and field Y in the section to Do Not Display.

2
Action Sets field X in the section to Required.

3
The section is displayed, field X is set to required, and field Y is not displayed.
Because Action 1 (section-level Display) takes precedence, the section is displayed and
Result field-level settings are respected.
Because Action 3 (field-level Required) takes precedence over Action 2, Field X is set to
Required. There is no conflict with Field Y, so it is set to Do Not Display by Action 2.
Filter Values List Items Action

The Filter Values List Items action restricts the values available for selection in a values list field to
a subset of the values specified for the field.
Example: Filtering a values list using a filter values list items action
The following table provides an example of filtering a values list using a filter values list items
action.
Field A is a Values List field with the following available values: Red, Orange,
Yellow, Green, and Blue.
Scenario
Action 1 is a Filter Values List Items action that filters the list to Red and Blue.
Action 1 is linked to Rule 1.
When Rule 1 is true, Field A is automatically filtered to the values of Red and Blue
Result
making them the only values available for selection.
Filter Values List Items rules

l A calculated field cannot be the target of a Filter Values List Items action. If a Filter Values List
Items action is defined and the target values list field is later changed to a calculated field,
RSA Archer deletes the Filter Values List Items action.

l If a child value in a hierarchical values list is selected in a Filter Values List Items action and the
parent value is not, the parent value is displayed after the action is executed but is not available
for selection.
l If a values list field is the target of a Filter Values List Items action and is deleted, the Filter
Values List Items action is also deleted.
l If a value list value is selected in a Filter Values List Items action and is deleted, that value is
removed from the Filter Values List Items action. If that value is the only value selected in the
action, the field is also deleted from the Filter Values List Items action.
l If a values list has an existing selection that is not in the filtered subset of values for the Filter
Values List Items action, the existing selection is removed when the Filter Values List Items
action executes.
Example: Replacing a value in a values list through a Filter Values List Items action
The following table provides an example of replacing a value in a values list through a Filter Values
List Items action.
Field B is a values list field with the available values of Red, Orange, Yellow, Green,
and Blue.
Scenario Field B currently is set to Green.

When Rule 1 is true, the current value (Green) of Field B is replaced by the filtered
Result
values of Red and Blue making them the only values available for selection.
The Cumulative Filters option on the Options window allows Filter Values List Items actions that
target the same field in different rules to have a cumulative effect.

Example: Cumulative filters
The following table provides an example of cumulative filters.

Field C is a values list with available values of Red, Orange, Yellow, Green, and Blue.
Field C currently is set to Orange.
Action 1 is a Filter Values List Items action that filters the list to Red. Action 1 is
linked to Rule 1.
Scenario Action 2 is a Filter Values List Items action that filters the list to Orange. Action 2 is
linked to Rule 2.
Action 3 is a Filter Values List Items action that filters the list to Yellow. Action 3 is
linked to Rule 3.
The Cumulative Filters option is selected.
When all three rules are true at the same time, the following occurs in this order:
1. When Rule 1 is true, the list is filtered to Red being available for selection, and the
current value of Orange is not selected.
2. When Rule 2 is also true, the list is filtered to Red and Orange being available for
Result selection, and the current value of Orange is selected.
3. When Rule 3 is also true, the list is filtered to Red, Orange, and Yellow, making
these values available for selection.
As an end result, the values Red, Orange, and Yellow are available values for selection
and the current selection (Orange) remains selected.
Adding Filter Values List Item Actions
You can create a Filter Values List action that limits the items available in a Values List field. For
example, if a Values List field contains these values by default: Red, Green, Yellow, Orange, and
Blue, you can create a Filter Values List action that excludes Orange and Blue and displays only the
Red, Green, and Yellow values.
If multiple Filter Values List actions target the same field within in the same rule, they have a
cumulative effect. For example, if the example Filter Values List described above is executed, and
then an additional Filter Values List action is executed that displays only Blue, the field displays the
Red, Green, Yellow, and Blue values. However, if the Filter Values List actions are not in the same
rule, the system only executes the Filter Values List action that is highest in the rule order.
You cannot select a calculated values list field. After the action is saved, you can link the action to
the applicable rule. The relationship between rules and actions are specified on the Manage Rules
page. If the action has been linked to a rule, the associated rules are listed in the Associated Rules
section.

1. Go to the Actions tab of the layout that contains the event you want to update.


l If you want to add an action, select Create a new Action from scratch, and click Filter Values
List Items from the Available Action Types list.
l If you want to add an action from an existing action, select Copy an existing action and select
a filter values list items action from Available Action Types list.
4. Click OK.
5. In the General Information section, enter the name and description for this action.
6. In the Values List Filter section, complete the following:
a. From the Field list, select the field that you want to filter by.
b. In the Value(s) field, click to select the values that you want to make available for selection
in the filtered list.
Conflict Resolutions for Filter Values List Items Action
When there are multiple Filter Values List Items actions linked to the same rule, the actions are
cumulative.

Example: Filter Values List Items action linked to the same rule
The following table provides an example of the Filter Values List Items action linked to the same
rule.
Field C is a values list field with available values of Red, Orange, Yellow, Green, and
Blue.
Scenario Action 1 is a Filter Values List Items action that filters the list to Red and Blue.
Action 2 is a Filter Values List Items action that filters the list to Orange and Yellow.
Action 1 and Action 2 are linked to Rule 1.
When Rule 1 is true, Field C is automatically filtered to values Red, Orange, Yellow,
Result
and Blue making them the only values available for selection.
Example: Values list targeted by Filter Values List Item and Set Values List Selection
actions
If multiple Filter Values List Items actions targeting the same values list field are linked to different
rules that are true at the same time, only the Filter Values List Items action linked to the rule with
the highest rule order is applied.
The following table provides an example of the Values list targeted by Filter Values List Item and
Set Values List Selection actions.
Field D is a Values List field with available values of Red, Orange, Yellow, Green,
and Blue.
Scenario Action 2 is a Filter Values List Items action that filters the list to Orange and Yellow.
Rule 1 is ranked higher than Rule 2.
When both Rule 1 and Rule 2 are true at the same time, Field D is automatically
Result
filtered to values of Red and Blue making them the only values available for selection.
Example: Values list targeted by Filter Values List Item and Set Values List Selection
actions
If a Set Values List Selection action and a Filter Values List Items action targeting the same Values
List field are in conflict, only the Filter Values List Items action is applied.

The following table provides an example of the Values list targeted by Filter Values List Item and
Set Values List Selection actions.
Field E is a Values List field with available values of Red, Orange, Yellow, Green,
and Blue.
Action 1 is a Set Values List Selection action that sets the values of Green and Blue.
Scenario
When both Rule 1 and Rule 2 are true at the same time, Field E is automatically filtered
to values of Red and Blue making them the only values available for selection.
The field is also automatically set to a value of Blue. (There is no conflict between
Result
Action 1 and Action 2 for the value of Blue.)
Green is not selected because there is a conflict between Action 1 and Action 2, and
therefore only the Filter Values List Items action (Action 2) is applied.
Generate Notification Action

The Generate Notification action enables administrators to configure an email notification. When a
record is added or updated that meets defined rule conditions, the notification is sent to intended
recipients after the content is saved.
Generate Notification actions differ from other data driven event (DDE) actions in the following
ways:
l Rule order does not affect a Generate Notification action.
l Calculated field values are computed after clicking Save or Apply. The server order of operations
executes Generate Notification actions after the calculated fields are computed and system fields
are updated. When Generate Notification actions execute, the conditions are evaluated against
already calculated values of the calculated fields.
Because Generate Notification actions execute after calculated fields are computed, it is possible to
have two actions (one being a Generate Notification action) linked to the same rule where one
action executes and the other one does not.

The following table provides an example scenario and the result.

Field A is a calculated field with a formula of [Field C] + 1.
Field C has an initial value of 2.
Field B has an initial value of Green.
Scenario Field A has a value of 3 (calculated field: 2 + 1 = 3).
Rule: Field A = 5.
Action 1 is Set Values List Selection that sets Field B to Blue.
Action 2 is Generate Notification.
User edits this record and changes the value of Field C to 4.

The Set Values List Selection action executes before Field A is recalculated. Field A is
3 before being recalculated, and the rule evaluates to false (3 does not equal 5), so
Field B is not set to Blue.
When the user clicks Save, the following occurs:
1. The record is processed.
Result
2. Field A is calculated (4 + 1), and its value is set to 5.
3. The rule evaluates to true, and the Generate Notification action executes. (Set
Values List Selection actions are only executed by user interaction, so the server
does not set Field B to Blue.)
Action 1 did not execute, but Action 2 did execute even though both of these actions are
linked to the same rule.
Note: There is no conflict resolution for Generate Notification actions. These action types are
executed when content is saved for rules that are true.
Generate notification rules

End users cannot subscribe or unsubscribe from generated notifications. Generated notifications are
automatically sent to all of the intended recipients.
Because calculations are done before rules are evaluated, it is possible that a rule is true in
View/Edit mode, but is false when the Generate Notification action is evaluated. This condition is
also the case in reverse.
If multiple Generate Notification actions are linked to rules that are true, saving one record causes
multiple notifications to be sent for the record. Each distinct Generate Notification action causes a
notification to be sent.

Example: Generate notification actions linked to separate rules
The following table provides an example of generate notification actions linked to separate rules.
New Record A is added.
Action 1 is a Generate Notification action with its frequency set to Instantly.
Scenario Action 2 is a Generate Notification action with its frequency set to Instantly.
When Record A is saved and both Rule 1 and Rule 2 are true, two notifications are sent
Result
(one for Action 1 and one for Action 2).
Example: Multiple generate notification actions linked to same rule
The following table provides an example of multiple generate notification actions linked to the same
rule.
Scenario Action 2 is a Generate Notification actions with its frequency set to Instantly.
When Record A is saved and Rule 1 is true, two notifications are sent (one for Action 1
Result
and one for Action 2).
Example: Generate notification action linked to multiple rules
The following table provides an example of generate notification action linked to multiple rules.
Scenario
When Record A is saved and both Rule 1 and Rule 2 are true, only one notification is
Result
sent because both rules are linked to the same Generate Notification action (Action 1).

Adding Generate Notification Actions
You can create a Generate Notification action that delivers alert emails to select users when a
record is added or updated. It can also send reminder emails based on date values. Recipients cannot
opt out of receiving these emails.
To set up a notification from which users can choose to unsubscribe, use the Notifications feature
instead.
Task 1: Add a generate notification action
1. Go to the Actions tab of the layout that contains the event that you want to update.


l To add a new action, select Create a new Action from scratch, and select Generate
Notification from the Available Action Types list.
l To create an action from an existing action, click Copy an existing action and select the
generate notification action you want to copy from the Available Action Types list.
4. Click OK.
5. In the Letterhead field of the Template Design section, select the letterhead for the notification.
6. In the Body Layout field, click to open the Body Layouts dialog box.
7. Select the applicable layout and click OK.
8. Click Apply.
Task 2: Define the content of the notification

You can define the content of a Generate Notification action using static and dynamic content. Static
content is text that remains the same for every notification, while dynamic content is content that

changes based on the unique parameters.

1. Go the Content tab of the Generate Notification action.

e. Click the Actions tab, and select the action.
f. Click the Content tab.
2. In the Template Design section, select the subject and content for the notification.
a. In the Subject line, enter the text you want to show as the subject of the notification.
Note: You cannot include the following fields in the subject line: Attachment, Cross-
Application Status Tracking, Image, Record Permissions, Sub-Form, Questionnaire
Reference, Access History, and History Log.
b. In the Body field, enter the content you want to show in the notification as text or reference
links.
l To enter a field, select the field or template you want for the admin type from the Toolbar
field.
l To enter a report, select the report you want from the Toolbar field.
l To enter a link, select the link you want from the Toolbar field.
You can also include fields (but not reports or links) in the subject line as dynamic information.
To enter a field, place your cursor in the location, click the Select a Field arrow and select the
appropriate field from the list.
3. Click Apply.
Task 3: Define the email properties of the notification
1. Go to the Delivery tab of the Generate Notification action.


e. Click the Actions tab, and select the action.
f. Click the Delivery tab.
2. In the Email Properties section, enter the email properties for this notification.
a. In From Address field, enter the email address from which this notification will be sent.
b. (Optional) In the Alias Field, enter the name you want to use as the sender for the email from
address.
c. (Optional) In the Importance field, select the status you want to associate to this
email: Normal, High, Low.
d. (Optional) In Read Receipt, select whether an acknowledgment is sent after the notification
is opened by the recipient.
l If you want to receive acknowledgment, select Enable Return Receipt.
l If you do not want to receive acknowledgment, select Disable Return Receipt, the default
selection.
3. In the Delivery Schedule section, define the frequency and its values for sending this
notification.
a. In the Frequency field, select the period in which you want to send the notification. Your
selection determines what you do next.
b. Enter the applicable values for the frequency you selected.
Note: Instantly and Reminder are not available for Scheduled Report Distributions.
The following table lists the actions for each frequency.

Frequency Action
Instantly Go to the next step.
Daily a. In Time, set the time that you want to send the notification.
b. In Time Zone, select the Coordinated Universal Time (UTC) time zone.

Frequency Action
Weekly a. In Day, select the day of the week that you want to send the notification.
b. In Time, set the time that you want to send the notification.
c. In Time Zone, select the Coordinated Universal Time (UTC) time zone.
Monthly a. In Day, select the day of the month (1 through 31) that you want to send
the notification. Because not all months have 31 days, you might want to
consider 28 or before.
Quarterly a. In Time, set the time that you want to send the notification.
Note: A quarterly notification is sent on the first day of January, April,

July, and October.
Reminder a. In Time, set the time that you want to send the notification.
c. In Criteria, do the following:
i. In Field, select the date field to be used for evaluating the filtering
condition.
ii. In Operator, select the applicable operator, Equals, Does Not Equal,
Less Than, or Greater Than.
iii. In Day, select the number of days on which to evaluate the
occurrence.
iv. In Target, select After Date or Before Date.
d. (Optional) To add another condition, click Add New and repeat the steps
for adding criteria.
e. (Optional) To delete a criteria row, click .
Note: When you choose Reminder for your frequency, Email Recipients
Options can only be set to Separate Emails.
c. In Digest Content Published, do one of the following for records that satisfy the specified
Notification filter criteria and were generated or changed within the time period as defined
by the Frequency and Time settings:

l Select Any Version to include any records that satisfied filter criteria since the last sent
digest.
l Select Current Version Only to include only records that meet filter criteria at the time
digest notification is sent.
4. Click Apply.
Task 4: Define the recipient rules for the notification

Recipients can be a dynamic or static list based on the notification type. A dynamic list is based on
the values of a Users and Groups list and record permissions or an email address stored in a field.
1. In the Email Recipient Options section, specify whether the notification is sent as separate
emails to each recipient or one email to all recipients.
Send Each Notification As

You can set email recipient options to determine whether you want send a separate notification
email to more than one recipient or send one email to multiple recipients.
The following table describes the properties.
Property Description
Send Each l Separate Emails - Sends a separate email to one or more recipients.
Notification Addressees receive an email that has been customized for permissions,
As culture, time zone, and locale. This option allows you to use only the To field
for recipient email addresses.
l One Email - Sends an identical email to multiple recipients. This option is
primarily intended for a limited number of recipients and is not customized for
permissions, culture, time zone and locale. If there is no content in the
notification that all recipients have permission to view, the notification is not
sent.
This feature allows you to use the To, Cc, and Bcc fields for recipient email
addresses. The maximum allowable number of recipients for this option,
expressed as a total from all three addressee fields, is determined in the
RSA Archer Control Panel.
2. In the Recipients section, do the following for To, CC, and BCC:
a. (Optional) In Dynamic, do one or more of the following:
l Expand the Groups tree and select the groups you want to receive the notification.
l Expand the Users tree and select the users you want to receive the notification.

l Expand the Fields tree and select the fields that contain the dynamic recipient based on
record permissions or email address.
b. Click OK.
c. (Optional) In Static, enter email addresses of the recipients you want to receive the
notification. When entering more than one email address, use a semi-colon to separate the
email addresses of recipients.
3. Click Save.
Set Date Action

The Set Date action enables administrators to specify a value for a date field based on the state of
the record. The end user can then override this value.
Important: When a data driven event includes a rule with a Set Date action and is used in a
questionnaire, the Review Date and Submit Date fields must be included in the General section of
the questionnaire. By default, this section includes these fields.
Set Date options

Option Description
Current Date Sets the date field to the current date (and time to 12:00 A.M., if
enabled).
Set to Number of Days Sets the date field to the current date plus the specified number of days
from Current Date from the current date (and time to 12:00 A.M., if enabled).
Set to Specific Date Sets the date field to the date specified (and time, if enabled).
Set to Date Field to Removes any value currently set in the date field.
Blank
Set Date action rules

l A calculated field cannot be the target of a Set Date action. If a Set Date action is defined and
the target date field is later changed to a calculated field, the Set Date action is deleted.
l If a date field that is the target of a Set Date action is deleted, the Set Date action is also deleted.
l A rule cannot have multiple Set Date actions linked to it that target the same date field.
l A Set Date action replaces any current value specified in the field.
Example: Setting the date through a Set Date action


Field A is a Date field with the date of 12/25/2011.
Scenario Action 1 is a Set Date action that sets the date to 1/15/2012.
Result When Rule 1 is true, Field A is automatically set to a value of 1/15/2012.
Conflict resolution for Set Date

If multiple Set Date actions targeting the same date field are linked to different rules that are true at
the same time, only the Set Date action linked to the rule with the highest ranking in the rule order is
applied.
Example: Set Date action linked to multiple rules
Field B is a Date field.
Action 1 is a Set Date action that sets the date to the Current Date.
Action 2 is a Set Date action that sets the date to 1/15/2012.
Scenario
When both Rule 1 and Rule 2 are true at the same time, Field B is automatically set to
Result
the Current Date.
Adding Set Date Actions
You can create a Set Date action that changes the value displayed in a date field. You can set the
value to the current date, to a number of days from the current date, to a specific date, or set the
field to blank. If the date field is configured to include date and time, you can set the date, time, and
time zone.
You cannot link more than one Set Date action for the same date field in the same rule. If a rule set
has multiple Set Date actions for the same date field, only the first Set Date action is executed.
Important: A calculated field cannot be the target of a Set Date action. If a Set Date action is
defined and the target date field is later changed to a calculated field, the Set Date action is deleted.

Add a set date action



l If you want to create a new action, click Create a new Action from scratch and click Set
Date from the Available Action Types list.
l If you want to create a new action from an existing action, click Copy an existing action and
select the set date action from the Available Action Types list.
4. Click OK.
5. In the General Information section, enter the name and description of this action.
6. From the Field list in the Date Selection section, select the field that you want to modify.

7. From the Date Option list, select the date that you want to insert.
Option Description
Current Date The current date is displayed.
Set to Number of Days In the Future Days field that displays, specify the appropriate
from Current Date number of days in this field.
Set to Specific Date In the Specific Date field that displays, specify the appropriate
date.
If the field is configured for date and time, additional fields
display. Specify the time, if applicable.
Set Date Field to Blank If that field is a required field, the system prompts the user to
insert a date.
8. Click Save.
Set Values List Selection Action

The Set Values List Selection action enables you to specify one or more values for a values list field
based on the state of the record. The end user can then override this value.
Example: Setting values in a values list

The following table describes the example scenario and result.
Field A is a values list field with available values of Yes, No, and Not Applicable.
Scenario Action 1 is a Set Values List Selection action that sets the value to Yes.
Result When Rule 1 is true, Field A is automatically set to a value of Yes.
Set Values List Selection action rules

l A Set Values List Selection action can set No Selection as a value. If you select No Selection,
you cannot select other values for the action.
l A calculated field cannot be the target of a Set Values List Selection action. If a Set Values List
Selection action is specified, and the target values list field is changed later to a calculated field,
the Set Values List Selection action is deleted.
l A rule cannot be set to less than the minimum selections specified for the field. If a rule has a Set
Values List Selection action linked to it that sets 1 field value, but the Minimum Selections setting

of the field is specified as 2, the rule cannot be saved. The existing Set Values List Selection
action must be modified to set a second value, or a second Set Values List Selection action that
sets an additional value must be linked to the rule.
Note: Changing the Minimum Selections and Maximum Selections fields after a rule is defined
does affect the validity of the Set Values List Selection action. These fields can be changed and
then saved without appearing to be in conflict with the action values specified. You must make
certain that all action values match the defined parameters of the rule.
l If a values list field that is the target of a Set Values List Selection action is deleted, the Set
Values List Selection action is also deleted.
l If a Value Lists value is selected in a Set Values List Selection action and is deleted, that value
is removed from the Set Values List Selection action. If that value is the only value selected in
the action, the field is also deleted from the Set Values List Selection action.
l A Set Values List Selection action replaces any current value selected in a field.
Example: Updating a value in a values list

Field C is a Values List field with available the values of Rejected, Approved, and In
Process.
Scenario Field C is currently set to In Process.

Action 1 is a Set Values List Selection action that sets the value of Approved.
Result When Rule is true, Field C is automatically set to the value of Approved.
Conflict resolution for Set Values List Selection action

Example: Set Values List Selection actions linked to same rule
If multiple Set Values List Selection actions are linked to the same rule targeting the same values
list field, the first action replaces the initial setting of the field, and subsequent actions are
cumulative.


Field D is a Values List field with available values of Reason 1, Reason 2, Reason 3,
Reason 4, and Reason 5.
Field D currently has a value of Reason 1.
Action 1 is a Set Values List Selection action that sets the value of Reason 2.
Scenario
Action 2 is a Set Values List Selection action that sets the values of Reason 3 and
Reason 4.
Action 3 is a Set Values List Selection action that sets the value of Reason 5.
Action 1, Action 2, and Action 3 are linked to Rule 1.
When Rule 1 is true, Field D is automatically set to the values of Reason 2, Reason 3,
Result
Reason 4, and Reason 5.
Example: Set Values List Section action linked to different rules

If multiple Set Values List Selection actions targeting the same Values List field are linked to
different rules that are true at the same time, only the Set Values List Selection action linked to the
rule with the highest ranking in the rule order is set.
Field E is a Values List field with available values of Value 1, Value 2, and Value 3.
Action 1 is a Set Values List Selection action that sets the value of Value 1.
Action 2 is a Set Values List Selection action that sets the value of Value 2.
Scenario
When both Rule 1 and Rule 2 are true at the same time, Field E is automatically set to
Result
Value 1.
Adding Set Values List Selection Actions
You can create a Set Values List Selection action that selects one or more specific values within a
values list field. This action changes the default value in the field. The user can edit this value, if
needed. For example, if a values list field has the options Yes, No, and Not Applicable, you can
create a Set Values List Selection action to automatically set the value in the field to Yes.
If multiple Set Values List Selection actions linked to the same rule affect the same values list field,
they have a cumulative effect. For example, if one action sets the value to Red and a subsequent
action in the same rule sets the value to Blue, the final value is Red and Blue.
Important: You can only select a values list field and cannot select a calculated values list field.

Add a set values list selection action



l To add a new action, click Create a new Action from scratch and click Set Values List
Selection from the Available Action Types list.
l To add an action from an existing action, click Copy an existing Action and select the set
values list selection action you want to copy from the Available Action Types list.
4. Click OK.
5. In the General Information section, enter the name and description of the action.
6. In the Values List Selection section, from the Field list, select the field that you want to modify.
7. Click in the Value(s) field to select the value or values that you want displayed for selection.
Note: If you select No Selection, you cannot select other values for the action.
8. Click Save.
Troubleshooting Data Driven Events Using Event Analyzer

The Event Analyzer provides a real-time view of rule evaluations and actions that are applied as a
result of user interaction with the content edit page. The analyzer is only available for applications
and questionnaires that have valid configured Data Driven Events (DDEs). The analyzer only
captures browser-executed actions. It does not analyze Generate Notification actions. The initial
state of the content or server evaluation or processing is not logged to the console window.
Event Analyzer
The Event Analyzer dialog box shows a real-time summary of the rules and actions in an application

and how the conditions are evaluated. The Event Analyzer dialog box shows the following
information:
l Rules evaluated
l Conditions evaluated (true or false)
l Actions executed
Use the Event Analyzer to validate the actions against the conditions of DDE rules in real time. If a
problem is detected, you can make the necessary modifications to the DDE and validate the rule
again until the expected results are achieved.
Any change a user makes to the content that triggers a rule to be evaluated is logged to the analyzer
console window.
The information logged to the analyzer console window includes:
l Any rule that was evaluated.
l The true or false result of each individual filter condition in the rule.
l Any corresponding actions that were applied as a result of the overall rule evaluating to true.
Troubleshoot DDEs using Event Analyzer
1. Open the application that contains the data driven events that you want to troubleshoot.
c. From the applications list, click the application.
d. From the Record Browser, select the record.
2. Display a record in Edit mode.

3. Press CTRL+ALT and click the mouse button.
4. Click Enable to start monitoring data driven event activity.
5. Interact with the record to execute any data driven events within the application.
6. Click Clear at any time to reset the information displayed in the dialog box.
7. When finished, click Disable in the Event Analyzer dialog box.
Note: You can also close the record to automatically disable the monitoring process.

Chapter 8: Layouts
By default, each application and questionnaire contain a Layout tab, which enables users to create a
single layout for an application or questionnaire. When a user adds an advanced workflow to an
application or questionnaire, the Layout tab becomes the Layouts tab, enabling users to create
multiple layouts per application or questionnaire.
From both the Layout and the Layouts tab, you can create an intuitive interface for users as they add
and edit records in an application, questionnaire. You can specify which fields appear on and off the
layout, whether they display in tab sets, sections, supporting text or custom controls.
Note: Sub-forms only have a Layout tab as they do not support the advanced workflow feature.
Other important features on each tab include:

l You can hide fields from the end-user view without deactivating or deleting a field, which can be
especially useful with calculated fields that you want to calculate in the background without
displaying to your users.
l You can define tab sets and specify the default tab to display when users add or edit records.
l You can provide page-level and field-level help using text boxes, which you can place anywhere
on the layout.
l You can use page shading options to further customize the look of individual pages.
l You can use the icons to identify the field type when creating your layout.
Customizing the layout includes:

l Adding Fields to the Layout
l Adding Objects to the Layout
l Adding Tab Sets on the Layout
Adding Additional Layouts

Multiple layouts are available for applications or questionnaires that contain an advanced workflow.
Applications that do not contain an advanced workflow have only a single layout, called the Default
Layout. In order to access the multiple layouts functionality, you must first create an advanced
workflow. When you create an advanced workflow, the Layout tab in the application becomes the
Layouts tab. Multiple layouts can be created from the Layouts tab or from within the Workflow
Process Designer. The multiple layouts functionality enables administrators to present different
information for users depending on which step the user is on in the workflow process. For example,
a Close Incident step may need a layout that shows some limited information about the incident and
asks the user for closure comments.

Important: When modifying layouts from within the Workflow Process Designer, you cannot add
new fields or update existing fields. You can only add or remove existing objects to or from the
layout and arrange existing objects on the layout. If you wish to modify field attributes or add new
fields, you must do this from the Layouts tab.
Add a layout from the Layouts tab
1. Go to the application or questionnaire to which you want to add an additional layout.

2. Create an advanced workflow. For more information, see Create an advanced workflow.
3. Click the Layouts tab.
4. Click Add New.
5. In the Creation Methods section, select a method for creating a layout, and click OK.
6. Complete the General tab.
7. Click Save.
Add a layout from the Workflow Process Designer
1. Go to the application or questionnaire to that contains the advanced workflow to which you want
to add an additional layout.

2. Click the Advanced Workflow tab.

3. Create an advanced workflow. For more information, see Create an advanced workflow.
4. Select the User Action or Wait for Content Update node for which you want to add a new layout.
5. In the Node Properties menu, click .

6. In the Creation Methods section, select a method for creating a layout, and click OK.
7. Complete the General tab.
8. Click Save.

Adding Fields to the Layout

You can drag-and-drop existing fields, or add a new field onto the page layout of applications,
questionnaires, and sub-forms. After you have added a field to the layout area, you can also move it
up or down, from column to column, or from tab to tab. You can also configure the field to span
across multiple columns in the layout.
Important: The designated key field in the application must be on the page layout. Always include
the key field when adding fields on the layout.
Note: If you want a field to remain active, but do not want the field to be visible to users, you can
leave the field in the Available Fields list instead of placing the field on the page layout. For
example, you can have a system field that is referenced in a formula for a calculated field. It would
be important for the field to remain active so the system can continue to populate the value of the
field and use those values in calculations, but you might want to hide the field from your users' view.
Key guidelines for adding fields to the layout

l To drag a field onto the layout, click the field in the Available Fields list and drag it to the
position on the layout you want.
Note: For questionnaires, the Review Date and Submit Date fields must be on the layout to be
updated by the Set Date action of a data driven event. In addition, the Set Date actions for setting
the review date and setting the submit date are created in DDE rules for Set Review Date and Set
Submit Date. By default, the Review Date and Submit Date fields are in the General Information
section of the page layout.
l If you are working in a two-column layout and want a field to span across columns, do the
following:

1. Click the drop down arrow on the field.

2. Select Edit Span Properties and select one of the following options from the Column Span
section.
Option Description
Do not span columns The element consumes only one column of space.
Span two columns The element always spans across the two columns.
3. Select one of the following options from the Row Span section.
Option Description
Do not span The element consumes only one row of space.

rows
Span The element consumes the number of rows you select from the Rows
span box.
Add fields to the layout
1. Open the layout that you want to update.

e. If you have advanced workflow enabled, open the layout that you want to update, and click
the Designer tab.
2. (Optional) For a leveled application, select the data level from the Level list in the left pane for
the layout you want to update.
3. From the Available Fields list, click the field you want on the layout and drag it to the location
you want.
4. Continue this process until all fields that you want are on the layout.

Create a new field from the layout

the Designer tab.
2. In the Available Fields list, click Add New Field.

3. Select the field type.
4. Finish configuring the field based on the field type.
Adding Objects to the Layout

You can drag-and-drop objects, such as fields, tab sets, sections, text boxes, placeholders, custom
objects, and trending charts on the layouts of applications, questionnaires, and sub-forms. After
adding an object to the layout area, you can move the object up or down, from column to column, or
from tab to tab. You can also configure some objects to span across multiple columns in the layout.
Key guidelines for adding objects to the layout

l To move a single object, click the object and drag it to the location you want.
l If you are working in a multi-tab layout and you want to move an object from one tab to another,
click and drag the object to the tab you want.
l If you are working in a two-column layout and want a custom object, placeholder, text box, or
trending chart to span across columns, do the following:

1. Click the drop down arrow on the layout object.

2. Select Edit Span Properties and select one of the following options from the Column Span
section.
Option Description
Do not span columns The element consumes only one column of space.
Span two columns The element always spans across the two columns.
3. Select one of the following options from the Row Span section.
Option Description
Do not span The element consumes only one row of space.

rows
Span The element consumes the number of rows you select from the Rows
span box.
Add tab sets to the layout

Tab sets provide a means for grouping related tabs and fields, especially when there is a large
number of fields, to help users quickly find the fields they need to add or edit in a record.
For more information on adding tab sets, see "Adding Tab Sets to the Layout" in the RSA Archer
Add sections to the layout

Add sections as headings to group related fields together. For example, create a section called
“Contact Information” to group together a contact's phone, fax, and email information.


e. If you have Advanced Workflow enabled, open the layout that you want to update, and click
the Designer tab.
2. In the left pane, expand the Add New Layout Object list.
3. Click and drag the Add Section option to the layout area.
4. In the Section Name field, enter the heading that you want to display in the layout.
5. In the Default Visibility field, select the Expanded or Collapsed option depending on whether you
want the section to be expanded or collapsed by default.
6. (Optional) Do one or both of the following to add panel text or help text to the section:
l To add an information panel to provide your users with additional details about the section,
select Panel Text and enter the text that you want to display.
l To add Help text to provide your users with detailed instructions and background information
about the section, select Help Text and enter the text that you want to display.
7. (Optional) Customize your text and add dynamic elements, such as images and Flash animation,
using the options available in the Rich Text Editor toolbar.
8. Click OK to close the Section Description dialog box.
Add text boxes to the layout

Text boxes provide guidance or additional information that users need to successfully interact with
fields.

the Designer tab.

4. Click and drag the Add Text Box option to the layout area.
5. In the Text Box Name field, enter a name for the text box.
6. In the Text field, enter the text that you want to display in the text box when it is displayed for
users as they add, edit, or view records.
7. Select one of the following options.
Field Description
Edit Mode Displays the custom object when editing a record.
View Mode Displays the custom object when viewing a record.
Both Displays the custom object when viewing or editing a record.
8. Click OK.
Add placeholders to the layout

Placeholders create space between other layout objects, such as fields, sections, text boxes, and
custom objects.

the Designer tab.

4. Click and drag the Add Placeholder option to the layout area.
Add custom objects to the layout

Custom objects enable you to enter code you have written to create buttons or other objects. For
example, you can create Next and Previous buttons using JavaScript code so that your user can click
to move from tab to tab when adding or editing records.
Note: RSA recommends that only trusted administrators create and edit custom layout objects, as
this flexibility introduces a potential attack vector.

the Designer tab.
2. If you are working in a leveled application, from the Level list in the left pane, select the data
level that contains the layout you want to manage.
The fields and other page elements for that level are displayed in the layout area and in the
Available Fields list.
4. Click and drag the Add Custom Object option to the layout area.
5. In the Name field, enter a name for the custom object.
This name is displayed on the Layout tab of the Manage Applications or Manage Questionnaires
page, but it is not displayed for users when they add, edit, or view records in the application.
6. In the Description field, enter a description for the object.
7. In the Code field, enter or paste the HTML or JavaScript code for the object.
8. In the Display section, select one of the following modes for the object to be displayed as users
add and edit records in the application.


Field Description
Edit Mode Displays the custom object when editing a record.
View Mode Displays the custom object when viewing a record.
Both Displays the custom object when viewing or editing a record.
9. Click OK.
Add trending charts to the layout

On a trending chart, you can view historical data for a Numeric or Values List field that has trending
enabled, in order to identify patterns in the data for a specified period of time. Trending charts must
be added to another container object, such as a section.

the Designer tab.
3. Click and drag the Add Trending Chart option to the layout area.
4. In the Name field, enter the heading that you want to display in the layout.
5. From the Trending Field list, select the trending-enabled field for which to display chart data.
6. (Optional) In the Show Title field, click the Display the chart name as the title when users open
the application or questionnaire.
7. Click OK.


Add report objects to the layout

Report Objects allows you to embed reports directly within records. The system applies default
filters based on the filters used to create the base report. However, administrators can override
default filters, as well as the advanced operator logic. When viewing a report object record, users
can click on the report, which opens a new search results page with the filters already applied.
Based on user permissions, users can modify the report.

the Designer tab.
3. Click and drag the Add Report Object option to the layout area.
4. In the Name field, enter a name for the report object.
Note: This name displays on the Layout tab of the Manage Applications or Manage
Questionnaires page, but does not display for users when they add, edit, or view records in the
application.
5. In the Description field, enter a description for the record object.

6. Under Report Selection, select the report from the Available Reports column.
Note: Only one report can be selected.
Note: Only global and search based reports are available for selection.
7. (Optional) Add or update filter options for how you want to view the report.
Note: If the selected report has default filters, they are automatically populated as existing
filters.

a. In the Field to Evaluate field, select the field to evaluate for one or more specific values.
b. In the Operator column, select the filter operator. For more information, see "Report
Operator Field Types" in the RSA Archer Online Documentation.
c. In the Value(s) column, select the values for the condition. Depending on the operator type,
the selection can be a value or a field.
d. (Optional) To create additional conditions, click Add New and repeat steps a-c.
e. (Optional) If you create more than one condition, apply logic to your filter criteria in the
Advanced Operator Logic section. For more information, see "Advanced Operator Logic" in
the RSA Archer Online Documentation.
8. In the Load Report section, select one of the following modes for the report object to be
displayed as users add and edit records in the application.
The following table describes the modes.
Field Description
Immediately Displays the report object when the page loads.
On Demand Displays the report object on user click.
9. In the Display section, select one of the following modes for the record object to be displayed as
users add and edit records in the application.
The following table describes the modes.
Field Description
Edit Mode Displays the report object when editing a record.
View Mode Displays the report object when viewing a record.
Both Displays the report object when viewing or editing a record.
10. Click OK.

Adding Tab Sets on the Layout

Tab sets provide a means for grouping related tabs and fields, to help users quickly find the fields
they need to add or edit in a record.

Note: If a user does not have access to any of the fields on a tab, the tab is not displayed when the
user adds or edits records. Using data driven events, tabs can be dynamically shown or hidden based
on the current state of content, including nested tabs. When a data driven event hides all sections on
a tab, the tab is also hidden.
Important: If you want to add a new section to the layout and give it the same name as a new tab
set, you must add the section before you add the tab set.
Add a new tab set on the layout

b. Under Application Builder, click Applications, Questionnaires, or Sub-Form.
the Designer tab.
2. Add placeholders to the layout.

l For the application, questionnaire, or sub-form, continue to the next step.
l For a leveled application, select the data level from the Level list in the left pane that contains
the layout that you want to manage. The fields and other page elements for that level are
displayed.
4. Click and drag the Add Tab Set option to the layout area.
5. In the Tab Set Name field, enter a name for the tab set.
6. From the Height list, select one of the following options:
l To use default height settings for the tabs in the tab set, select All from the Height list, and
click OK.
l To select the height in pixels for the tabs in the tab set, select the value, and click OK.
7. Drag and drop the tab on to the Layout tab to arrange tab sets on the page:
a. In the layout section, click the tab set that you want to move and drag it to its new location.
b. Arrange the tab sets until they are displayed in the correct order.


Add tabs to a tab set

The default tab is the first tab your users see when they add or edit records. It does not have to be
the first tab in the tab set. If a user does not have access to any of the fields on the default tab, the
default tab is not displayed and the tab that has the key field on it is displayed as the default.

the Designer tab.
2. Add placeholders to the layout:

displayed.
3. Click the New tab in the tab set that you added.
4. In the Tab Name field, enter a name for the tab
5. (Optional) In Default Tab field, click Display this tab by default when users first access the page
to display a tab by default when users open the application, questionnaire, or sub-form.
6. Click OK.
Add fields to a tab set


.
b. Under Application Builder, click Applications, Questionnaire, Sub-Forms.
the Designer tab.
2. Add placeholders to the layout.

displayed.
3. Add a section to the tab.
4. Drag and drop the fields on to the Layout page to add fields.
5. Arrange the fields until they display in the correct order.
Report Object Operator Types

You can use a variety of filter operators, such as Equals and Contains, to filter your results to only
the information you want. You can build filters through a series of conditional statements. Filter
values are not case sensitive. For more information on what fields can be used with which operators,
see Report Object Filters. Additionally, you can then relate your statement through the use of
advanced operator logic.
The following table describes the report object operator types.
Operator
Description
Type
Contains Includes any record that has a value that matches the specified filter values.

Operator
Description
Type
Contains Includes any record with a value within a specified hierarchical global values list
Inclusive value. This operator considers the entire hierarchy below the value specified as a
match.
For example, if using a values list for Location that has three levels (Country >
State/Province > City) and you want to find all records in Missouri, Contains Inclusive
United States > Missouri returns the results:
l United States, Missouri
l United States, Missouri, Kansas City
l United States, Missouri, St. Louis
l United States, Missouri, Columbia
Does Not Includes any record that does not have a value that matches the specified filter values.
Contain
Does Not Includes any record that does not have a value within a specified hierarchical global
Contain values list value, and also excludes the entire hierarchy below the value specified.
Inclusive For example, Does Not Contain Inclusive United States > Missouri returns any
selection at the Country, State, City level not under Missouri.
Equals Includes records with values that exactly match to the specified filter values. For
Date fields, date and time values can be included in the filter.
Does Not Includes only the records with values that do not match the specified filter values. For
Equal Date fields, date and time values can be included in the filter.
Current Includes only records of the current interval. Available intervals include:
l Minutes
l Hours
l Days
l Months
l Quarters
l Years

Operator
Description
Type
Last Includes records based on the selected interval previous to the current interval.
Available intervals include:
l Minutes
l Hours
l Days
l Months
l Quarters
l Years
This filter does not include records of the current interval. For example, if you filter
"Last" "3" "Days", the results include the previous three days, but do not include the
current day. To include the current day, add another filter condition to the search
criteria that includes the "Current" "Day".
Next Includes records based on the selected interval after the current interval. Available
intervals include:
l Minutes
l Hours
l Days
l Months
l Quarters
l Years
This filter does not include records of the current interval. For example, if you filter
"Next" "3" "Days", the results include the next three days, but do not include the
current day. To include the current day, add another filter condition to the search
criteria that includes the "Current" "Day".
Greater Includes only records with values greater than the specified static filter value. For
Than example, when the Field to Evaluate is a date, and the Operator is Greater Than, the
Value is a specific calendar date.
For Date fields, date and time values can be included in the filter.
Less Than Includes only records with values less than the specified static filter value. For Date
fields, date and time values can be included in the filter.

Operator
Description
Type
Between Includes only records with values within the specified date range, or date and time
range, including the date and time selected.
Time Includes only records with values within the specified time range. Dates can also be
Interval specified to further filter the search. Search results include the selected times and
dates.
After Includes records of all dates after the current day, but does not include the current
Today day.
Prior to Includes records of all dates before the current day, but does not include the current
Today day.
Field Includes only records with values greater than the specified dynamic field value.
Value For example, when the Field to Evaluate is a date, and the Operator is Field Value
Greater Greater Than, the Value is a specific field in the record, such as Last Self-
Than Assessment Date.
Field Includes records with values less than the specified dynamic field value.
Value For example, when the Field to Evaluate is a date, and the Operator is Field Value
Less Than Less Than, the Value is a specific field in the record, such as Next Self-Assessment
Date.
Field Includes records in a range defined by two specified field values.

Value For example, if the Field to Evaluate is Annual Loss Expectancy, the Field Value
Between Between operator allows you to choose a range between two values.
Note: Specified field values must be the same type, for example, date to date or
integer to integer.
Field Includes records that match the specified field value in the current record.
Value For example, if the Field to Evaluate is a location, the Field Value Match operator
Match allows you to return only results that match one of a list of specific locations.
Field Includes records that do not match the specified field value in the current record.
Value For example, if the Field to Evaluate is a location, the Field Value Does Not Match
Does Not operator allows you to return results that exclude one of a list of specific locations.
Match

Operator
Description
Type
Field Includes records where any of the values in the Field to Evaluate are also selected in
Value the Value field(s).
Contains For example, if the fields on both sides of the operator are values list fields using a
category list, the report returns any records where the Category field of the related
application (Field To Evaluate) contains at least one of the values specified in the
Value field of the current record.
Field Includes records where any of the values in the Field to Evaluate are not also selected
Value in the Value field(s).
Does Not For example, if the fields on both sides of the operator are values list fields using a
Contain Risk Category list, the report returns any records where the Category field of the
related application (Field To Evaluate) does not contain any the values specified in
the Value field of the current record.
Field Includes any record with a value within a specified hierarchical values list that is
Value found within the current record. This operator allows you to consider the entire
Contains hierarchy below the value specified as a match.
Inclusive
Field Includes any record that does not have a value within a specified hierarchical values
Value list that is found within the current record and also excludes the entire hierarchy
Does Not below the value specified.
Contain
Inclusive
Field For Filter By Record ID - Filter By Record ID is applied against the current record
Value displaying the report object.
Equals For Cross-reference or Related Record, the filter only returns records where the
Current cross-reference or related record field's only selection is the current record displaying
Record the report object.
For example, use this filter to create a report that shows all Risk By Risk Category
for each business process where its parent Business Unit is the current Business Unit
being viewed.
Field Includes any record with values that do not equal a specified value found in the
Value current record.
Does Not For example, use this filter to create a report that shows all Risks By Risk Category
Equal for each Business Process that also shows a breakdown for all other Business Units
Current other than the current Business Unit viewed.
Record

Operator
Description
Type
Field Includes records that have at least the current record selected in the specified
Value reference field or are filtered by record ID.
Contains
Current
Record
Field Includes records that do not have at least the current record selected in the specified
Value reference field or are filtered by record ID.
Does Not
Contain
Current
Record
Field Includes records that match a specified level of a hierarchical values list. The number
Value of operators available is based on the number of levels in the list.
Contains For example, if you use a values list for Location that has three levels (Country,
Depth x State/Province, City) and you want to find all records in Missouri even when a city
within Missouri is selected, Field Value Contains Depth 2 returns records with the
following selections:
l United States, Missouri
l United States, Missouri, Kansas City
l United States, Missouri, St. Louis
l United Stated, Missouri, Columbia
Field Includes any record that does not match a specified level within a hierarchical values
Value list and also excludes the entire hierarchy below the level specified.
Does Not For example, Field Value Does Not Contain Depth United States > Missouri returns
Contain any selection at the Country, State, City level not under Missouri.
Depth x
Report Object Filters
In addition to standard filters, each Report Object field can utilize dynamic filter operators specific
to Report Objects.

The following table provides a list of which filter operators can be applied
to each Report Object field type.
Field Type Filter Operators
Cross-Reference l Contains
l Does Not Contain
l Equals
l Does Not Equal
l Field Value Match
l Field Value Equals Current Record
l Field Value Does Not Equal Current
Record
l Field Value Contains Current Record
l Field Value Does Not Contain Current
Record
Date l Equals
l Does Not Equal
l Current
l Last
l Next
l Greater Than
l Less Than
l Between
l After Today
l Prior to Today
l Field Value Match
l Field Value Between

Filter by Record l Equals

l Does Not Equal
Record
Hierarchical Values List l Contains

l Does Not Contain
l Equals
l Does Not Equal
l Field Value Match
l Field Value Contains Inclusive
l Field Value Does Not Contain Inclusive
l Field Value Contains Depth x
l Field Value Does Not Contain Depth x
IP Address l Equals
l Does Not Equal
l Field Value Match

Numeric l Equals
l Does Not Equal
l Greater Than
l Less Than
l Between
l Field Value Match
l Field Value Between
Record Permissions l Contains

l Does Not Contain
l Equals
l Does Not Equal
l Field Value Match

Related Records l Contains

l Does Not Contain
l Equals
l Does Not Equal
l Field Value Match
Record
l Field Value Contains Current Record
l Field Value Does Not Contain Current
Record
Text l Contains
l Does Not Contain
l Equals
l Does Not Equal
l Field Value Match
User/Groups List l Contains

l Does Not Contain
l Equals
l Does Not Equal
l Field Value Match

Values List l Contains

l Does Not Contain
l Equals
l Does Not Equal
l Field Value Match
Deleting Layouts
Only layouts that were created by a user can be deleted. You cannot delete the Default Layout. To
delete a layout from an application or questionnaire, you must have delete rights to that layout.
Note: You cannot delete a layout if it is currently associated with an advanced workflow node.
1. Go to the Layouts tab of the application or questionnaire from which you want to delete a layout.

b. Under Application Builder, select Applications or Questionnaires.
d. Click the Layouts tab.
2. Select the row of the layout you want to delete.
3. Click .

Chapter 9: Advanced Workflow

In RSA Archer, some types of application or questionnaire records represent ongoing business
processes. For example, a record in the Findings application must be reviewed, responded to, and
closed. The Advanced Workflow feature enables you to manage the lifecycle of records in these
types of applications or questionnaires by visually modeling your business process and tying the
different steps in that process to actions in RSA Archer. For example, an advanced workflow can do
the following:
l Update values in a record.
l Evaluate values in a record in order to determine which path to follow in your process.
l Send a notification.
l Create a task (and tasks created during an advanced workflow can be mapped to the task driven
landing page of a user).
l Display different layouts to your users, based on which step of the process they are currently on.
l Prompt your users to take an action or make a decision in the record.
You can either use the out-of-the-box workflows available in selected applications or create a
workflow unique to your needs. When you create an advanced workflow, you define all the steps
you want the record to go through and choose when to enroll records in the workflow (for example,
when a new record is created or when a user performs some action).
Note: If you make changes to an existing advanced workflow, RSA Archer creates a new version of
the advanced workflow. Newly enrolled items are then enrolled into the new advanced workflow.
For existing enrolled items, an RSA Archer Admin can either let them finish their old advanced
workflow path or use the Job Troubleshooting tool to delete each item from the advanced workflow.
For more information on using the Job Troubleshooting tool, see "Troubleshooting Errors in Running
Workflows" in the RSA Archer Online Documentation.
Note: Applications and questionnaires can have only one advanced workflow, and leveled
applications can have only one advanced workflow per level.
For more information, see "Advanced Workflow" in the RSA Archer Online Documentation.
Terminology
The following table describes the terms that are unique to Advanced Workflow.
Term Description
Process The blueprint for a workflow. The process defines all of the possible paths that a
content record could follow through the steps of your business process.

Term Description
Job A specific instance of a workflow process. A job represents one actual path that a
content record takes through the steps of the business process.
Depending on how you choose to enroll content records into your advanced workflow,
jobs can be created for new records, updated records, or records initiated by the user.
Note: Jobs in an advanced workflow are not related to the RSA Archer Job Engine.
For information about the Job Engine Manager in RSA Archer, see "Configuring the
Job Engine Manager" in the RSA Archer Control Panel Help.
Node A single unit of work (step) in the workflow process.
Transition The path of the workflow from one node to another.
Action Buttons in the content record that prompt end-users for an action or decision and,
buttons when clicked, determine which path in the workflow to follow. Action buttons are
automatically created when you configure transitions out of a User Action node. For
example, you might create Accept and Reject transitions, each of which corresponds
to a different path in the workflow. If a user clicks the Accept action button in the
record, the workflow follows that path.
Action buttons only appear in the content record if the record is in Edit mode.
Custom Additional layouts that display only the information that a user needs while on a
layouts particular step in the workflow process.
Advanced Workflow interface

The Workflow Process Designer is the interface within an application or questionnaire that you use
to create and build advanced workflows.

The interface is made up of the following elements:

1. The Modeler Toolbox contains the nodes and transitions that you can add to your workflow
process.
2. The Advanced Workflow Grid is where you build your workflow process.
3. The Process Properties panel allows you to define which records are enrolled into your workflow
and displays the process ID and version number. To view the Process Properties panel, click
anywhere in the advanced workflow grid.
4. The Node Properties panel allows you to define settings for the selected node. To view the Node
Properties panel, click a node. The available configuration settings depend on the type of node
you select.
5. The Transition Properties panel allows you to define the settings for the selected transition. To
view the Transition Properties panel, select a transition.
6. The toolbar at the top of the interface allow you to save or revert changes, save or print an image
of your process, and activate or deactivate your workflow.
Nodes
Nodes represent a single unit of work (step) in the advanced workflow. For example, the following
simple workflow has three nodes: Start, Stop, and Update Content.

The following table describes node types offered in Advanced Workflow.

Node Type Description
Start Node Marks the beginning of the process. A Start node is required.
Stop Node Marks the end of the process. A Stop node is required.
Text Allows you to add comments to any part of the advanced workflow diagram.
Evaluate Allows you to determine the path of the advanced workflow based on values in
Content the content record.
For example, in a purchase request application, you could create rules so that if
the amount of the request is under $1000, the workflow follows an "Approved"
path, and if the amount is over $1000, the workflow follows an "Escalate to
Manager" path.
Send Sends a notification to alert users of the current workflow state or of a task that
Notification they need to complete.
Update Updates values in content record fields. The Update Content node supports text,
Content numeric, date, values list, and User/Group fields.
User Action Waits for the user to take an action or make a decision.
In a User Action node, action buttons correspond to the outgoing transitions and
are displayed in the content record. For example, If you create Approve and
Reject transitions out of a User Action node, your users see Approve and Reject
buttons in the content record.
Note: Action buttons only appear in the content record if the record is in Edit
mode.
A User Action node can have a task associated with it that appears on the
landing screen of the assigned user. The task link takes the user directly to the
record, and the lifecycle of that task corresponds to the time spent on the
Transition node.
Wait for Should be used in combination with an Evaluate Content node. If none of the
Content rules in an Evaluate Content node are met, you can configure the default
Update transition to go to the Wait for Content Update node. The Advanced Workflow
job stays at the Wait for Content Update node until content is saved by the user
or the delay timeout is reached, at which point it reverts back to the Evaluate
Content node.

Advanced Workflow system fields

When you enable advanced workflow in an application or questionnaire, three system fields are
added by default:
l Workflow Job Status
l Workflow Current Node
l Workflow Process Version
These system fields are added when you enable advanced workflow in an application or when you
upgrade any application that already has advanced workflow enabled. Once advanced workflow is
enabled, these three fields appear in the Available Fields menu and can be dragged on and off a
layout. You can use these fields to identify records based on workflow data, which can help you
make decisions critical to a business process
The fields are read-only and their properties cannot be changed or edited.
You can use these fields as search criteria the same way you do with other fields and system fields.
For example, if you want to generate a list of pending jobs, you can filter your search by Workflow
Job Status.
The following table describes how these fields interact with other functionality.
Functionality Description
Calculated Workflow fields are not supported in calculated fields, even though the system
fields does not prevent you from selecting them. The status of a workflow job could
change while the content record has not been recalculated.
Data-Driven Workflow fields can be used to filter the records sent in a data-driven event.
Events (DDEs) Changes to workflow fields cannot be used to trigger a data-driven event.
Field Audit Workflow fields are not supported in the field audit feature. Even though the
system does not prevent you from selecting them, the results are unpredictable
and not supported.
History Log Workflow fields are supported in the history log field. By default, the advanced
workflow recorded values are disabled. You must enable them in order to record
advanced workflow values in the history log field. The values are recorded by
the system in the history log field according to the retention policy
Notifications Workflow fields can be used to filter the records sent in a notification. Changes
to workflow fields cannot be used to trigger a notification.

The following table describes the individual fields.

Supported
Field Field
Description Search
Name Type
Filters
Workflow The current status of the workflow job for a record. Values l Equals
Job Status Possible values are: List l Not
l Scheduled equals
l Pending l Contains
l Running l Not
l Complete contains
l Failed l Between
Note: This field does not identify where the record is in

the workflow. For example, it does not indicate which
node is active.
Workflow The state of a record in a workflow job (for example, Text l Equals
Current which node is active). This field displays the name of the l Not
Node node. equals
contains
l Not
contains
Workflow The version of the workflow process used to create the Numeric l Equals
Process job when the record was enrolled in workflow. l Not
Version equals
l Greater
than
l Less than
l Between
l Not
between
Bulk Update Jobs rules for Advanced Workflow

l Node IDs determine updates to the job.
l If the current node exists after running Bulk Update Jobs, the job resumes from the current node.

l Node attributes update with the attributes from the process, such as fields in an Update Content
node.
l Existing nodes pick up new transitions when added, including those from Action transition buttons
on the record page
l Transition attributes update with the attributes from the process, such as permissions and rules.
l Nodes added prior to a current node receive the Skipped status.
l When the current node is deleted, then during Bulk Update Jobs the process finds the last
completed node in the completion path and resumes from there. If there are no completed nodes,
then the process resumes from the Start node.
Capturing Advanced Workflow audit data in the History Log

The History Log field type tracks field-level changes for individual records in an application. Users
with access to history log data are able to track advanced workflow transitions by users as well as
the enrollment status history of the content record. By capturing this data, auditors are able to view
an accurate representation of advanced workflow content changes. When viewing a record history,
the advanced workflow auditing data can be viewed in different formats as well as compared to
other record versions. In order to store advanced workflow auditing data, you must do the following:
1. When building Advanced Workflows, enable the recording of advanced workflow audit
information, assign user permissions, and create a retention policy for the data.
2. When adding a History Log field, enable Display Workflow Tracking in the History Log field.
Using Advanced Workflow with Questionnaires

If you are creating an advanced workflow for a questionnaire, keep in mind that questionnaire
records are first saved when a user clicks Apply after selecting the target of the assessment (or
when the campaign creates and assigns the assessments). If you choose to enroll new records, this
means that the record would be enrolled in advanced workflow before the record is first presented to
the user. Keep this in mind as you design the questionnaire and workflow. For example, if you have
any required fields in the questionnaire, and the workflow proceeds through an Update Content node
immediately upon enrollment, the advanced workflow job will enter an error state (unless the
required fields have been populated by the workflow). If the workflow design requires the use of
required fields, one option is to place the workflow into an Evaluate Content...Wait for Update loop,
which can hold the record in that state until a user has populated the fields. Another option is to use
a different advanced workflow enrollment option.
Workflow vs. Advanced Workflow


workflow process.
Using the Advanced Workflow Interface

This topic provides you with basic information about how to use the Workflow Process Designer
interface. For information on building an end-to-end advanced workflow for your business processes,
see Building Advanced Workflows.
Add a node
1. Go to the Advanced Workflow tab in the application or questionnaire.

d. Click the Advanced Workflow tab.
2. In the Modeler Toolbox, select the node type that you want to add.
3. Double-click in the grid where you want to place the node.
4. Complete the Node Properties section. For more information on configuring specific node types,
see Step 2 of Building Workflows.

Draw a transition
1. Go to the Advanced Workflow tab in the application or questionnaire.

2. In the grid, click and drag an arrow from one node to another. Make sure that you click the lower
section of the start node (a hand cursor appears).
3. Complete the Transition Properties section:
a. In the Type field, change the transition type if applicable.
By default, most transitions have a default type of Successful, meaning that if the previous
node is completed successfully, the transition is followed. You can also set transitions
coming from a Send Notification or Update Content node to Always Complete, meaning that
the transition is followed regardless of whether the node was completed successfully. For
example, you may not want to stop a workflow job if a notification fails to send, in which
case you would set the transition to Always Complete. Finally, you can use the Error
transition type if you plan to create an error path. For more information, see "Create error
paths" in Troubleshooting Advanced Workflows.
b. In the Name field, enter a name that reflects the transition that is occurring in your business
process.
Note: To assist in troubleshooting, RSA recommends that you choose a unique name that
reflects the stage in your business process that the node represents.
c. In the Looping transition field, select Yes if the transition loops back to a previous node in
the process. For more information, see "Step 3: Create a looping transition" in Building
Advanced Workflows.
d. For User Action nodes, configure rules and permissions as applicable. See Building
Advanced Workflows for more information.
Change the viewable area of the grid

1. Click anywhere in the grid.

2. Do any of the following:

l Zoom in or out:
o Using keyboard shortcuts:
n To zoom in, click Ctrl+Plus Sign (+)
n To zoom out, click Ctrl+Minus Sign (-)
o Use the scroll option on your mouse or touch pad.
l To move the viewable area to the right, press → (or press End to jump all the way to the
right).
l To move the viewable area to the left, press ← (or press Home to jump all the way to the
left).
l To move the viewable area up, press ↑ (or press PageUp to jump all the way to the top).
l To move the viewable area down, press ↓ (or press PageDown to jump all the way to the
bottom).
l To move the viewable area in any direction, click and drag the grid.
Maximize or restore the Workflow Process Designer
1. From the top row of the Workflow Process Designer, click .

2. Select Maximize Designer or Restore Designer.
Note: To quickly restore the designer, click Shift+ESC.
Move elements in the grid

1. To move the entire process, click the grid, click Ctrl+A to select all of the elements in the
advanced workflow, hover over the top section of a node (a 4-arrow cursor appears) and then
drag them to the preferred position.
2. To move a single node or transition, click the transition or the top section of the node (a 4-arrow
cursor appears) and drag the node or transition into the preferred position.
Delete elements from the workflow
Note: Delete existing nodes and transitions before you add new ones.
1. Select the node or transition that you want to delete.
Note: You can also press Ctrl+A to select everything in the diagram, or press Shift to select
multiple nodes and transitions.

2. On your keyboard, press Delete.

3. Click Yes to confirm that you want to delete the selected content.
Save workflow with a comment

Adding a comment when you save changes to a workflow can help you determine which version of a
workflow to roll back to, if necessary.
1. From the top row of the Workflow Process Designer, click drop-down menu to the right of
.
2. Click Save with Comment.
3. Enter your comment, and click Save.
Note: You are limited to 64 characters.
Revert unsaved changes

When you click Revert, the Workflow Process Designer reverts your diagram to the most recently
saved version and discards any unsaved changes.
2. Click Revert.
Rollback to an earlier version
Note: Rules on the Evaluate Content node do not carry over after a rollback completes.

2. Click Rollback.
3. Select the version that you want to roll back to.
4. Click Rollback.
5. When prompted, confirm that you want to continue.
Bulk update jobs

The bulk update jobs feature gives you the ability to update existing advanced workflow jobs to
reflect changes made to the advanced workflow process.
Note: RSA recommends using the bulk update jobs feature when there are no pending unsaved
changes.


2. Click Bulk Update Jobs.
Note: Only one update can run at a time. If an existing update is currently running, a warning
dialog box is displayed.
3. If the workflow has changed since the last save, a dialog window appears with three options to
continue. Do one of the following:
l Click Yes to save.
l Click No to continue without saving.
Note: The Workflow Process Designer does not revert unsaved changes. The unsaved
changes remain on the screen until the user reverts or navigates away from the Workflow
Process Designer.
l Click Cancel to abort the update.

4. A warning appears indicating the number of affected jobs that are not running the current version
of the advanced workflow process. If you understand the risks, select the checkbox and click OK
to bring up the Status window.
Note: If there are no jobs on the current version, a dialog box appears indicating no work needs
to be done. Close the window to return to the Workflow Process Designer.
5. The Status window appears with a progress bar to track the progress of the update. Do one of the
following:
l Click Details to get a detailed report about the update.
l Click Close to close the Status window.
l Navigate away from the Status window.
Note: You cannot return to the Status window once you close it or navigate away from it.
Note: View your bulk action history for details on your update. Click the Export button to download
the Bulk Update Jobs Detailed report listing record details. The details on the update are stored for
365 days after creation.
Print or save an image of the workflow

2. Click Print/Save Image.


l To print your workflow, select the display settings you want to use, and click Print.
l To save an image of your workflow, right-click the image, and click Save As. Enter a name
for the image and choose a location, and click Save.
Keyboard shortcuts
If you are using a Mac, use the Command key instead of the Control key as the modifier.
The following table describes available keyboard shortcuts.
Key Description
← ↑ ↓ → (arrow keys) Moves the viewable area one square at a time, in the
direction of the selected arrow.
Ctrl+Plus Sign (+) Zooms in on the entire diagram.
Ctrl+Minus Sign (-) Zooms out on the entire diagram.
Ctrl+0 Resets zoom to the original size.
Ctrl+A Selects all objects (nodes and transitions).
Del Deletes selected objects.
Home Moves the viewable area to the left.
End Moves the viewable area to the right.
PageUp (Ctrl+Home) Moves the viewable area up.
PageDown (Ctrl+End) Moves the viewable area down.
Shift-Z Invokes "zoom to fit"; repeat to return to original position.
Planning and Deploying Advanced Workflows

Before you start building an advanced workflow in an application or questionnaire, RSA
recommends that you plan out your workflow in advance and consider the following best practices.
Note: If you are planning an update of an existing advanced workflow, see Deploying Updates to
Advanced Workflows.

Overall deployment process

The following table describes the three phases RSA recommends you approach in creating and
deploying advanced workflows.
Phase Location Steps
Develop Development 1. Plan your advanced workflow process. See the following sections in
environment this topic.
2. Build the workflow in the application or questionnaire. See Building
Advanced Workflows.
Test Development 3. In the application or questionnaire, create several test records, move
environment them through the steps of the workflow, and verify that each action
you take in the workflow has the intended result.
You can use the Job Troubleshooting tool to see what happens to
each job as it progresses through the workflow. For more information
on job states and resolving errors, see Troubleshooting Advanced
Workflows.
4. Package the application or questionnaire. See Creating Packages.
Deploy Production 5. Install the package. See Installing Packages.

environment 6. Review and activate the workflow. See Activating and Deactivating
Advanced Workflows.
7. Educate your end users on which steps of the workflow they are
responsible for.
Plan your advanced workflow (outside of RSA Archer)

Before you start building an advanced workflow in an application or questionnaire, RSA
recommends that you first plan out the following elements:
Note: You may want to create a swimlane diagram or whiteboard your process.
1. The steps in your process and the nodes you need accomplish those steps.
2. The transitions between steps.
3. The users and groups who will be involved in the process and what level of access they require
for different steps.
4. For notifications that you plan to send, who should receive the notifications and what content the
notification should contain.
5. For nodes that can use custom layouts, what content you want your users to see.

Prepare prerequisite elements in RSA Archer

1. Create any on-demand notifications templates that your workflow requires.
2. (Optional) Create any custom layouts that you need for User Action or Wait for Content Update
nodes.
If your custom layouts are similar to your default layout, you may find it easier to copy the
default layout and modify the copy.
Note: In order to create additional layouts, you must first turn on advanced workflow in the
application or questionnaire. Go to the Advanced Workflow tab and click Click here to create a
new workflow.
Building Advanced Workflows

Advanced workflows are customizable processes that control the life cycle of a record within an
application or questionnaire. An application or questionnaire can have only one advanced workflow,
and a leveled application can have only one advanced workflow per level. Only RSA Archer
Administrators and Application Owners with access rights to the Advanced Workflow feature can
create advanced workflows.
Before you begin
Plan your advanced workflow.
Task 1: Enable advanced workflow in the application or questionnaire
Note: Users can only complete a step in an advanced workflow to which they are assigned if they
have access rights to the associated records. For information on access roles, see Access Roles.
1. Go to the Advanced Workflow tab of the application or questionnaire.

2. Click .
3. Determine when and how records are enrolled in the advanced workflow. In the Process
Properties panel, in the Content Enrollment section, select one of the following options.


Option Description
New Each newly created record is enrolled in the advanced workflow process.
Records
Note: If you are creating an advanced workflow for a questionnaire, keep in mind
that questionnaire records are first saved when a user clicks Apply after selecting
the target of the assessment (or when the campaign creates and assigns the
assessments). If you choose to enroll new records, this means that the record would
be enrolled in advanced workflow before the record is first presented to the user.
Keep this in mind in the further design of the questionnaire and workflow. For
example, if you have any required fields in the questionnaire, and the workflow
proceeds through an Update Content node immediately upon enrollment, the
advanced workflow job will enter an error state (unless the required fields have
been populated by the workflow). If the workflow design requires the use of
required fields, one option is to place the workflow into an Evaluate Content...Wait
for Update loop, which can hold the record in that state until a user has populated
the fields. Another option is to use a different advanced workflow enrollment option.
Updated Records are enrolled in the advanced workflow process after they are updated and
Records saved.
User A record is enrolled in a workflow only if the user clicks a specific button. You can
Initiated also choose to configure a rule that defines the conditions under which the record
can be enrolled (for example, if Values List Field A contains value B) and you can
set permissions to determine which users or groups have access to the button in the
UI to enroll the record (for example, only a Record Creator can enroll the record).
l If you selected User Initiated, do the following:

a. Enter a label for the record enrollment button in the Button Text field.
b. (Optional) Configure rules.
i. In the Rule section, click . The Manage Rule: (New) window appears.

ii. In the General Information section, enter a name and description for the rule.
iii. In the Status field, ensure that Active is selected.
iv. In the Criteria section, select which field to evaluate, an operator, the value or values
to match, and (if applicable) the relationship to the subsequent row of filter criteria.
Each row represents one set of filter criteria.
v. (Optional) To add additional rows for specifying more filter criteria, click Add New.

The system automatically renumbers the criteria rows, but you may need to modify any
vi. Click Save.
vii. For each additional outgoing transition from the User Action node that you want to
create a rule for, repeat steps i - vi.
Note: A rule can be edited or deleted by hovering over the corresponding icons next to
the rule name.
c. (Optional) Configure permissions.
i. In the Permission section, click .

ii. In the Available list, expand the Fields, Groups, or Users tree and click the users or
groups you want to assign.
Note: To search for a specific user or group, enter the name in the Find field and, if
applicable, select the type from the adjacent list. Click . The results of your search
appear in the Available list in the Search Results node.
iii. Click Add.
Note: You can edit or delete permissions by hovering over the corresponding icon next
to the permission name.
l If you selected Updated Records or User Initiated and you want to allow records to be able to
go through the workflow more than once, in the Settings section, select Allow Re-enrollment.
4. (Optional) If you plan to use Advanced Workflow to send notifications or create tasks for users,
do the following:
a. Click the General tab.
b. In the Options section, do the following:
i. To enable notifications, select the Notifications checkbox.
ii. To enable tasks, select the Task Management checkbox.
5. (Optional) If you want the system to record Advanced Workflow audit information in a history
log field, do the following:
a. In the Audit Settings section of the Properties Panel, select Enable Workflow Auditing.
Note: If you disable Enable Workflow Auditing, the advanced workflow audit information is
deleted from the history log, but not immediately. The information is deleted the next time the
ContentWorkflowAuditCleanup job runs.

b. (Optional) Configure Permissions.
i. In the Permission section, click .

ii. In the Available list, expand the Fields, Groups, or Users tree and click the users, groups,
or fields you want to assign.
applicable, select the type from the adjacent list. Click . The results of your search
appear in the available list in the Search Results node.
iii. Click Add.
Note: You can edit or delete permissions by hovering over the corresponding icon next to
the permission name.
c. (Optional) To set a retention policy, select Enable Retention Policy.

i. Select the method of retention.
Option Description
By The advanced workflow auditing information is stored by a selected number

Days of days.
By Jobs The advanced workflow auditing information is stored according to a selected

number of workflow jobs.
A workflow job is one full enrollment, processing, then exiting workflow on a
record. Records can be re-enrolled unlimited number of times if the option is
enabled.
If one of the record processes has not completed, the information in that
active process will not be cleaned up when the
ContentWorkflowAuditCleanup job runs.
ii. Select the numerical value of retention.
Task 2: Add and configure nodes and transitions

A node represents a step in your advanced workflow process. RSA Archer offers different node
types for different types of actions, for example, updating record content or sending notifications.
Note: With the exception of the Start and Stop nodes, you can add any of the following nodes your
business process requires and in any order necessary.

Add a Start node.
1. In the Standard section of the Modeler Toolbox, click Start.

2. In the grid, double-click where you want to place the node.
3. Add the next node in your process, and then connect the two nodes with a transition.
Add a Stop node.
Note: All nodes except for the stop node require outgoing transitions before you can save the
advanced workflow. As you configure other node types, you can create outgoing transitions from
those nodes to a stop node, which allows you to save your work in progress.
1. In the General section of the Modeler Toolbox, click Stop.

2. In the grid, double-click where you want to place the stop node.
3. Draw an incoming transition from the previous node.
4. To validate your workflow, and save your changes, click .
Add an Update Content node.

When Advanced Workflow updates a record field, it supports the following data-driven event (DDE)
actions:
l Apply Conditional Layout
l Filter Values List Items
l Generate Notifications
The following actions are not supported:

l Set Value List Selection
l Set Date
To add an Update Content node:

1. In the General section of the Modeler Toolbox, click Update Content.

3. In the Node Properties panel, in the Name field, enter a unique name that reflects the step in
your business process that the node represents.
Note: Assigning unique names for each node (across all advanced workflows) allows you to
search and report against the current node name.
4. To update Text, Numeric, Date, and Values List fields, do the following:
Important: If an Update Content node is configured to set a Values List field, and a data driven
event is also configured to set the same Values List field, the advanced workflow settings take
precedence. Additionally, if you configure the Update Content node to update a Text field, all
text added by a user will be overwritten by the advanced workflow settings.
a. In the section for the field type that you want to add, click .
b. From the Field list, select a field.
c. Enter or select a value for the field.
d. (Optional) To add additional fields of the same type, select the Add Another checkbox.
e. Click Add.
f. If you selected to add another field repeat steps b, c, and e.
5. To update User/Groups fields, do the following:
a. In the User/Groups Fields section, click .

b. From the Field list, select a field.
c. Under the Available section, expand Users or Groups and select the applicable user or group.
Note: You can also use the Find field to search for a specific user or group.
d. (Optional) To add additional fields, select the Add Another checkbox.

e. Click Add.
f. If you selected to add another field, repeat steps b,c, and e.
6. After you have added the next node in your process, draw an outgoing transition from your
Update Content node.
By default, the transition type is Successful. If you want the process to always move to the next
node, regardless of whether the content is successfully updated, select Always Complete
instead. If you want to create an error path in your process, see "Create error paths" in
Advanced Workflow Troubleshooting.

7. To validate your workflow and save your changes, click .
Add a Send Notification node.
Important: The Send Notification node requires an on-demand notification template that is
associated with the application or questionnaire in which you are creating an advanced workflow. If
you do not already have an on-demand notification template associated with the application or
questionnaire, you must first create one. For information on notifications, see Notifications.
1. If you have not already enabled notifications for the application or questionnaire, do the
following:
a. Click .
b. Click the General tab.
c. In the Options section, select the Notifications checkbox.
d. Click Apply.
2. If necessary, create an On-Demand notification template. The template should define the subject
and content of the notification that the node generates, as well as who should receive it.
3. In the General section of the Modeler Toolbox, click Send Notification.
5. In the Send Notification section, in the Name field, enter a name that reflects the step in your
business process that the node represents.
Assigning unique names for each node (across all advanced workflows) allows you to search and
report against the current node name.
6. In the Settings section, select the notification that you want to use.
7. After you have added the next node in your process, draw an outgoing transition from your
Notification node.
By default, the transition type is Successful. If you want the process to always move to the next
node, regardless of whether the notification is successfully delivered, select Always Complete
instead. If you want to create an error path in your process, see "Create error paths" in
Advanced Workflow Troubleshooting.
Add a User Action node.

The User Action node waits for a user to click an action button in the record and follows the
corresponding transition. For example, you might create two possible transitions out of a User Action

Node: Approve and Reject. When the user clicks either Approve or Reject in the record, that choice
determines which transition to follow. For each transition, you can configure a rule that defines the
conditions under which that transition can be followed (for example, if a date field contains a date
prior to the current date) and you can set permissions to determine which users or groups have
access to the action buttons in the UI that transition the record (for example, only a Finding
Reviewer should be allowed to see the Approve or Reject buttons in a finding).
You can also configure the User Action node to create tasks in the Task Management application
when the node becomes active. When the node is completed, the task displays as completed.
Note: If you plan to use the create tasks option, the application must have at least one user/groups
field.
1. If you plan to create tasks and have not already enabled task management for this application, do
the following:
a. Click .
b. Click the General tab.
c. In the Options section, select the Task Management checkbox.
d. Click Apply.
e. Click the Advanced Workflow tab.
2. In the General section of the Modeler Toolbox, click User Action.
5. In the Layout section, do one of the following:
l To assign an existing layout, select the layout from the Layouts list.
l To create a new layout, click . For more information, see Adding

Additional Layouts.
Note: You cannot add new fields or update existing fields in a layout created from the
Workflow Process Designer. You can only add or remove existing objects to or from the
layout and arrange existing objects. If you wish to modify field attributes or add new fields,
you must do this from the Layouts tab in the application or questionnaire.

6. If you want the node to create tasks, do the following:

a. In the Tasks section, select the Create Task checkbox.
b. In Assign to Field(s), click .

c. In Due Date, select the field that you want to use from the list.
d. In Subject, choose a subject line for the task. Do either of the following:
l To use the value of an existing field as the subject, select Choose Field, and select the
field from the list.
l To enter your own subject text, select Enter Text, and enter your text.
e. In Priority, assign a priority level to the task.
f. In Description, provide a description for the task. Do either of the following:
l To use the value of an existing field as the description, select Choose Field, and select the
l To enter your own descriptive text, select Enter Text, and enter your text.
g. In Resolution, choose a resolution for the task. Do either of the following:
l To use the value of an existing field as the resolution, select Choose Field, and select the
l To enter your own resolution, select Enter Text, and enter your text.
7. After you have added the next node(s) in your process, add outgoing transitions from your User
Action node. Enter a unique name for each transition, keeping in mind that the name is also used
as the label for the action button that the user sees in the record.
By default, the transition type is Successful. If you want to create an error path in your process,
see "Create error paths" in Advanced Workflow Troubleshooting.

8. (Optional) Configure rules.

a. Select an outgoing transition from the User Action node
b. In the Rule section, click . The Manage Rule: (New) window appears.

c. In the General Information section, enter a name and description for the rule.
d. In the Status field, ensure that Active is selected.
e. In the Criteria section, select which field to evaluate, an operator, the value or values to
match, and (if applicable) the relationship to the subsequent row of filter criteria. Each row
represents one set of filter criteria.
f. (Optional) To add additional rows for specifying more filter criteria, click Add New.
The system automatically renumbers the criteria rows, but you may need to modify any
g. Click Save.
h. For each additional outgoing transition from the User Action node that you want to create a
rule for, repeat steps a - g.
Note: A rule can be edited or deleted by hovering over the corresponding icons next to the rule
name. Only adding or deleting a rule enables the Save Workflow button; other changes, such as
editing the rule properties, do not.
9. (Optional) Configure permissions.

a. Select an outgoing transition from the User Action node.
b. In the Permission section, click .

c. In the Available list, expand the Fields, Groups, or Users tree and click the users or groups
you want to assign.
applicable, select the type from the adjacent list. Click . The results of your search appear
in the Available list in the Search Results node.
d. Click Add.
Note: You can edit or delete permissions by hovering over the corresponding icon next to the
permission name. Only adding, deleting, or changing the permissions name enables the Save
Workflow button; other changes, such as editing the permissions properties, do not.

10. (Optional) Configure signatures. When interacting with content, you can add another layer of
security by enabling electronic signatures. Electronic signatures allow users to authenticate who
they are before interacting with content.
Note: Signatures can only be configured on the outgoing transition from a User Action node.
a. Select an outgoing transition from the User Action node.

b. Create a new signature.
Note: Editing an existing signature uses the same process.
i. Click New Signature.
ii. In the Manage Signature window, enter a name and description for the signature.
iii. Choose an Authentication Type from the drop-down.
l User Name / Password
l One-time PIN via Email
One-time PIN conditions are set in security parameters. For more information, see
Adding Security Parameters.
Note: The system removes expired one-time PINs. For more information, see the topic
on "Job Types" in the RSA Archer Control Panel Help.
Note: Authentication is unsuccessful if any of the following conditions are true:

l The user account is locked out or inactivated.
l The user requests authentication during Dates Disallowed or Days Disallowed.
l The session has timed out.
iv. Configure the attachment.

a. Choose an existing Attachment field from the drop-down. For more information, see
Adding Attachment Fields.
b. From the drop-down, choose a File type.
v. Click Save and Close.
Note: File types are the same as export.

Note: Attachment field rules apply. For more information see "Configuring an Instance for
Blacklisting or Whitelisting" in the Archer Control Panel Help and Adding History Log
Fields.
c. In the Signatures drop-down, select a signature.
Important: When a signature is selected, the User Action node icon becomes and
the transition becomes bolded.
d. To remove a signature from the workflow, select Choose Signature from the Signature field
dropdown.
Note: When a signature is removed, the User Action node and transition return to their
original design.
Note: To view completed signatures, see "Viewing Record History" in the RSA Archer User's
Guide.
11. To validate your workflow and save your changes, click .
Add an Evaluate Content node.

The Evaluate Content node evaluates the content in the record against transition rules that you create
and follows the matching transition. The node determines which transition to follow based on the
first rule to match, and if there are no matches, follows the default transition.
Note: The Evaluate Content node evaluates rules from the order in which nodes are listed in the
Node Properties pane. After a rule is evaluated to True, Advanced Workflow stops evaluating any
remaining rules in the list.

1. In the General section of the Modeler Toolbox, click Evaluate Content.

4. After you have added the next node(s) in your process, add outgoing transitions. Enter a unique
name for each transition.
Important: You must add outgoing transitions before you can define the rules associated with
those transitions.
By default, the transition type is Successful. If you want to create an error path, see "Create
error paths" in Advanced Workflow Troubleshooting.
5. Define the rules to govern which transition the node should take. Do the following:
a. Click the Evaluate Content node, and in the Rules section, click .
b. From the Transition list, select a transition.
c. Click Add Rule.
d. In the General Information section, enter a name and description for the rule.
e. In the Status field, ensure that Active is selected.
f. In the Criteria section, select which field to evaluate, an operator, the value or values to
match, and (if applicable) the relationship to the subsequent row of filter criteria. Each row
represents one set of filter criteria.
g. (Optional) To add additional rows for specifying more filter criteria, click Add New.
Note: The system automatically renumbers the criteria rows, but you may need to modify any
Note: The Evaluate Content node evaluates rules from the order in which nodes are listed in
the Node Properties pane. After a rule is evaluated to True, Advanced Workflow stops
evaluating any remaining rules in the list.

6. Select a transition for the node to follow if all the rules governing outgoing transitions evaluate
to false. Do one of the following:
l Add a Wait for Content Update node.
a. Draw a transition from the evaluate content node to the new content change delay node.
b. Click the Evaluate Content node.
c. From the Default Transition list, select the transition that you created.
l From the Default Transition list, select an existing transition.
Add a Wait for Content Update node.

A Wait for Content Update node is intended to be used with an Evaluate Content node. If none of the
rules in the Evaluate Content node are met, you can configure the default transition to go to a Wait
for Content Update node, and you can assign it a layout that prompts the user to make necessary
updates in the record. The job stays on the Wait for Content Update node until content is saved by
the user or the delay timeout is reached, at which point it follows the outgoing transition.
RSA recommends you configure the outgoing transition to the originating Evaluate Content node.
This creates a loop.
1. In the General section of the Modeler Toolbox, click Wait for Content Update.
4. In the Layout section, do one of the following:
l To assign an existing layout, select the layout from the Layouts list.
l To create a new layout, click . For more information about

configuring layouts, see Layouts.
5. In the Delay Timeout section, do one of the following:
l Select the Enable Timeout checkbox to set the maximum amount of time that should be
allowed before the Wait for Content Update node closes and moves to the next node, if the
user does not make edits to and save the content within that time.
l Clear the Enable Timeout checkbox to use a default value of no delay. (Recommended)

6. After you have added the next node(s) in your process, draw an outgoing transition from your
Wait for Content Update node.
By default, the transition type is Always Complete, and cannot be changed. RSA recommends
that this outgoing transition returns to the previous Evaluate Content node.
Note: Your Wait for Content Update node can not have more than one outgoing transition.
(Optional) Task 3: Create looping transitions

A looping (upstream) transition (indicated by a dashed line) allows you to point back to a node that
has already been processed. This is useful if you have steps in a workflow that need to be repeated.
For example, if a record in an Evaluate Content node does not meet the criteria needed advance to
the next step in the workflow, you can create a loop that sends the record back to a previous stage so
the user can update the content.
In most cases you do not need to do anything to change a transition into a looping transition. As you
build an advanced workflow, the system attempts to detect loops and automatically convert
transitions to looping transitions as necessary. However, in some cases the system may not detect
that you have drawn a loop, particularly if you delete and redraw a looping transition. In this case,
you need to manually change the transition to a looping transition.
1. Select the transition.
2. In the Transition Properties panel, in the Looping transition field, select Yes.
3. To validate the looping transition and save changes, click .

The transition becomes a dashed line.

Task 4: Activate the workflow

Once you have built your entire workflow and you are ready for records to start being enrolled in the
workflow, you must activate it.
1. At the top of the Workflow Process Designer, click Activate.
2. Click .
Activating and Deactivating Advanced Workflows

When you activate an advanced workflow, jobs begin being created based on the enrollment model
that you selected. When you deactivate a workflow, existing jobs for the application continue to
process, but new jobs are not created.
Note: All advanced workflows installed in a package are installed as inactive and you must activate
them before use.
Activate a workflow
1. Go to the Advanced Workflow tab of the application or questionnaire that contains the workflow
you want to activate.

2. At the top of the Workflow Process Designer, click Activate.
3. Click .

Deactivate a workflow
1. Go to the Advanced Workflow tab of the application or questionnaire that contains the workflow
you want to deactivate.

c. Select the application or questionnaire you want to update.
2. At the top of the Workflow Process Designer, click Deactivate.
3. Click .
Deploying Updates to Advanced Workflows

Every time that you save changes to an advanced workflow, the version number of the workflow
process is updated. If you need to update an advanced workflow that already has enrolled content
with active jobs, follow the process below.
Important: While you can restart a completed advanced workflow job, unpredictable results can
occur. RSA strongly recommends not restarting completed advanced workflow jobs.
1. Plan your advanced workflow updates. Depending on how your organization handles updates,
you may either want to plan and prepare all of your changes in a development environment or
plan in advance the changes that you will make in your production environment during the
deployment period.
2. RSA recommends that you schedule the deployment and contact end-users.
l Plan to deploy the updated workflow over a scheduled period of time, ideally during off hours
to avoid business disruption.
l Contact your advanced workflow end users and inform them that a new version of the
workflow is going to be deployed, that they should complete all work on their currently
enrolled records, and that no new workflow enrollments will be supported during the
deployment period.
3. Check the Job Troubleshooting tool for any active jobs. If you have active jobs, work with your
end users to determine whether the job can be completed or has to be canceled and the record

recreated later in the updated workflow.

l To complete a job, do one of the following:
o Have the end user manually move the record through the remaining steps in the workflow.
o Open the job in the Job Troubleshooting tool and manually complete each remaining node.
l To cancel a job, do the following:

b. Under Advanced Workflow, click Job Troubleshooting.
c. Locate your process, and double-click anywhere in the row to open the associated jobs.
d. Locate the job that you want to delete, and from the menu, select Cancel.
e. Enter an optional comment, and click Cancel Job.
4. Disable all enrollment options for the current version of the workflow process.
5. (Optional) Lock down access or permissions for record creation while you deploy the updated
workflow.
Important: Any new records that are created, or existing records that are updated while the
current workflow is turned off cannot be supported in the updated workflow. If it’s a new record,
and advanced workflow is enrolled, then that record won’t have a workflow job created. If a
record is updated while workflow is turned off, it may get stuck at that node and may require
workflow troubleshooting.
6. Once you have confirmed that there are no active jobs, deploy the new workflow.
7. Re-enable the appropriate enrollment options.
8. If you canceled jobs for records that you want to use with the new workflow, create new copies
of those records and start the new workflow.
9. Inform your end users that the updated workflow has been deployed and educate them on the
changes.

Troubleshooting Advanced Workflows
Troubleshoot Workflow Process Designer access errors

The following table shows errors you may encounter when attempting to access the Advanced Work-
flow tab in an application or questionnaire.
Error message Resolution
None - Workflow Process Designer splash screen Check to see if the Advanced Workflow
hangs. Service is running. If it is not running, start
the service.
Advanced workflow HTTP request error: 404 not
found.
The Workflow builder encountered an unexpected

error. Please contact your system administrator for
more details.
An error occurred communicating with the server.
The Advanced Workflow service is unavailable.
Troubleshoot workflow validation errors

When you build an advanced workflow and click Save Workflow, the system validates all of your
nodes and transitions and informs you if there are any configuration issues.
The following table describes some of the messages that you can encounter.
Error
Error message Description Resolution
type
General

Error
type
Advanced Workflow has The advanced workflow must be Before you click Save
unsaved changes. Please save saved separately from the or Apply in the
or revert. application or questionnaire that it application or navigate
belongs to. If you save or close away from the page,
the application without saving the make sure that you do
workflow, your changes will be one of the following:
lost. l Click Save
Workflow to save
any changes in your
process.
l Click and
select Revert to
return to your most
recent saved
version of your
process.
Edits made to this workflow Changes to a workflow process Select the I understand
will only apply to records that design cannot be applied to the implications of
enter workflow after the records that were already performing this
changes are saved. The N enrolled in the workflow. For best operation checkbox,
record(s) that are currently practices for handling workflow and click OK.
using this workflow will updates, see "Deploying Updates
continue to use the previous to Advanced Workflows" in the
version of it until they exit RSA Archer Online
workflow. Documentation.
The workflow does not start A Start node is required. Add a Start node.
with a "Start" node.
Node Node Name requires at All nodes except for a Stop node Add an outgoing
least one outgoing transition. require at least one outgoing transition from the
transition. node.
Node NN: CUST Name is All nodes require a name. This Select the node, and in
required. error only displays if you deleted the Name field, enter
the Name text from a node. text.
Evaluate Content node

Error
type
Node Evaluate Content The Evaluate Content node Select the Evaluate
requires one default requires that you mark one Content node, and in
transition. outgoing transition as the default. the Default Transition
If all the rules governing outgoing field, select a
transitions evaluate to false, the transition.
workflow follows the default
transition.
Node Evaluate Content: Other than the default transition Select the Evaluate
Except for error and default or transitions marked as an error Content node and add
transitions, each outgoing path, all outgoing transitions from a new rule for each
transition must be configured an Evaluate Content node require outgoing transition.
with one rule. a rule that defines under which For steps, see "Add an
conditions the workflow should Evaluate Content
follow that path. Node" in the RSA
Archer Online
Documentation.
Send Notification node
Notifications: A notification The Send Notification node Select the Send

is required. requires that you select an on- Notification node, and
demand notification template to in the Notification
use for the notification. field, select a
notification template.
Note: If you do not already have
an on-demand notification
template associated with the
application or questionnaire, you
must first create one.
Update Content node
The option requires other Some Values List fields are Update a different
text. Can't be selected. configured to require that the user value or configure the
enter text in an Other text field if value list value not to
Note: This error displays in a particular value is selected. require Other text.
the Add Value dialog box. Advanced workflow cannot
update these values.

Error
type
User Action node
Node User Action layout is You must select an existing Select the User Action
required. layout or create a new layout for node, and in the
the User Action node. Layout section, select
the layout that you
want to use or create a
new layout.
Tasks: Group or Permissions If you want to create a task from Do the following:
field for assignees is an User Action node, you must 1. Select the User
required. select either a User/Groups or a Action node, and
Record Permissions field to in the Assigned to
assign the task to. field, click +.
2. Select the group or
permissions field
you want to use,
and click Add.
Tasks: Please select a If you want to create tasks from a Select the User Action
priority for this task. User Action node, Priority is a node, and in the
required field. Priority field, select a
value.
Tasks: Please enter the text In the Select the User Action
for the task subject/task Subject/Description/Resolution node, and in the
description/task resolution. fields, if you select Enter Text, Subject/
you must enter the text you want Description/Resolution
to use. text field, enter your
text.
Tasks: Please select a field In the Select the User Action

to use for the task Subject/Description/Resolution node, and in the
subject/task description/task fields, if you select Choose Field, Subject/
resolution. you must select a field to use. Description/Resolution
drop-down field,
select the field that
you want to use.
Wait for Content Update node

Error
type
Node Wait for Content You must select an existing Select the Wait for
Update: Layout is required. layout or create a new layout for Content Update node,
the Wait for Content Update node and in the Layout
to use. section, select the
layout that you want to
use or create a new
layout.
Loops
A process loop was detected You have created a loop in your Do the following:
but none of the transitions workflow process, but none of the 1. Select the
within the loop were transitions in your loop is marked transition that
declared as being upstream. as looping. completes the
Please make one of the loop.
transitions within the loop an
upstream transition. 2. In the Transition
Settings section,
from the Looping
Transition list,
select Yes.
3. Click
.
When you save,
the transition
changes to a
dashed line.
An upstream transition was An upstream, or looping, Ensure that all dashed

found outside of a process transition is marked by a dashed transitions are part of
loop. Please verify that all line and is only necessary when a loop in your process.
upstream transitions are in part of a loop in your process.
process loops. You may see this error if you
created a loop and later deleted
one of the nodes, leaving a
looping transition that is no longer
part of a loop.

Troubleshoot errors in the enrolled content record

The following table describes errors you may encounter when working in a record that is enrolled in
an advanced workflow.
Workflow job failed to Content save fails if the record Contact your RSA Archer
start. cannot be enrolled into an advanced administrator.
workflow for any reason.
Cannot enroll content in This content record has already been Contact your RSA Archer
advanced workflow. The enrolled in advanced workflow and administrator.
content has already been has a job associated with it. The
enrolled and re-enrollment advanced workflow creator has not
is not allowed for records allowed for records in this
in this application. application to be re-enrolled in the
workflow.
There was an error The workflow job ran into an error at Use the Job Troubleshooting
processing this record. the Node Name node. tool to investigate the error.
Please contact your For more information, see
administrator and tell "Troubleshooting Errors in
them this record could not Running Workflows" in the
go past the 'Node Name' RSA Archer Online
stage. Documentation.
Cannot enroll content into The rule associated with the User Contact your RSA Archer
advanced workflow. The Initiated enrollment option has not administrator.
rule conditions associated been met, so the record cannot be
with workflow enrollment enrolled in advanced workflow.
were not met.
Cannot transition to the The rule associated with the Contact your RSA Archer
next advanced workflow transition has not been met, so the administrator.
node. The rule conditions record cannot transition to the next
associated with the node.
selected transition were
not met.

Cannot enroll content into Only users who have been granted Contact your RSA Archer
advanced workflow. You permissions to the User Initiated administrator.
are not authorized to enrollment option can enroll the
perform this action based record in advanced workflow.
on the permissions
configured for enrolling
content.
Cannot transition to the Only users who have been granted Contact your RSA Archer
next advanced workflow permissions to the transition can administrator.
node. You are not click the associated User Action
authorized to perform this button in the record and transition the
action based on the record.
permissions configured for
this transition.
Troubleshoot errors in running workflows

If records are running into errors while moving through your workflow, you can open the Job
Troubleshooting tool and look at the individual job details.
1. Open the Job Troubleshooting tool.

b. Under Advanced Workflow, select Job Troubleshooting.
2. Locate your process (for example, by name), and double-click anywhere in that row to open the
associated jobs.
Note: If there are no associated jobs, verify that your workflow is active, that you selected a
content enrollment option, and that records have been created in the application or questionnaire.
3. Locate your job (the Reference number is the tracking ID of your content record), and double-
click anywhere in the row to open the detail view. If the job is in an error state, a red error
message displays in the upper-right corner of the grid.

4. Determine where the job got stuck. Locate the last selected (green) node.
Node states
The following table describes the node states.
State Description Appearance
Planned Downstream from one or more other nodes that have yet to be Dark Gray
completed or skipped. All nodes start as planned. It is unknown
whether this node will be executed in a particular job.
Selected Either has no dependencies or all of its dependencies have been Green
resolved and at least one of the transitions leading to this node was
selected. The node must now be executed.
Complete Previously selected to be executed and the work that is represents Blue
has been completed.
Skipped The node was downstream from one or more nodes and none of the Light Gray
transitions leading to this node were selected. The node does not
need to be executed.
Transition states
The following table describes the transition states.
Planned The transition has not been evaluated. All transitions start as Dark Gray
planned.
Selected The source node of the transition is completed and either: Green
l It is the only outgoing transition from that node.
l The criteria for this transition have been met (either a user
clicked an Action button for a transition from a User Action
node, or a rule evaluated to true for a transition from an Evaluate
Content node).

Skipped Either the source node of the transition was skipped or the source Light Gray
node was complete but the transition did not meet its criteria (an
action button was not clicked or the rule evaluated to false).
5. Review any errors:

a. Click anywhere in the grid to display the Job Properties panel.
b. Scroll down to the Errors section.
c. Hover over an error until an icon appears, and click the icon.
d. Note the timestamp of the error message.
6. Depending on which node caused the error, verify the following:
l Evaluate Content node
o Are the associated rules correct?
n Did you make any changes to the fields that are being evaluated?
l Send Notification node
o Is the on-demand notification configured correctly?
o Are notifications enabled for your instance?
o Are notifications enabled for the application or questionnaire?
l Update Content node
o Is the node configured to update at least one field?
o Did you change the validation on any of the fields being updated? For example, did you
make a field required that was previously not required?
l User Action node
o If you chose to create tasks, is Task Management enabled for the application or
questionnaire?
o Are all the fields required for Task Management also required in the record?
o Do the fields that you selected to use for the task subject, description, due date, and
resolution have values entered in them in the record?
7. Check the Advanced Workflow server.log file (located in \\RSAarcher\LogFiles\Workflow) for
more information about the error.
Note: The timestamps of all entries in server.log are in Coordinated Universal Time (UTC). The
timestamps of errors in the Job Troubleshooting tool depend on the time zone of your instance.

Note: RSA recommends using the Job ID to find the actual error in the log message. For
example, from a job in error, the comment might read "Node instance Update Content in job
4726:CUST did not select an outbound path." you would search for "4726:CUST" in the log.
8. Depending on the type of error encountered and your workflow process, determine how you want
to handle the job.
Option Description Steps
Restart Restarts the job from the beginning. Any work previously
1. From the
the job completed is reset and must be completed again.
menu, select
Restart.
2. Click Restart Job.
Cancel Cancels the job. Use this option if you no longer need the
1. From the
the job job or plan to recreate the record and trigger a new job.
menu, select
Cancel.
2. Enter an optional
comment, and click
Cancel Job.
Reset a Resets the node as Selected and resets all downstream 1. In the grid, select
node nodes as Planned. Use if you want to retry the node. the node.
2. In the Actions
section, click
Reset.

Option Description Steps
Manually Use this option if you want the job to continue regardless
1. From the
move to of whether the node completed successfully. For
menu, select
the next example, you might want to use this option if a
Activate.
node notification failed to send.
2. In the grid, select
the node.
3. In the Actions
section, click
Change State, and
select Complete
Work.
4. From the
Completion Code
list, select the
transition that you
want to follow.
5. Click Complete
Work.
Create error paths

An error transition out of a node allows you to create a path for a workflow in the case that the node
runs into an error. You might want to create error paths in your workflow if your jobs are running
into the occasional error on a particular node and you want to force the job to continue on through the
workflow instead of stopping. For example, if you have intermittent errors with your mail server, but
do not want the job to stop just because a notification could not be sent, you might create an error
path to allow the workflow to continue to the next node.
1. Add a User Action node to the grid.
2. In Node Properties panel, in the Name field, type Error.
3. In the Layout section, create and assign a layout that indicates an error.
4. Draw an outgoing transition from the node that is failing to the Error node.
5. In Transition Settings, from the Type list, select Error.
6. Draw an outgoing transition from the error node to the next node in your process.
7. To validate the new transitions and save your changes, click .




Chapter 10: Workflow

The Workflow feature defines a process for moving a record through stages for review and
validation before publishing it to end users. You can create unique workflow processes for any
application, any level in a leveled application, or any questionnaire in RSA Archer for which they
have been assigned ownership rights.
When you define a workflow process, you do the following:
l Establish review and validation stages.
l Determine the order to route content.
l Assign designated personnel to each stage.
l Configure content review assignment notifications.
After a formal workflow process is defined for an application, records that are subsequently added
or edited are routed through the process. As records move through content review stages, a detailed
history of all content modifications is electronically maintained by person, date, and time. By
default, this history is configured to retain all fields indefinitely. If this history log is configured to
purge its contents, the workflow information may be lost along with other historical information.
Other history log fields could be placed in the application as well.
In leveled applications, workflow processes are configured separately for each level.
Fields added for workflow tasks

When you activate a workflow, several fields are added to the Available Fields list for the
application or questionnaire. RSA Archer uses these fields to manage the workflow feature.
Record permissions still apply for records in workflow process. All users with proper access
privileges can view a record in the workflow process. However, only users that have been assigned
a record in the workflow process can accept or reject it.
The following table describes the fields added for workflow tasks.
Field Description
Workflow Read-only field used by the system to manage workflow stages.

Stage
Workflow System-managed field that provides access to the workflow discussion forum for
Comments individual records.
Workflow Read-only field used by the system to manage user access to a record that resides
Assignees in a particular workflow stage.

Field Description
Workflow System-managed field that maintains a change history for each record. All logged
History entries are retained indefinitely.
Workflow toolbar options

When a user assigned to a record displays it in the workflow process, the Workflow toolbar displays
at the top of the record.
The following table describes the toolbar options.
Button Description
Accept Saves any changes made to the record and advances it to the next stage in the
workflow process.
Reject Saves any changes made to the record and demotes it to the previous stage in the
workflow process.
Comment Opens a discussion forum dedicated exclusively to the current record. This button only
displays if the Comments option has been enabled for the workflow stage.
Reassign Enables application owners to reassign the record to a different user. This option is
only available to application owners.
History Displays a history log of the record that includes a description of the changes made to
the record during the workflow process. All logged entries are retained indefinitely.
Workflow tasks
l Activating or Inactivating Workflows
l Adding Workflows to Applications
l Adding Workflow Notifications
l Configuring the End Stage of Workflows
l Deleting Workflow Notifications
l Deleting Workflow Stages
l Reordering Workflow Stages
Workflow vs. Advanced Workflow


workflow process.
For information about using the Advanced Workflow feature, see Advanced Workflow.
Adding Workflows to Applications or Questionnaires

Adding a workflow to applications and questionnaires creates a process for your users to follow with
specific defined stages.
Note: The information described in this topic is specific to the Workflow feature. For information on
the Advanced Workflow feature, see the Advanced Workflow topic in the RSA Archer Online
Documentation.
Task 1: Add a workflow stage

By default, the workflow includes a start stage and an end stage. You can add and configure one or
more additional workflow stages.
1. Go to the application or questionnaire that you want to update.



d. Click the Workflow tab.

l If the application is a leveled application, select the tab of the level for which you want to
configure a workflow process.
3. In the Stages section, click Add New.
l If you want to create a new workflow stage, select Create a new Stage from scratch.
l If you want to create a workflow stage from an existing workflow stage, select Copy an
existing Stage, select the workflow stage from the Available Workflow Stages list.
Note: If no stage has been created before, it will automatically Create a new Stage from
scratch.
5. Click OK.
6. In Stage Name field of the Stage Properties section, enter the name of the stage.
7. In the Advanced Stage Properties section, select the assignment model for the workflow.
Assignment model options

The following table describes assignment models.
Field Description
Round Robin Randomly assigns records to qualified users.
Multiple - Edit Assigns ownership to the first user to save a record under review.
Owner
Multiple - Allows any qualified user to accept the record and move it to the next
Concurrent stage.

l To enable users to post comments associated with the record, click Content Discussion in
Comments.
l To require users to post a comment when rejecting a record, click Comment on Rejection in
Rejection Reason.
9. In Enrollment Model of the Workflow Options section, select the enrollment model.

l All Records
l New Records Only
l Update Records Only
l To enroll the original record in the workflow, go to the next step.
l To enroll a copy of the record in the workflow, click Record Version in Create Record Copy.
A copy of the original record becomes part of the workflow process while the original record
is available to users.
Task 2: Assign default assignees to the workflow
1. In the Stage Properties section, click in Default Assignees to open the selection box.

e. In the Stages section, select the stage that you want to configure.
2. In the Available section, do the following:

a. Click Select to open the selection box.
b. In the Available section, double-click a group, user, or field to display it in the Selected
section.
c. Click OK.
Note: To search for a specific user or group, expand the User or Group node and double-
click the value. Your selection is displayed in the Selected column.


Task 3: Define workflow assignment rules

Assignment rules automatically assign records to users. Multiple rules work cumulatively. This step
is not required. If no records satisfy the criteria, the record is assigned to the default assignees.
1. In the Stages section, select the stage that you want to configure.

e. In the Stages section, select the stage that you want to configure.
2. In the Stage Properties section, click Add New in Assignment Criteria of the Rules section.
3. In Name, enter a name for the rule.
4. In Description, enter a description for the rule.
5. In the Criteria section, enter the rule criteria.
Option Description

Evaluate

Operator
Logic
6. In the Assignment section, select the groups, users, and fields to which records are assigned in

the workflow process:

a. Click Select to open the selection box.
b. In the Available section, double-click a group, user, or field to display it in the Selected
section.
c. Click OK.
Note: To search for a specific user or group, expand the User or Group node and double-
click the value. Your selection is displayed in the Selected column.
7. Click OK.
8. Repeat steps 5 – 7 to add new rules as needed.
Adding Workflow Notifications

You can configure the workflow process to automatically send email notifications to users and
groups that are assigned to a record for review. The notifications are sent when any of the following
happens to a record:
l Enrolled in the workflow
l Moves to a new stage (except the End stage)
l Manually reassigned by the application owner
You can configure a workflow notification for any stage in the workflow process, and can use the
same notification for multiple stages or create unique notifications for each stage.
Documentation.
Task 1: Add a workflow notification
1. Go to Workflow tab of the application or questionnaire that you want to update.




4. In the Stage Properties section, click Edit in Notifications.
5. Click Add New.
l If you want to create a new workflow notification, select Create a new Workflow
Notification from scratch.
l If you want to create a new workflow notification from an existing workflow notification,
select Copy an existing Workflow Notification and select the existing workflow notification
from the list.
7. Click OK.
8. In the General Information section, enter the name and description of the notification.
Task 2: Define the design template

1. On the General tab, scroll down to the Template Design section.
2. Do the following:
a. In the Letterhead field, click and select the letterhead you want.
b. In the Body Layout field, click to select the layout for the body of the notification, and
click OK.
c. In the Preview field, verify that the layout you selected is the one you want to use.
l If the layout is what you want to use, go to the next step.
l If the layout is not what you want to use, repeat steps b and c.


Task 3: Define the content of the workflow notification

You can define the content of a workflow notification using both static and dynamic content. Static
content is text that remains the same for every notification, while dynamic content is content that
changes based on the unique parameters.
1. Click the Content tab.
links.
field.
3. Click Apply.
Task 4: Define the email properties of the workflow notification

1. Click the Delivery tab.
address.
selection.

3. Click Save.
Activating or Inactivating Workflows

After you have added a workflow, you can activate it by changing the Status field to Active. For
leveled applications, you must activate the workflow process for each level independently.
Documentation.
Activate a workflow
1. Go to the Workflow tab of the application or questionnaire that you want to update.


3. In the Stages section, click the Start stage.
4. In the Status field of the Workflow Status section, click Active.
Inactivate a workflow
To prevent records from entering the workflow process, change the value in the Status field to
Inactive. You cannot inactivate a workflow process if there are records enrolled in any of the
workflow stages.



3. In the Stages section, click the Start stage.
4. In the Status field of the Workflow Status section, click Inactive.
Configuring the End Stage of Workflows

By default, the workflow includes the end stage.
Documentation.
1. Go to the Workflow tab of the application or questionnaire that you want to update.



3. In the Stages section, click the End stage.

4. In Completed Status Name, enter a name to associate with complete records.
5. In Completed Record Access, select the access level of records that have completed the
workflow process.
Completed Record Access options

The following table describes access levels.
Field Description
Standard Removes any access restrictions imposed during workflow. To use this option, the
application must have a Record Permissions field.
Public Enables all users to access records that are released from workflow.
Private Enables you to grant access to selected users or groups when records are released
from workflow.

Deleting Workflow Notifications

You can delete a workflow notification when it is no longer valid.
Documentation.
1. Go to the application or questionnaire in which you want to delete a workflow notification.



4. In the Stage Properties section, click Edit in Notifications.
5. Click the row of the notification that you want to delete.
6. Click for that notification.

7. Click OK.
Deleting Workflow Stages

You can delete a workflow stage if there are no records currently enrolled in it.
Documentation.
Delete a workflow stage

1. Go to the application or questionnaire in which you want to delete a workflow stage.


3. In the Stages section, select the stage that you want to delete.
4. Click in the Stage.

5. Click OK.

Reordering Workflow Stages

Complete this task to change the order of stages in a workflow process at any time, even while
records are currently enrolled in the workflow process.
Documentation.

2. If the application is leveled, select the tab for the level for which you want to configure a
workflow process.
3. In the Stages section, select the stage that you want to reorder.
4. Drag the stage to the location you want.

Chapter 11: Offline Access

Offline access enables Audit Engagements & Workpapers users to conduct audits offline on a
laptop. Offline access is available with an active Audit Engagements & Workpapers license and is
configurable for each instance. You must enable offline access in the RSA Archer Control Panel.
For a complete list of requirements, see Installing Offline Access.
As an administrator, you select the application or questionnaire that is eligible for offline access.
What you select determines which records an offline access user can select for offline use. All data,
including cross-referenced and related records, for the specified records download to the offline
access database and are available for offline use on a laptop.
RSA recommends that only trusted users with secure laptops with strict firewall rules restricting
remote access to Offline Access have permission to Offline Access.
RSA Archer features not supported for offline access

The following are features not supported for offline access:
l Application Builder
l Data Feeds
l Data Publications
l Data Imports
l Discussion Forums
l LDAP Synchronization
l Notifications
l Packaging
l Training and Awareness
l User Preferences
Note: Records from a retired application are not supported in offline access. You can view User
Preferences, but you cannot edit them in offline access.
Use the Offline Access Gateway to select the application or questionnaire that will have offline
access for RSA Archer. After you determine which application or questionnaire you want for offline
access, you can then manage the records in the offline access library.

Configuring Offline Access Gateway

The Manage Offline Access Gateway page contains a list of applications and questionnaires. You
must select the application or questionnaire that is eligible for offline access. RSA does not
recommend selecting an application enabled for Workflow or Advanced Workflow. Application and
Questionnaire records are Read Only in offline access.
You can reconfigure the offline access gateway at any time. The records already used in an offline
access session are synchronized with RSA Archer data the next time the offline access user
performs a synchronization. The offline access user can then select the new records eligible for
offline use.
You can also configure the offline access gateway to prevent downloading unnecessary applications
and questionnaires that may be referenced by the selected gateway application or questionnaire.
Configure the offline access gateway

1. Go to the Manage Offline Access Gateway page.

b. Under Offline Access, click Offline Access Gateway.
2. Do one of the following under the Gateway Application tab:

l Click the Applications tab, and select the application for offline access availability.
l Click the Questionnaires tab, and select the questionnaire for offline access availability.
3. (Optional) On the Excluded Applications / Questionnaires tab, select any referenced applications
or questionnaires that you want to exclude from offline access availability.
4. Click Save.
Offline Access Library

The Offline Access Library contains the specified records from the application or questionnaire
designated in Manage Offline Access Gateway. The Offline Access Library is unique for each user
and contains only the records in which that user has permissions. Use the Offline Access Library to
manage the records that are downloaded to and worked in offline access.
When a record is enabled for offline access, all supporting data, including cross-referenced and
related records, for that record is also synchronized. RSA Archer searches all applications or
questionnaires for any cross-referenced and related records. Menus for synchronization and support
are provided for the Offline Access Library.

Record states in the library

The following table describes the record states.
Record
Description
State
Strike-through Records synced with offline access and being removed in the
next sync.
Bold New records that will be synced with offline access in the next
sync.
Regular text Records synced with offline access in the next sync.
You can refresh the records in the Offline Access Library by populating the Offline Access Library.
You can remove records from the library clicking , which is displayed next to each record.
Records are removed from the Offline Access Library only.
Menu options for offline access library

The Offline Access Library includes a menu bar with the following functions:
l Start Sync
l Reset Password
The following table describes how the menu options for syncing records change based on the record
state.
Menu
Description
Option
Start Initial state. Records are ready for synchronization.

Sync
Resolve Becomes available when conflicts exist between the offline access data and the RSA
Conflicts Archer data. In addition, if there are any updates to the application, these changes are
also validated.
Restart Becomes available when conflicts are resolved so that synchronization can continue.
Sync
Populate the offline access library
1. Go to the search results of the designated application or questionnaire.

a. From the menu bar, click the Audit Management menu.

b. Click the application or questionnaire that matches your Offline Access gateway.
c. Click Search and then run a search without adding any additional search criteria.
2. On the Search Results page, click Options, and select Enable Offline Library.
3. Select the records that you want to add to the Offline Access Library.
4. Click .
5. Verify that the specified records appear in the Offline Access Library.
Remove records from the offline access library

1. From the User menu, click Offline Access Library.
2. Click next to the record that you want to remove.
Any records synchronized to offline access appear with a strike-through. The next sync removes
these records from offline access. Records that are not synced are removed from the library.
Resetting Your Offline Access Password

You are assigned a one-time password for logging on to Offline Access. This password is displayed
for a few minutes.
To complete this task, make sure the laptop running offline access is available and you are logged in
to RSA Archer.
2. Click Reset Password.
3. Do one or both of the following one step at a time:
l Click Copy to Clipboard to copy your user name and paste it into the office access login.
l Click Copy to Clipboard to copy the one-time password and paste it into the offline access
login.
4. Click OK.
5. At User Login on the laptop, click OK.
a. Enter your current password (one-time password).
b. Enter a new password.
c. Retype your new password.
7. Click Submit.

Resolving Online Access Conflicts

Conflicts are detected while synchronizing Offline Access with RSA Archer. Record and Save
Validation are types of conflicts you may encounter. The cause of a conflict may vary. Some
conflicts occur during the save validation process when field values are validated. For example, a
required field is missing data or does not have the proper value. Other conflicts occur when a record
is updated in offline access and the same record is updated with different values in RSA Archer.
You can resolve conflicts any time but they must be resolved before the synchronization can
complete. Offline access is not available until all conflicts are resolved. You can delete an
unresolved offline access record. This action only deletes the record from conflict resolution. The
values entered offline are not saved.
Conflict conditions
l An RSA Archer administrator updated an application that impacts the records in offline access.
For example, made a field required or changed a values list.
l Required data is missing from the record being uploaded from offline access.
l A record that is being worked offline is also updated in RSA Archer with different values.
Stepped process for resolving conflicts

2. Click Start Sync.
3. Resolve the conflicts.
4. Restart the sync.
Resolving offline access conflict process

You resolve conflict from the Offline Access Unresolved Records page in RSA Archer. This page
contains a list of the records that have record conflicts or save validation conflicts.
The process for record conflicts is different than save validation conflicts.
l For record conflicts, you use the Conflict Resolution page, and specify which field values you
want to keep or discard.
l For save validation conflicts, you use the record details page to update the field values.
When you resolve either conflict, you return to the Offline Access Unresolved Records page. All
conflicts must be resolved to complete the synchronization. Offline access is not available until all
conflicts are resolved.

If the reason that caused the conflict no longer exists, a message is displayed informing you that the
record is no longer in conflict and no further action is required. To continue, click OK.
Use the following tasks to resolve offline access conflicts:
Resolve offline access record conflicts

All conflicts must be resolved before you can continue working offline.
1. In offline access, click Resolve Conflicts.
The Offline Access Unresolved Records page opens with the conflicts listed.
2. Click the record you want to resolve.
3. In Resolution, do one of the following:
l To keep the offline access values, select Keep my changes and discard the changes from the
other processes. Go to step 6.
l To discard the offline access values, select Discard my changes and keep the changes from
the other processes. Go to step 6.
l To manually select which values to keep, select Let me choose which changes to keep and
which changes to discard. Go to step 4.
4. In Conflicts, click the values you want to keep in either the Your Value or System Value
column.
5. Click OK.
6. Repeat steps 2 – 5 until all conflicts are resolved.
7. Click Offline Access Library.
8. Click Restart Sync.
Resolve offline access save validation conflicts

If this condition exists, a warning message displays showing a list of fields that must be corrected.
You must update the record with the required information to resolve the conflict. All conflicts must
be resolved before you can continue working offline.
1. In offline access, click Resolve Conflicts.
The Offline Access Unresolved Records page opens with the conflicts listed.
2. Click the record that you want to resolve, and a warning message displays with a list of the
fields that require resolution.
3. Click OK.
4. Update the record with the necessary information for each field.

5. Click Save.
6. Repeat steps 2 – 5 until all conflicts are resolved.
7. Click Offline Access Library, and click Restart Sync.
Delete unresolved offline access records

This action only deletes the record from conflict resolution. The values entered offline are not saved.
1. Go to the Conflict Resolution page
1. Click Offline Access Library.
2. Click Resolve Conflicts.
2. Select each record you want to delete.
3. Click .
Synchronizing Offline Access Records

Synchronizations are started from the Offline Access Library page of RSA Archer. Before
synchronizing, start the Distributed Transaction Coordinator service on the laptop running offline
access.
Synchronizing offline access to RSA Archer is required:
l The first time you run offline access after installation.
l After purging offline access data.
l To update RSA Archer Platform and offline access with new or updated records.
When a record is enabled for offline access, all supporting data, including cross-referenced or
related records, for that record is also synchronized. Records from a retired application are not
synchronized. Records in an application enabled for Workflow or Advanced Workflow are read only
in offline access.
Important: Appointment details are synchronized in offline access and can be updated while
working offline, but when the data is resynchronized with RSA Archer Platform the relationships
between the parent and resource applications are not saved. You must re-edit these appointment
details to reestablish these relationships.
Synchronization process
Offline access synchronization requires a stable connection to RSA Archer. If the connection is lost,
the synchronization fails. You cannot synchronize if the offline access version does not match the

RSA Archer version.

The initial synchronization downloads all records and any supporting data from the Offline Access
Library. If applicable, this process initializes an index rebuild for keyword search that can consume
significant resources.
Subsequent synchronizations ensure that the offline access data is synchronized with the
RSA Archer data. During this synchronization, offline access data uploads to the RSA Archer, and
then any updated (new and existing) records in the Offline Access Library download to offline
access. If data is missing, or does not match the parent record, a conflict is created during the
synchronization. You can resolve conflicts at any time from the Offline Access Library, but must
resolve them before the synchronization can successfully complete.
Offline access is not available until synchronization completes.
RSA Archer includes special synchronization options controlled by security parameters to ensure
offline data is synchronized regularly. These options include:
l Sync Reminder. If the Sync Reminder option is set and the specified conditions are met, an alert
prompts you to synchronize the offline data with the RSA Archer Platform. You can continue
working in offline access.
l Force Sync. If the Force Sync option is set and the specified conditions are met, you must
synchronize offline access with the RSA Archer Platform. You cannot open offline access until a
sync successfully completes.
l Purge Data. If the Purge Data option is set and a you have not synchronized within the specified
time frame, you are forced to purge all offline access data upon login and run an initial
synchronization. Offline access is not available until all data is purged and until the initial sync is
completed.
Run the initial offline access synchronization

If an initial sync is required, you are prompted to run it. This process requires a stable connection to
the RSA Archer Platform and takes several minutes.
If applicable, this process initializes an index rebuild for keyword search that can consume
significant resources.
3. In offline access, click Continue.
Run a forced offline access synchronization

Complete this task when prompted. When a forced synchronization is required, you cannot start
offline access until the synchronization completes. Your administrator determines whether this

option is required.
Note: This task requires a connection with the RSA Archer Platform and takes several minutes.

3. In offline access, click Continue.
Synchronize offline access

Synchronizing requires a stable connection to the RSA Archer Platform. You run all
synchronizations from the Offline Access Library.
3. Wait until the process completes.
If there is missing data or data that does not match the parent record, a conflict is created during
synchronization. You can resolve conflicts at any time from the Offline Access Library, but must
resolve them before the synchronization can successfully complete.
Offline Access Mode

Offline access enables you to conduct audits offline on a laptop. Working in offline access does not
require a connection to RSA Archer. You can add and update records just as if you were working
directly in RSA Archer. Data is stored in a local database on the laptop and then synchronized to
RSA Archer later.
Before using offline access, start the Distributed Transaction Coordinator service on the laptop
running offline access, and synchronize offline access with RSA Archer. Synchronization requires a
stable connection to RSA Archer. When you finish working offline, you must synchronize offline
access with RSA Archer.
Note: Records from a retired application are not supported in offline access. User Preferences are
honored, but you cannot edit them in offline access.
Offline access utility

Offline access includes a utility that runs from the system tray app. This utility and all supporting
applications automatically install during the offline access installation. The Offline Access utility
acts as the gateway between offline access and RSA Archer.
In addition to this utility, all data and related records of the specified records from the Offline
Access Library download to the local database.

In addition to starting offline access, the Offline Access utility facilitates the following:
l Purging Data in Offline Access
l Working Offline
Logging In to Offline Access

All users must create an offline access password. Single sign-on logins are not available in offline
access.
l If your RSA Archer account uses single sign-on, use the user name and one-time password
presented at login to create an offline access password.
l If your RSA Archer account does not use single sign-on, login to offline access using your RSA
Archer user name and password.
Important: System administrators who use RSA Archer offline automatically convert to a general
user status and are granted sufficient access rights in the permissions tables. Any change to either
content or meta data that occurs during offline access produces a conflict between offline and RSA
Archer. To resolve a content conflict, you must use the Resolve Offline Access Conflict process. To
resolve a meta data conflict, such as a deleted dashboard or iView, you must purge data from offline
access.
Only one user can log in to offline access from the same laptop--one user, one RSA Archer
instance, and one device. Multiple users cannot be used with offline access.
Offline access user configuration

All data downloads from the Platform to offline access. Updated or new records from offline access
upload to the Platform. Conflicts are created if during this process missing data or data that doesn't
match the parent record exists. You can resolve conflicts anytime, but they must be resolved before
synchronization can successfully complete. Offline access is not available until synchronization
completes.
Login requirements
Upon log in, offline access checks your user account for the appropriate credentials. Enter the
following:
l User name and password
l RSA Archer instance name
l RSA Archer Base URL
If any of these elements do not match, a validation message appears informing you that your user
account is invalid. Verify that you have correctly logged in to both RSA Archer and offline access.

Login to offline access - no SSO

This login requires the same login credentials as RSA Archer.
1. On the desktop, double-click the RSA Offline Access icon.
2. Enter the following information:
l Username
l Domain (optional)
l Password
3. Click OK.
Login to offline access - SSO
1. Go to the Offline Access Library page.

a. From the menu bar, click the User menu.
b. Click Offline Access Library.
2. Click Reset Password.

A one-time temporary password is provided for logging in to offline access.
3. Do one or both of the following:
l Click Copy to Clipboard to copy your user name and paste it into the office access login.
l Click Copy to Clipboard to copy the one-time password and paste it into the offline access
login.
4. Click OK.
5. At User Login page, click OK.
6. Enter the following:
l Current Password (one-time password)
l New Password
l Retype Password
7. Click Submit.
Installing Offline Access

The installation process for Offline Access is separate from the RSA Archer installation.
RSA recommends installing Offline Access on a client laptop or computer. To install Offline
Access, use the installation wizard to guide you through the process.

Note: Currently, Offline Access supports the Audit Engagement, Audit Entity, Audit Plan, Audit
Workpaper, IA Engagement and Assessment Results, Internal Audit Department Annual Review,
Plan Entity and Question Library applications.
Preparing for Offline Access Installation

The following table lists the requirements your system must meet
before installing offline access.
Component Requirement
Operating System Windows 10 64-bit
Memory 8 GB RAM
Disk Space 100 GB Hard Drive
Additional Software Microsoft .NET Framework 4.6.1 or 4.6.2
Important: Microsoft Sync Framework 2.1 is required and must be installed on the Services Server.
For more information, see "Preparing the Services Servers" in the RSA Archer Installation and
Upgrade Guide.
By default, the offline access data is stored on the local computer at C:\Users\
[username]\AppData\Roaming\RSA Archer\Offline Access\. Isolating the offline access data
ensures that each offline access user has their own environment for working offline. For example,
when a user purges offline access data, only the offline access data of that user is purged.
Anti-virus and firewall applications may interfere with Offline Access run-time activities. You must
add the Offline Access installation file as a trusted file/process/installer/updater for any anti-virus
and firewall applications that may interfere with the installation.
Before running offline access, start the Distributed Transaction Coordinator service on the laptop
using offline access.
Install Offline Access

The offline access version must always match the RSA Archer version.
Important: You must have administrator rights to install offline access. If you are upgrading offline
access, close the Offline Access utility before starting the installation.
1. Contact your IT Administrator to obtain the Offline Access installation file.

The IT Administrator downloads the Offline Access installation file from the RSA site and can
provide it to you or auto-deploy the file through a software management system.
2. Double-click the Offline Access installation file.

3. On the RSA Archer Offline - InstallShield Wizard page, click Next.

4. Read the license agreement. Select I accept the terms in the license agreement. Click Next.
l To accept the default installation folder, click Next.
l To designate a different installation folder, click Change and specify the path to the folder
where you want to install offline access.
6. Click Install. This process takes several minutes to complete.
7. Click Finish to complete the installation.
8. Add the following Offline Access files as trusted processes for any anti-virus and firewall
applications.
The following table lists the files and their default locations.
File or Process Default Location
Archer.Offline.Tools.Controller.exe C:\Program Files\RSA Archer\Offline Access
Archer.Services.Queuing.exe C:\Program Files\RSA Archer\Offline

Access\services
ArcherTech.JobFramework.Cache.exe C:\Program Files\RSA Archer\Offline

Access\services
ArcherTech.JobFramework.Host.exe C:\Program Files\RSA Archer\Offline

Access\services
ArcherTech.JobFramework.Job.exe C:\Program Files\RSA Archer\Offline

Access\services
iisexpress.exe C:\Program Files\IIS Express
sqlservr.exe C:\Program Files\Microsoft SQL

Server\110\LocalDB\Binn\sqlservr.exe
SqlLocalDB.exe C:\Program Files\Microsoft SQL

Server\110\Tools\Binn\SqlLocalDB.exe
Purging Data in Offline Access

You can remove offline access data permanently by either a forced or manual purge. Complete
either process from offline access using the Purge option of the offline access utility.


Purge Description
Forced A forced purge is controlled through the Purge Data option in security parameters to
ensure that data is purged under ordered conditions. If you have not synchronized within
the specified time frame, you are forced to purge all offline access data upon login and
to run an initial synchronization. Offline access is not available until all data is purged
and until the initial synchronization is complete.
Manual A manual purge is initiated by you to remove all offline access data permanently from
the laptop. If you want to continue working offline, you must run an initial
synchronization.
Use the manual purge when:
l Moving from one environment to another, for example, test to production.
l Using a different RSA Archer instance.
l Using a different laptop.
Purge offline access data

1. On the taskbar, right-click the RSA icon.
2. Click Tools.
3. At the prompt, click Purge.
4. Run an initial synchronization.
Working Offline
While working offline, you can use the Offline access utility to open the logs created while working
offline and to exit offline access.
Open offline access logs

Offline access includes logs that help you troubleshoot processes. By default, the log files are stored
at C:\Program Data\RSA Archer\Offline Access\Logs.
1. Click the RSA icon on the computer taskbar.
2. Click Tools.
3. Click Open Logs.
Exit offline access

1. On the taskbar, right-click the RSA icon.
2. Click Exit.

Chapter 12: User Access Control

Access control provides a framework for maintaining users, roles, and security parameters, and for
assigning access rights at the system, application, record, and field levels.
l User accounts allow users to log on to RSA Archer.
l User groups provide a means of grouping users based on organizational structure or geographic
locations.
l Access roles are collections of application-level and page-level rights that an administrator can
create and assign to any number of users and groups to control user privileges (create, read,
update, and delete).
l Security parameters are rules for controlling user access to RSA Archer and its individual pages.
l LDAP synchronization streamlines the administration of users and groups by allowing updates
and changes that were made in the LDAP server to be reflected automatically in RSA Archer.
It is important to have well-defined policies around Help Desk procedures for your RSA Archer
installation. RSA strongly recommends that your Help Desk administrators understand the
importance of password strength and the sensitivity of data, such as user logon names and
passwords. Creating an environment where an end user is frequently asked for this kind of sensitive
data increases the opportunity for social engineering attacks. Train end users to provide, and Help
Desk administrators to request, the least amount of information needed in each situation.
Preventing social engineering attacks

Fraudsters frequently use social engineering attacks to trick unsuspecting employees or individuals
into divulging sensitive data that they can then use to gain access to protected systems. RSA
recommends that you use the following guidelines to help reduce the likelihood of a successful social
engineering attack:

l If Help Desk administrators need to initiate contact with a user, they should not request any user
information. Instead, users should be instructed to call the Help Desk back at a well-known Help
Desk telephone number to ensure that the original request is legitimate.
l The Help Desk telephone number should be well known to all users.
l Help Desk administrators should only ask for user name of the user over the phone when they call
the Help Desk. Help Desk administrators should never ask for user passwords.
l Help Desk administrators should authenticate the user's identity before performing any
administrative action on a user's behalf. RSA recommends that you verify user identity using the
following methods:
o Call the user back on a phone owned by the organization and on a number that is already stored
in the system.
Important: Be careful when using mobile phones for identity confirmation, even if they are
owned by the company because mobile phone numbers are often stored in locations that are
vulnerable to tampering or social engineering.
o Send an email to the user at a company email address. If possible, use encrypted email.
o Work with the manager of the employee to verify the user identity.
o Verify the identity in person.
o Use multiple open-ended questions from employee records. For example: "Name one person in
your group." or "What is your badge number?" Avoid yes or no questions.
Confirming user identities

It is critical that your Help Desk administrators verify each end-user identity before performing any
Help Desk operations. RSA recommends that you verify user identities using the following methods:
l Call the end-user back on a phone owned by the organization and on a number that is already
stored in the system.
Important: Be careful when using mobile phones for identity confirmation, even if they are
owned by the company. Mobile phone numbers are often stored in locations that are vulnerable to
tampering or social engineering.
l Send an email to the user at a company email address. If possible, use encrypted email.
l Work with the employee's manager to verify the user's identity.
l Verify the identity in person.
l Use multiple open-ended questions from employee records. For example: "Name one person in
your group." or "What is your badge number?" Avoid yes or no questions.

Advice for your users

RSA recommends that you instruct your users to do the following:
l Never give their passwords to anyone, not even to Help Desk administrators.
l Change their passwords at regular intervals.
l Be aware of what information requests to expect from Help Desk administrators.
l Always log off from the RSA Archer web interface when finished.
l Always lock their desktops when they step away from their computers.
l Regularly close their browser and clear their cache of data.
l Do not upload any files to RSA Archer from sources other than themselves.
l Never enable active content when opening CSV files with spreadsheet applications like Microsoft
Excel or LibreOffice Calc.
Note: RSA recommends that you conduct regular training to communicate this guidance to users.
Entity permissions
RSA Archer supports user permissions on multiple system components. RSA recommends that you
grant permissions only to users who need to access these components. When granting permissions to
these components, RSA recommends that you do not select the Everyone group because that group
grants rights for all users. Additionally, RSA recommends that you review the granted permissions
on a routine basis to ensure that the correct access is granted to the users.
The following table explains how user permission is configured on the supported components.
Component Permissions Explanation
Workspaces, Configured from the Access tab in a workspace or dashboard. RSA recommends
Dashboards, that you configure these components to be private.
Global iViews
Global Reports Configured when you save a report. RSA recommends that you set the
Permissions field to Global Report.
Record Configured in a Record Permissions field in an application or questionnaire.

Permissions
Field Configured in the Access tab in a field in an application or questionnaire. RSA

Permissions recommends that you configure fields to be private.

Component Permissions Explanation
Application Configured in Application Builder for the assigned applications, questionnaires,

Owners, or sub-forms owners.
Questionnaire
Owners,
Sub-Form
Owners
Global Report Configured in Application Builder for the assigned report owners in a specific
Administrators application or questionnaire.
Discussion Configured in Discussion Forums. Discussion forum roles provide administration

Forum Roles and forum creation rights for specific discussion communities.
User Accounts
Each RSA Archer user must have an account to log on to the system. When adding a user consider
the following:
l Will the user be notified of password information?
l Will the user be forced to change the password at next log in?
l Does the user speak a language different from the default language?
l Does the user require a specific security parameter?
l What groups should the user be enrolled in, and which access roles should be assigned to the user
account?
Important: RSA strongly recommends that you ensure that users are approved for logging on to the
system before you create an account for them. Even when users are approved, RSA recommends
that you only assign the minimum set of access permissions that enable the users to perform their
job.
System administrator and default services accounts

The RSA Archer installation process automatically creates a System Administrator (sysadmin)
account and a series of Default Services accounts. These accounts are set up in the Archer Control
Panel. You cannot delete or rename these accounts, but you can disable the System Administrator
account.

A user account with system administrator privileges is not the same as the System Administrator
account. It cannot, for example, see the System Administrator account or change its password. Only
someone who has access to the System Administrator account can manage it. See Understanding the
System Administrator Account and Default Services Passwords for more information.
New user account with system administrator privileges

RSA recommends that you create a new user account and assign the System Administrator access
role to it. This access role grants the account all rights within RSA Archer.
For instructions on creating a new user account, see Adding User Accounts.
For instructions on assigning access roles to an account, see Assigning Access Role to Users.
Important: RSA recommends that before issuing this account, you ensure that the user is approved
for full access to the system.
User account passwords

All new user accounts are created with a unique password assigned manually by an administrator or
generated randomly by RSA Archer. RSA strongly recommends that you enable the Force Password
Change on Next Sign-In option in RSA Archer for all new user accounts. Configuring this option
requires users to change their password the first time that they log on to RSA Archer.
RSA Archer enforces the password strength, logon, and session time-out policies defined in security
parameters.
Note: These security parameters are enforced by RSA Archer across all user accounts except the
sysadmin and service accounts. RSA strongly recommends that you instruct your administrators on
your corporate IT policy and security best practices for generating and managing passwords for all
accounts.
The following table shows the password settings of the default

security parameter. RSA recommends that you treat these settings
as the minimum requirement for enforcing strong passwords and
secure sessions in RSA Archer.
Parameter Setting
Minimum password length 9 characters
Alpha characters required 2 characters
Numeric characters required 1 character
Special characters required 1 character

Parameter Setting
Uppercase characters required 1 character
Lowercase characters required 1 character
Password change interval 90 days
Previous passwords disallowed 20 passwords
Grace logons 0 logon
Maximum failed logon attempts 3 attempts
Session time-out 10 minutes (sysadmin account)

30 minutes (service account)
Account lockout period 999 days
Adding User Accounts

You must create a user account for each user who needs access to RSA Archer. Login credentials
are the same on the mobile device as they are for RSA Archer. Mobile users log in to mobile
devices using their user name and password that is established in their user account.
Configuring new accounts

Each RSA Archer user must have an account to log on to the system.
New User Accounts
All new user accounts must have a unique password, generated under one of the following sets of
circumstances:
l The system administrator assigns the password manually. RSA strongly recommends that you
enable the Force Password Change with the Next Sign-In option in RSA Archer for all new user
accounts. Configuring this option requires the user to change the password after the first
successful logon attempt.
l If the single sign-on feature is in place on your system, RSA Archer automatically creates a
random password for each new user.
Important: RSA strongly recommends that you ensure users are approved for logging on to the
system before creating an account for them. Even when users are approved, RSA recommends that
you only assign the minimum set of access permissions for users to perform their job.

New User Account with System Administrator Privileges
RSA recommends that you create a new user account and assign the System Administrator access
role to it. This access role grants the account all rights within RSA Archer.
Important: RSA recommends that before issuing this account, you ensure that the user is approved
for full access to the system.
Platform User Accounts
RSA Archer enforces the password strength, logon, and session time-out policies specified by the
security parameters defined in the Administration workspace.
Note: These security parameters are enforced by RSA Archer across all user accounts except the
sysadmin and service accounts. RSA strongly recommends that you instruct your administrators on
your corporate IT policy and security best practices for generating and managing passwords for all
accounts.
The following table shows the default security parameters settings

for password strength.
Parameter Setting
Minimum password length 9 characters
Alpha characters required 2 characters
Numeric characters required 1 character
Special characters required 1 character
Uppercase characters required 1 character
Lowercase characters required 1 character
Password change interval 90 days
Previous passwords disallowed 20 passwords
Grace logons 0 logon
Maximum failed logon attempts 3 attempts
Session time-out 10 minutes (sysadmin account)

10 minutes (user account)
30 minutes (service account)
Account lockout period 999 days

RSA recommends that you treat these settings as the minimum requirement for enforcing strong
passwords and secure sessions in RSA Archer.
Important: Regardless of the security parameter settings, RSA Archer passwords cannot contain
more than:
l Three consecutive matching characters, for example aaaa.

l Three consecutive characters from the user name.
Add a user account
1. Go to the Manage Users page.

b. Under Access Control, click Users.
2. Click Add New.

3. In the General Information section, enter the name of the user, the user name for log on, and the
domain.
The following table describes each property.
First The valid name of the user. First and last names are required.
Name, Middle
Name, and
Last Name
User Name A seven character system-defined name in all lowercase. The user name
contains the first six characters of the Last Name followed by the first
character of the First Name. If the Last Name is fewer than six characters,
the system uses additional characters from the First Name to make a seven-
character user name. If the user name is not unique in the domain, the system
appends a number (up to 999) to the end of the name to make the name unique.
User Domain If your RSA Archer instance has one or more Lightweight Directory Access
Protocol (LDAP) configurations defined, select the domain to which the user
is a member. To use the RSA Archer domain, select No Domain.
4. (Optional) In the Contact Information section, enter the default email address and any other
pertinent information for contacting the user.


Address The complete address of the user.
Company The company name.
Title The title of the user.
Email The following user email types are available:
l Business l Mobile 2
l Business 2 l Other
l Home l Other 2
l Home 2 l Pager
l Mobile
Phone The following user telephone number types are available:
l Assistant l ISDN
l Business l Mobile
l Business 2 l Mobile 2
l Business Fax l Other
l Home l Other 2
l Home 2 l Other Fax
l Home Fax l Pager
5. (Optional) In the Localization section, enter the time zone, locale, and language if the location
and language of the user is different from the system.
Option Description
Time Zone The time zone for the location of the user. Time is based on Coordinated
Universal Time (UTC). All time is stored as UTC and converted based on the
time zone of the user.
Locale The physical location of the user.

Option Description
Manually Overrides the default language set for the instance. When you select this option,
select a you must specify the language.
language
6. In the Account Maintenance section, enter the user password and assign the security parameter
for this user.
Status The current status of the user account. The options are Active, Inactive, or
Locked.
Password For new user accounts, the password must be entered and confirmed. These
entries must match exactly. The password must conform to the default security
parameter password rules.
For existing user accounts, use the Change Password link to change the
password manually.
The Send user a notification with password information option enables RSA
Archer administrators to notify new users that the user account has been setup
with a temporary password and may require a password change.
Force Determines whether the user is forced to change the password the next time
Password the user logs in.
Change
Security The security parameter assigned to the user. A user can only have one security
Parameter parameter assigned at a time.
Notifications, Enables users to select the records and applications for which they want to
Subscriptions receive notifications when an update occurs.

Default Sets a user’s default home page to use either a task-driven landing page or a
Home Page dashboard based on group, role, or user profile. If the user belongs to multiple
roles or groups, the home page is based on the most recently assigned role or
group. Once the user logs in, the selected home page becomes default and any
changes to the home page of the role or the group do not affect the user's
default home page.
Note: If the user's permission to access the dashboard assigned to the home
page is revoked, a message appears upon log in allowing them to select a new
home page.
Important: If the administrator sets the default home page while the user is
logged in, the user must click the Home button to refresh the home page
setting. If the user changes the default home page selection, the change is
applied upon clicking Save.
Default Sets which dashboard displays on the default home page.

Home
Dashboard
7. (Optional) Select the Send user a notification with password information checkbox if you want to
send the user an email notification of the password change.
Note: If you do not select this checkbox, you must inform the user of the new password. The
Default Email address is used for the notification email.
8. (Optional) In the Notes section, record any additional information about the user account, for
example, list hours of availability or preferences for how the user should be contacted. Account
notes appear when users click a linked user name in RSA Archer to view the user profile.

Deleting User Accounts

When you delete a user account, the user can no longer log on to RSA Archer, and the user name is
no longer available for selection in the User/Groups List and Record Permissions fields. In saved
records where the user name has been selected in a User/Groups List or Record Permissions field,
the user name is removed. After you have deleted a user account, you can reuse the associated user
name for another account, or you can re-create the deleted account and assign the same user name
used in the original account.
Note: You cannot delete a user account that is used in an advanced workflow.

2. Click the user account that you want to delete, and view the description.
3. In the Actions column, click for the user account that you want to delete.
4. Click OK.
Identifying User IDs
Identifying the User ID of a single user

2. Under Access Control, click Manage Users.
3. Hover your mouse over the user in which you want the User ID.
4. Note the User ID in the bottom right of the screen.
Identifying the User ID of all users

2. Under Access Control, click Access Control Reports.
3. Click Export Account Data.
4. In your account email, open the .zip file.
5. In the .zip file, download the Users.csv file.

Ending Active User Sessions

When you end an active user session, the user is logged off from RSA Archer immediately and must
log back on to continue working.

2. Click the row of the user account that you want to log off.
3. In the Actions column, click for the user account that you want to log off.
Maintaining Security
Security Patch Management
Security patches are released on an as-needed basis.

All security patches for RSA Archer originate as RSA and are available for download as an update,
as long as you have a current maintenance agreement in place with RSA. Updates are available
from RSA SecurCare Online. Product documentation is posted on the RSA Archer Community on
RSA Link. RSA recommends you register your product and sign up for the RSA Archer Community
on RSA Link.
The following table lists the third-party components for which patches are needed.
Third-Party
EMC Customer Reference to
Component for Frequency
Responsibility Responsibility Instructions for
which Patch Is of Patch
(Yes or No) (Yes or No) Applying Patch
Needed
Windows Server 2012 Determined No Yes Based on vendor

R2 & 2016 by vendor. recommendations.
SQL Server 2014 Determined No Yes Based on vendor

& 2016 by vendor. recommendations.
Malware Detection
RSA recommends that you deploy a malware detection solution on the web and database servers.
The malware detection solution should be based on your standard tools and best practices. It is your
responsibility to deploy patches and updates for the malware detection tools.

Virus Scanning
RSA recommends that you run virus scanning software on the deployed servers on a routine basis. If
you are running Threat or Vulnerability feeds, RSA strongly recommends that you disable virus
scanning for the folder in which the Threat or Vulnerability data files are temporarily stored. A virus
scanning engine could interpret the data as a virus or malware.
For information on configuring the folder, see Threat Data Feeds.
Ongoing Monitoring and Auditing
As with any critical infrastructure component, RSA recommends that you constantly monitor your
system and perform periodic and random audits, for example, configuration, permissions, and
security logs. Ensure that the configurations and user access settings match your company policies
and needs.
Reassigning User Resources

RSA Archer enables a system administrator to reassign resources from one user to another. The
need for reassigning resources can arise if employees change their roles or even leave the company
entirely.
Resources for a specific user often affect multiple records. Identifying, locating, and reassigning
resources manually can be a cumbersome and time-consuming process. The User Reassignment
functionality identifies all resources for a user so you do not have to search for them yourself.
Consider the following before using the User Reassignment feature:
l Only users with system administrator rights can perform a user reassignment.
l User resources include any content in applications and questionnaires that has direct reference to
specific users. For example, a user may be the owner, creator, or reviewer of a record, and the
record may generate multiple notifications. You should carefully consider the users to whom you
want to reassign resources.
l System administrators cannot reassign his or her own resources to another user.
l If you have initiated a reassignment for a specific target user, you must wait until the process has
completed before initiating another reassignment to the same target user. However, multiple
reassignments can be in progress at the same time as long as they do not target the same user.
l If the record you are reassigning is configured to send notification emails, you can select an
option that prevents the sending of emails after the reassignment is complete.
l You cannot reassign user resources to groups.
l Some target users you select for reassignment may not be available for a specific record. In this
case, you can update the record to make the user available, and then perform the reassignment.

Reassign an Archer user

a. From the menu bar, click the Administration menu.
2. In the Manage Users list, find the name of the source user whose resources you want to
reassign, and then do one of the following:
l In the Actions column, click .
l Click the name of the user to display the profile details, and then click .
3. In the User Information section, confirm that you have selected the correct source user for
reassigning.
4. In Reassignment Users, click , select one or more target users, and then click OK.
5. In Notifications, do one of the following:
l Select Send if you want RSA Archer to send notification emails for all notification-configured
records that are reassigned.
l Select Do Not Send if you want to prevent RSA Archer from sending notification emails for
reassigned records.
6. On the Applications and Questionnaires tabs, select the resources you want to reassign in the
Reassign column.
7. In the New User column, specify a target user to whom you are reassigning each selected
resource.
8. Click OK.
Viewing User Login History

You can view all of the sessions associated with any user account, and review details such as the
date, start time, and duration of each session.
1. Go to the user account.

c. Select the user account that you want to view.
2. In the Account Maintenance section, click the text in Last Login field.

Understanding System Administrator and Default Services

Account Passwords
RSA recommends instructing administrators on your corporate IT policy and security best practices
for generating and managing passwords for default System Administrator (sysadmin) and default
services accounts.
After installing RSA Archer, change the passwords of the SysAdmin Account and Services
Account. Thereafter, change both passwords at least every 90 days using the RSA Archer Control
Panel. The new passwords must meet the security parameter configuration for the accounts. You can
disable the sysadmin account, but cannot delete or rename it.
Default Archer Service Accounts Password
In RSA Archer, there is one password for all RSA Archer service accounts.
The following table lists the RSA Archer service
accounts.
Service User Name
Asset Server userArcherAssetServer
Async Service userArcherAsynService
Calculation Agent userArcherCalculationAccount
Data Feed Service userArcherDataFeedService
LDAP Service userArcherLdapService
Migration User userMigrationUser
Notification Service userArcherNotificationService
Offline Access userOfflineService
Guidelines for Managing Passwords

The SysAdmin and Services Account passwords must meet certain requirements.
The following table describes default minimum
security requirement guidelines.
Password Requirements Value
Minimum password length 9
Alpha characters required 2

Password Requirements Value
Numeric characters required 1
Uppercase letter required 1
Lowercase letter required 1
Special characters 1
The following table describes values for pass-

word change and expiration intervals.
Change and Expiration Intervals Value
Password change interval: 90 days
Number of previous passwords: 20
Grace logins: 0
Password expiration notice: 30 days
The following table describes values for

authorization properties.
Authorization Properties Value
Maximum failed login attempts: 3
Session timeout: 10 minutes
Account lockout period: 999 days
Account account deactivation: None
Change the SysAdmin password
1. On the RSA Archer Control Panel Accounts tab, go to the SysAdmin Account section of the
instance you want to update.
a. Open the RSA Archer Control Panel.
b. From the Instance Management list, double-click the instance.
2. In the New Password field, enter the password for the SysAdmin account.

3. (Optional) Select Show Password to show the password as you enter it. If this option is not
selected, the password is masked with substituted characters for the actual text.
Change the Services Account password
1. On the RSA Archer Control Panel Accounts tab, go to the Services Account section of the
instance you want to update.
b. From the Instance Management list, double-click the instance.
2. In the New Password field, enter the password for the Services account.
3. (Optional) Select Show Password to show the password as you enter it. If this option is not
selected, the password is masked with substituted characters for the actual text.
Updating User Accounts

1. Go to the General Information tab of the user account that you want to update.

c. Select the user record.
d. Click the General Information tab.

First The valid name of the user. First and last names are required.
Name, Middle
Name, and
Last Name
User Name A seven character system-defined name in all lowercase. The user name
contains the first six characters of the Last Name followed by the first
character of the First Name. If the Last Name is fewer than six characters,
the system uses additional characters from the First Name to make a seven-
character user name. If the user name is not unique in the domain, the system
appends a number (up to 999) to the end of the name to make the name unique.

User Domain If your RSA Archer instance has one or more Lightweight Directory Access
Protocol (LDAP) configurations defined, select the domain to which the user
is a member. To use the RSA Archer domain, select No Domain.
3. Complete the Contact Information section.

Address The complete address of the user.
Company The company name.
Title The title of the user.
Email The following user email types are available:
l Business l Mobile 2
l Business 2 l Other
l Home l Other 2
l Home 2 l Pager
l Mobile
Phone The following user telephone number types are available:
l Assistant l ISDN
l Business l Mobile
l Business 2 l Mobile 2
l Business Fax l Other
l Home l Other 2
l Home 2 l Other Fax
l Home Fax l Pager
4. Complete the Localization section.


Option Description
Time Zone The time zone for the location of the user. Time is based on Coordinated
Universal Time (UTC). All time is stored as UTC and converted based on the
time zone of the user.
Locale The physical location of the user.
Manually Overrides the default language set for the instance. When you select this option,
select a you must specify the language.
language
5. Complete the Account Maintenance section.

Status The current status of the user account. The options are Active, Inactive, or
Locked.
Password For new user accounts, the password must be entered and confirmed. These
entries must match exactly. The password must conform to the default security
parameter password rules.
For existing user accounts, use the Change Password link to change the
password manually.
The Send user a notification with password information option enables RSA
Archer administrators to notify new users that the user account has been setup
with a temporary password and may require a password change.
Force Determines whether the user is forced to change the password the next time
Password the user logs in.
Change
Security The security parameter assigned to the user. A user can only have one security
Parameter parameter assigned at a time.
Notifications, Enables users to select the records and applications for which they want to
Subscriptions receive notifications when an update occurs.

Default Sets a user’s default home page to use either a task-driven landing page or a
Home Page dashboard based on group, role, or user profile. If the user belongs to multiple
roles or groups, the home page is based on the most recently assigned role or
group. Once the user logs in, the selected home page becomes default and any
changes to the home page of the role or the group do not affect the user's
default home page.
Note: If the user's permission to access the dashboard assigned to the home
page is revoked, a message appears upon log in allowing them to select a new
home page.
Important: If the administrator sets the default home page while the user is
logged in, the user must click the Home button to refresh the home page
setting. If the user changes the default home page selection, the change is
applied upon clicking Save.
Default Sets which dashboard displays on the default home page.

Home
Dashboard
6. (Optional) In the Account Notes section, enter any additional information about the user account.
User Groups
User groups are groups of users set by an administrator. You can add user groups to other groups to
create a hierarchical structure of user groups and subgroups. For example, you can create a Sales
group that includes all user accounts for members of the Sales team. In the Sales group, you can
create other groups, such as Midwest Sales Team and East Coast Sales Team, and add the
appropriate users to these user groups.

Use groups to streamline key tasks in RSA Archer according to your business practices, such as:
l Assigning access rights at the application, page, record, and field levels to user groups rather than
individual users.
l Enrolling a user group in a discussion forum.
l Sending a Training and Awareness event to members of a specific user group, such as the
Incident Investigation group.
When a user becomes a member of a user group with an associated role, the user automatically
receives the permissions of the access role. For example, a Policy Administrators group has an
associated access role that grants create, read, and update privileges to the Policies application. All
members added to this user group are granted the same access rights related to policy-related job
functions.
Important: Users must exist before groups can be created. Groups must exist before adding an
access role or security parameter.
Other uses for groups

l Administrative functions
l Global reports
l Data records
l Private fields
l Email notifications
l Content Review stages
l Training and Awareness campaigns
l Forums and polls
Adding User Groups

Users must exist before creating groups. Groups must exist before adding an access role or security
parameter.
Add a user group
Note: When importing and installing a package that contains groups, you must manually add the
members of the group to that group. For more information, see "Manage Packages" in the Online
Documentation.

1. Go to the Manage Group: (New) page.

b. Under Access Control, click Groups.
2. Click Add New.

3. In the General Information section, enter the name and description of the group.
Add members to a user group
1. Go to the group to which you want to assign members.

c. Select a group.
2. In the Members section, from the Available list, select the groups and users that you want to be
members of the group. You can either browse through the nodes or use the Find field to search
for a specific user or group.
Add a user group to another group
1. Go to the user group that you want to add to one or more groups.

c. Select the user group.
2. In the Member Of section, from the Available list, in the Groups field, select the group or groups
to set as a parent for the current group. You can also use the Find field to search for a specific
group.


Identifying User Group IDs
Identifying the Group ID of a single group

2. Under Access Control, click Groups.
3. Hover your mouse over the group in which you want the Group ID.
4. Note the Group ID in the bottom right of the screen.
Identifying the Group ID of all groups

2. Under Access Control, click Access Control Reports.
3. Click Export Account Data.
4. In your account email, open the .zip file.
5. In the .zip file, download the Groups.csv file.
Assigning Users to User Groups

You can assign a user to a group or unassign a user group from a user account.
Important: If a group is created through LDAP synchronization, you cannot use these tasks to
assign or unassign a group. To assign or unassign a user from an LDAP group, you must make the
appropriate changes in your LDAP directory and then run a data synchronization.
Assign a user to a group
1. Go to the user account that you want to assign to the group.


c. Select the user account that you want to update.
2. Click the Groups tab.

3. Click Lookup.
4. In the Available list, in the Groups section, select the group.
Note: To search for a specific group, enter the group name in Find and click . The results of
your search appear in the Available list of the Search Results node.
5. Click OK.
Unassign a user group from the user account

1. Select the user account that you want to unassign from a group.
2. Click the Groups tab and click Lookup.
3. From the Selected list, click for the group that you want to unassign.
4. Click OK.
Deleting User Groups

Note: The Everyone group cannot be deleted and contains all users and groups that are selected
from a User/Groups List or Record Permissions field in a content record. If a group contains
subgroups, remove the subgroups from the group before you delete the group.

Important: If the group was created through LDAP synchronization, you cannot use this task to
delete the group. Make the appropriate changes in your LDAP directory and then run a data
synchronization. To delete a group using the Web Services API, use the AccessControl.DeleteGroup
method.
Important: You cannot delete user groups that are used in an advanced workflow.
1. Go to the Manage Groups page.

2. Click the row of the group that you want to delete.
3. In the Actions column, click .

4. Click OK.
Access Roles
An access role is a collection of application-level and page-level rights that an administrator can
create and assign to any number of users and groups to control user privileges (create, read, update,
and delete). For example, the access role of a General User can allow access only to applications,
and the access role of an Administrative User can allow access only to RSA Archer features. RSA
recommends that you assign permissions through group membership, and not assign permissions
directly to user accounts.
RSA Archer includes an access role called System Administrator that you cannot delete or modify.
The System Administrator role grants users unrestricted access to all RSA Archer features and to all
records stored in applications, including records enrolled in content review. Only System
Administrators can assign the System Administrator access role.
RSA Archer solutions include pre-defined access roles for use with the solution.
For instructions on assigning permissions through group membership, see Assigning Access Roles to
Users and Groups.
As the number of users, groups, and applications increases, keeping track of who has access to what
becomes more complex. RSA recommends simplifying the process. If you create granular access
roles for each of your applications, for example, Policy Administrator, Policy Author, and Policy
Reader, you can grant access to new or existing users and groups by selecting from a list of
predefined access roles.
Importing access roles

Although access roles are supported objects in the packaging process, when you import access roles

with groups during the packaging process, you must manually associate each access role to the
respective group. After the package is installed, you must manually add users to each group in the
target instance.
Adding Access Roles

RSA Archer supports role-based access control. RSA Archer allows you to create access roles that
you can assign to users. Each access role is mapped to a list of user authorization settings. User
authorization settings control rights or permissions that are granted to a user for accessing a resource
managed by RSA Archer.
Creating an access role defines the application and page-level rights for all users assigned the role.
Page-level rights
The following table describes page-level rights.
Rights Description
Create Create new page content, such as records, fields, notification templates, and content
review stages.
Read Read page content.
Update Modify existing page content.
Delete Delete page content.
Add an access role

1. Go to the Manage Access Role page.

b. Under Access Control, click Access Roles.
2. Click Add New.

l If you want to create a new access role, click Create a new Access Role from scratch, and
then click OK.
l If you want to create a new access role from an existing access role, click Copy an existing
Access Role. Select the access role from the Access Role list, and then click OK.
4. In the General Information section, enter a name and description for the access role.
5. (Optional) To enter an Alias, click Apply, and then enter an Alias name.

6. (Optional) To set access role as the default for all users and groups, in the Default Access Role
field of the Default Access Role section, click Assign as Default.
7. (Optional) In the Group Assignments section, assign groups to the access role.
8. Click Apply.
9. On the Rights tab, and select the (Create, Read, Update, and Delete) checkboxes that
correspond to the appropriate rights for each page type.
l User or group access to the Manage Global Values Lists page provides access to all global
values lists in RSA Archer. If you want a user to have access to specific global values lists
and not all lists, select the appropriate CRUD access for the individual global values list.
l If you grant access rights to import data, you must also grant rights to the content record that
data will be imported into. For example, users can import data into the Policies application
only if they have access to Integration: Data Imports; Create, Read, and Update rights to
Policies: Content Record; and Policies: Data Import.
Assigning Rights to Access Roles

When adding or updating an access role, you can assign which page-level rights users and groups
have.
1. Go to the Rights tab of the applicable access role.

c. Select the Access Role.
d. Click the Rights tab.
2. Select the (Create, Read, Update, and Delete) checkboxes that correspond to the appropriate
rights for each page type.
The following table describes each of the rights.
Rights Description
Create Create new page content, such as records, fields, notification templates, and content
review stages.
Read Read page content.

Rights Description
Update Modify existing page content.
Delete Delete page content.

Assigning Access Roles to Users or Groups

RSA Archer allows creating one or more access roles. Each access role is mapped to a list of
permissions that grant the user rights to perform certain tasks and create, read, update, and/or delete
RSA Archer entities. RSA recommends that you limit privilege abuse and conflict of interests by
configuring access roles that provide separation of duties.
Immediately after installation, RSA recommends you configure access roles as follows:
l Create a new access role with no rights and make it the default role. Grant additional roles to
users as needed for appropriate access in RSA Archer.
l Create read-only roles that can be used by an auditor. RSA recommends that these roles only
have permissions to view reports, configurations, and logs.
l Create a new Security Administrator role that has full rights to Access Control. Grant the
Security Administrator role access rights to managing roles.
l Configure access roles to grant non-administrative users only the rights they need for each task
based on their role in the organization. You can grant multiple access roles to each user. RSA
recommends that these roles do not have permission to view or modify security configuration.
RSA recommends that you review users’ task permissions on a routine basis to ensure that each user
is granted the correct task permissions.
Access roles are cumulative and can be assigned to users, groups, and users with more than one
access role.
Example
One access role grants create, read, and update privileges in the Policies applications and another
access role grants only delete privileges. A user who is assigned both access roles has create, read,
update, and delete privileges in the Policies applications.

Role Assignment by Group or User
RSA Archer allows access roles to be assigned to users through group membership or directly to
user accounts. RSA recommends that you assign permissions through group membership and not
directly through user accounts.
You can assign access roles to users in either of the following ways.
Assign an access role to a user
1. Open the user account to which you want to assign an access role.

c. Select the user account.
2. Click the Roles tab.

3. Click Lookup.
4. In the Available list, expand the Roles tree, and click the access role to assign.
5. Click OK.
Assign an access role to a user group

The group that you are assigning to the access role must exist.
If you associate a user group with an access role and the group contains subgroups, the subgroups
are not automatically associated with the access role. To associate subgroups with an access role,
you must also select the subgroups.
1. Open the access role to which you want to assign a user group.


c. Select the access role.
2. In the Group Assignments section, click Assign.

3. From the Available list, expand Groups, and select the group or groups to which you want to
assign the access role. You can also use the Find field to search for a specific group.
Unassign an access role from a user account

You only can remove roles in which the Assignment Method is set to Manual.
1. Open the user account from which you want to unassign an access role.

2. Click the Roles tab.

3. From the Selected list, click to unassign the applicable access roles.
4. Click OK.
Setting the Default Access Role

The default access role is automatically assigned to all new user accounts. You can only set one
access role as the default.
1. Open the access role to set as the default access role.


2. In the Default Access Role section, click Assign as Default.

Updating Access Roles

Users with designated permissions can update an access role.
Note: Complete only the steps that apply to the property that you are changing.
1. Open the applicable access role.

b. Under Access Control, click Access Role.
2. (Optional) In the General Information section, update the name or description.

3. (Optional) In the Default Access Role section, click Assign as Default.
4. (Optional) In the Group Assignments section, click Assign and do the following:
l To assign an access role, under Available, select the appropriate group or groups.
l To search for a specific group, enter the group name in the Find field and click .
l To remove a group from the Selected list, click next to the access role.
5. (Optional) Click the Rights tab and select the checkboxes that correspond to the appropriate
rights for each page.
Deleting Access Roles

CAUTION: Deleting an access role is permanent. You cannot recover a deleted access role. Users
and groups that are assigned to the deleted access role lose the privileges of the access role.

Note: You cannot delete the default access role. To delete the default access role, first set another
access role as the default access role.
1. Go to the Manage Access Roles page.

2. In the Actions column of the access role, click .

3. Click OK.
Security Parameters
Security parameters allow you to control the password and authorization rules for user sessions.
l Password rules determine the password strength requirements and how frequently passwords must
be changed.
Note: The instance security settings determine whether users are allowed to change their
password while working in RSA Archer. Verify with your IT administrator that your instance is
configured to allow users to change their passwords. Instance parameters are managed in the
l Authorization rules determine how users can access their account, the length of a session, and the
system behavior if a user locks him or herself out of the account.
You can create multiple security parameters, but only one security parameter is assigned to a user.
You can designate a security parameter as the default parameter for all new user accounts.
If your instance is licensed for offline access or the mobile app, you must define security parameters
for mobile users. These parameters include account lockout duration, session time-out behavior,
active session restrictions, and sync alert behaviors.
Security parameters for a single sign-on

If your organization uses a single sign-on (SSO) solution, most security parameter settings are not
applicable because your network enforces the following:
l Password expiration
l Account lockout
l Time frames
l Password strength requirements

After successfully authenticating, SSO solution users can access RSA Archer with no need for
defined security parameters.
Adding Security Parameters

Security parameters determine the password and authorization rules for user sessions.
Note: The instance security settings determine whether users are allowed to change their password
while working in RSA Archer. Verify with your IT administrator that your instance is configured to
allow users to change their passwords. Instance parameters are managed in the RSA Archer Control
Panel.
1. Go to the Manage Security Parameters page.

b. Under Access Control, click Security Parameters.
2. Click Add New.

l To create a new security parameter, select Create a new Security Parameter from scratch,
and click OK.
l To create a new security parameter from an existing security parameter, select Copy an
existing Security Parameter, select the existing security parameter from the Security
Parameter list, and click OK.
4. In the General Information section, enter the name and description of the security parameter.
5. (Optional) In the Alias field, enter a different name if you want to use an alias to identify the
security parameter.

6. In the Password Properties section, enter password rules that you want to enforce.
The following table describes each option.
Property Action
Password format a. In the Minimum Password Length field, select the minimum number of
characters or select Other and enter a different value.
b. In the Numeric Characters Required field, select the minimum number
of numbers or select Other and enter a different value.
c. In the Uppercase Characters Required field, select the minimum
number of uppercase characters or select Other and enter a different
value.
d. In the Alpha Characters Required field, select the minimum number of
alphabetic letters or select Other and enter a different value.
e. In the Special Characters Required field, select the minimum number of
special characters or select Other and enter a different value.
f. In the Lowercase Characters Required field, select the minimum
number of lowercase characters or select Other and enter a different
value.
Password a. In the Previous Passwords Disallowed field, select the number of

limitations previous passwords a user may not use as the new password or select
Other to enter a different value.
b. In the Grace Logins field , select the number of times a user is allowed
to bypass the password change alert or select Other to enter a different
value.
Password In the Password Expiration Notice field, select the number of days for
expiration notice prompting the user to change the password or select Other to enter a
different value.
Password In the Password Change Interval field, the number of days after which a
change interval user is required to change the password or select Other to enter a different
value.
Restrict a. In the Password Change Limit field, click Enable password change
frequency of limit.
password b. Enter or select the period (in Hours) in which users can change their
change passwords for this security parameter.
7. In the Authorization Properties section, enter the authorization rules that you want to enforce.

The following table describes each rule.

Rule Action
Number of In the Maximum Failed Login Attempts field, select the

allowed login number of unsuccessful login attempts a user is allowed,
failures or select Other to enter a different value.
Account lockout In the Account Lockout Period field, select the period
period after login that an account remains locked before the user can log in
failures again, or select Other to enter another value.
Timeout for an In the Session Timeout field, select the maximum length
inactive session of time an active user session without activity can remain
active before the session is automatically timed out, or
select Other to enter a different value. You can enter the
number of seconds in the range from 30 to 300.
Time limit for In the Automatic Account Deactivation field, select the
account number of days a user account can remain active before
inactivity the account becomes deactivated, or select Other to enter
a different value.
Note: To prevent the account from being deactivated at

the end of the time limit, the user must log in to RSA
Archer before the nightly system job
AutomaticUserAccountDeactivationJobHandler runs.
Time period a. In the Limit Session Time field, click Allow active
allowed for user user sessions only for a specific time period.
sessions b. In the From field, enter the start time of the period.
c. In the To field, enter the end time of the period.
d. In the Time Zone field, select the time zone that
applies to the active session limitation.
Active user a. In the Static Session Timeout field, click Enable

session period static session timeout.
before requiring b. Select the time interval that is allowed for active user
re-authentication sessions before the user must re-authenticate.

Rule Action
Days disallowed In the Days Disallowed field, click and select the days
for user sessions (Sunday through Saturday) that user sessions are not
allowed and click OK.
To remove a day from the Selected list, click adjacent to
the day that you want to remove from the list.
Dates disallowed In the Dates Disallowed field, click and select the dates
for user sessions that user sessions are not allowed and click OK.
To remove a date from the Selected list, click adjacent to
the date that you want to remove from the list.

Rule Action
Warning period a. In Session Timeout Warning, select Enable session

before the timeout warning.
session times out b. In Seconds, enter the length of the warning period in
the range 30 to 300.
Important: This option specifies the maximum
number of seconds in a warning period before a user
is automatically logged out of a session. This warning
period applies to both a simple Session Timeout and
an enabled Static Session Timeout. When the
warning period begins, a message box appears,
displaying a countdown until the active session
terminates. This box always appears at the beginning
of the warning period, regardless of user activity or
inactivity.
Things to remember:
l When the warning box for a simple Session
Timeout appears, you can stop the countdown and
reset the warning period. To reset, you must either
click Continue Working in the countdown box or
complete an action, such as loading an application
or performing a save, that communicates with the
server.
Note: Note: Certain user actions, such as typing

text or clicking a tab with the mouse, do not reset
the warning period because they do not
communicate with the server.
l In the last few seconds before the countdown

reaches zero, factors such as the speed of the
network may mean that there is not enough time to
prevent the session terminating. In this case it is
best to save changes and stop the countdown early.
l If the simple Session Timeout setting is a short
amount of time, for example 5 minutes, then the
countdown box will appear frequently. To reduce
the frequency, increase the setting (for example to
30 or 60 minutes).

Rule Action
l When the warning box appears because a Static

Session Timeout interval is about to expire, the
user cannot stop the countdown and must log in
again after the session terminates. This is true
regardless of session activity. The user should not
wait until just before the session terminates to
save changes.
PIN Expiration Select the maximum length of time a PIN remains active

before expiring.
Maximum Select the number of times a user can request a PIN

PIN Resends before the system prevents them from requesting an
additional PIN.
Reset Maximum Select the lockout period before the user can request a
PIN Resends PIN after the user exceeds their maximum PIN resend
limit.

Security Parameters for Mobile Users

To set mobile authorization properties in a security parameter, either:
l The instance must be licensed for mobile questionnaires
l The solution must be licensed for offline access.
If the instance or solution is not licensed, the Mobile Authorization Properties section is not
displayed on the Manage Security Parameter page.
The security parameters for a mobile user include:
l Login credentials for mobile users
l Session behaviors for mobile users
l Data synchronization and data purge behaviors for mobile users
Login credentials for mobile users

Mobile users log in with the same credentials as they use when logging in to RSA Archer.

For mobile users to sync data between offline access or the mobile app and RSA Archer, they must
log in to the mobile device and provide their RSA Archer credentials when prompted to sync. For the
mobile app, single sign-on (SSO) is not supported.
First time login
The type of mobile user determines the steps for the initial log in.
l For offline access, users must synchronize data from the RSA Archer solution to a laptop
computer.
l For the mobile app, users need the RSA Archer URL, domain, and instance to access for mobile
data.
Session behaviors for mobile users

Mobile authorization properties for mobile session behaviors control the following:
l Failed login attempts
l Session timeouts
l Session termination
Example: How default behaviors affect a mobile session
You can configure these values to meet your own business requirements and user needs.
The following table describes session behaviors for mobile users.
Option Value Behavior
Maximum 3 The mobile user is allowed to attempt to log in using incorrect credentials
Failed attempts (user name, company ID, and password combination) up to three times.
Login
Attempts
Account 30 The mobile user account is locked for 30 minutes, preventing the user from
Lockout minutes attempting to log in to a session after exceeding the maximum failed login
Period attempts. After that time, the mobile user can attempt to log in again up to
the maximum failed login attempts.
Session 30 The mobile session is active for 30 minutes after the last detected user
Timeout minutes activity. After this duration, the session is automatically timed out, and the
user is prompted to log in again.

Static blank The mobile session has no limit to availability to the user.
Session
Timeout
Close on blank The mobile session remains active after the mobile app is closed. This
Exit option does not apply to offline access.
Data synchronization and data purge behaviors for mobile users

Mobile authorization properties for data synchronization and data purge behaviors control the
following:
l Reminders to synchronize data
l When users are forced to synchronize
l When users are forced to purge data from the mobile device
The synchronization rules work together to ensure that mobile users maintain current data and offline
access users sync regularly with RSA Archer.
Example: How default purge behaviors and individual sync alerts influence synchronized data
You can configure these options and values meet your own business requirements and user needs.
The following table describes data synchronization and data purge behaviors for mobile users.
Sync 15 On the 15th day after the last synchronization, the mobile user will be
Reminder Days reminded upon log in to synchronize data with RSA Archer. The reminder
continues to appear until the user syncs or reaches the Force Sync limit.
Force 30 On the 30th day after the last synchronization, the mobile user will be forced
Sync Days to synchronize data with RSA Archer or the application, until the Purge Data
limit is reached.
Purge 45 If the mobile user has not synchronized data with RSA Archer in 45 days, all
Data Days data mobile data will be purged when the user attempts to access the
application. The mobile user will be forced to do an initial log-in and
synchronization.

Adding Security Parameters for Mobile Users

Security parameters for mobile users provide additional settings to define data synchronization and
data purge behaviors, and override the default session behaviors. Security parameter settings become
effective on the mobile device the next time the user syncs the device with RSA Archer.
Note: To access mobile-specific settings, either the instance must be licensed for mobile
questionnaires or the solution must be licensed for offline access. If the instance or solution is not
licensed, the Mobile Authorization Properties section is not present on the Manage Security
Parameter page.

2. Click Add New.


4. In the Password Properties section, enter the password rules that you want to enforce.
Property Action
Password format a. In the Minimum Password Length field, select the minimum number of
characters or select Other and enter a different value.
b. In the Numeric Characters Required field, select the minimum number
of numbers or select Other and enter a different value.
c. In the Uppercase Characters Required field, select the minimum
number of uppercase characters or select Other and enter a different
value.
d. In the Alpha Characters Required field, select the minimum number of
alphabetic letters or select Other and enter a different value.
e. In the Special Characters Required field, select the minimum number of
special characters or select Other and enter a different value.
f. In the Lowercase Characters Required field, select the minimum
number of lowercase characters or select Other and enter a different
value.
Password a. In the Previous Passwords Disallowed field, select the number of

limitations previous passwords a user may not use as the new password or select
Other to enter a different value.
b. In the Grace Logins field , select the number of times a user is allowed
to bypass the password change alert or select Other to enter a different
value.
Password In the Password Expiration Notice field, select the number of days for
expiration notice prompting the user to change the password or select Other to enter a
different value.
Password In the Password Change Interval field, the number of days after which a
change interval user is required to change the password or select Other to enter a different
value.
Restrict a. In the Password Change Limit field, click Enable password change
frequency of limit.
password b. Enter or select the period (in Hours) in which users can change their
change passwords for this security parameter.
5. In the Authorization Properties section, enter the authorization rules that you want to enforce.

The following table describes each rule.

Rule Action
Number of In the Maximum Failed Login Attempts field, select the

allowed login number of unsuccessful login attempts a user is allowed,
failures or select Other to enter a different value.
Account lockout In the Account Lockout Period field, select the period
period after login that an account remains locked before the user can log in
failures again, or select Other to enter another value.
Timeout for an In the Session Timeout field, select the maximum length
inactive session of time an active user session without activity can remain
active before the session is automatically timed out, or
select Other to enter a different value. You can enter the
number of seconds in the range from 30 to 300.
Time limit for In the Automatic Account Deactivation field, select the
account number of days a user account can remain active before
inactivity the account becomes deactivated, or select Other to enter
a different value.
Note: To prevent the account from being deactivated at

the end of the time limit, the user must log in to RSA
Archer before the nightly system job
AutomaticUserAccountDeactivationJobHandler runs.
Time period a. In the Limit Session Time field, click Allow active
allowed for user user sessions only for a specific time period.
sessions b. In the From field, enter the start time of the period.
c. In the To field, enter the end time of the period.
d. In the Time Zone field, select the time zone that
applies to the active session limitation.
Active user a. In the Static Session Timeout field, click Enable

session period static session timeout.
before requiring b. Select the time interval that is allowed for active user
re-authentication sessions before the user must re-authenticate.

Rule Action
Days disallowed In the Days Disallowed field, click and select the days
for user sessions (Sunday through Saturday) that user sessions are not
allowed and click OK.
To remove a day from the Selected list, click adjacent to
the day that you want to remove from the list.
Dates disallowed In the Dates Disallowed field, click and select the dates
for user sessions that user sessions are not allowed and click OK.
To remove a date from the Selected list, click adjacent to
the date that you want to remove from the list.

Rule Action
Warning period a. In Session Timeout Warning, select Enable session

before the timeout warning.
session times out b. In Seconds, enter the length of the warning period in
the range 30 to 300.
Important: This option specifies the maximum
number of seconds in a warning period before a user
is automatically logged out of a session. This warning
period applies to both a simple Session Timeout and
an enabled Static Session Timeout. When the
warning period begins, a message box appears,
displaying a countdown until the active session
terminates. This box always appears at the beginning
of the warning period, regardless of user activity or
inactivity.
Things to remember:
l When the warning box for a simple Session
Timeout appears, you can stop the countdown and
reset the warning period. To reset, you must either
click Continue Working in the countdown box or
complete an action, such as loading an application
or performing a save, that communicates with the
server.
Note: Note: Certain user actions, such as typing

text or clicking a tab with the mouse, do not reset
the warning period because they do not
communicate with the server.
l In the last few seconds before the countdown

reaches zero, factors such as the speed of the
network may mean that there is not enough time to
prevent the session terminating. In this case it is
best to save changes and stop the countdown early.
l If the simple Session Timeout setting is a short
amount of time, for example 5 minutes, then the
countdown box will appear frequently. To reduce
the frequency, increase the setting (for example to
30 or 60 minutes).

Rule Action
l When the warning box appears because a Static

Session Timeout interval is about to expire, the
user cannot stop the countdown and must log in
again after the session terminates. This is true
regardless of session activity. The user should not
wait until just before the session terminates to
save changes.
PIN Expiration Select the maximum length of time a PIN remains active

before expiring.
Maximum Select the number of times a user can request a PIN

PIN Resends before the system prevents them from requesting an
additional PIN.
Reset Maximum Select the lockout period before the user can request a
PIN Resends PIN after the user exceeds their maximum PIN resend
limit.
6. In the Mobile Authorization Properties section, enter the mobile authorization rules that you want
to enforce.
Property Action
Number of allowed login failures a. In the Maximum Failed Login Attempts field, specify
and account lockout period the number of allowable attempts.
b. In the Account Lockout Period field, specify the
duration of the lockout period.
Timeout for an Inactive Mobile In the Session Timeout field, specify the inactivity duration
Session of the session before the user is logged out automatically.
Active Mobile Session Period In the Static Session Timeout field, click Enable static
Before Requiring Re- session timeout, and then select the duration.
Authentication
Whether the Mobile Session In the Close on Exit field, click Enable session termination
Terminates When Closing after closing the mobile application.

Property Action
Sync Reminder Alerts for Mobile In the Sync Reminder of Sync Alerts field, specify the
Users number of days from the last synchronization.
Time Limit for Forcing Mobile In the Force Sync of Sync Alerts field, specify the number
Users to Sync of days from the last synchronization.
Disable Automatic Purging of In the Purge Data of Sync Alerts field, clear the box.
Data for Mobile Users
Retention Days Before Mobile In the Purge Data of Sync Alerts field, select the number
Data Is Purged of days from the last synchronization.

Assigning Security Parameters to Users

You can assign a specific security parameter to the user. By default, all users are assigned the
default security parameter when you create the user account.
1. Go to the General Information tab of the user account to which you want to assign a security
parameter.

d. Click the General Information tab.
2. Go to the Account Maintenance section.

3. In the Security Parameter list, select the parameter that you want to assign to the user.
4. (Optional) View the properties of the selected security parameter:
a. In Security Parameter Detail, click View Security Parameter.
b. Click OK.

Setting the Default Security Parameter

You can set one default security parameter that is automatically assigned to all new user accounts.
1. Select a security parameter to set as the default.

c. Select the security parameter.
2. In the Default Security Parameter section, click Assign as Default.

Deleting Security Parameters

You can delete security parameters when they are no longer valid, or are created in error.
Note: You cannot delete a default security parameter that is in use. To delete the default security
parameter, assign another security parameter as the default.

2. In the row of the security parameter that you want to delete, in the Actions column, click .
3. Click OK.
LDAP Configuration
As an administrator of the Access Control feature, you can synchronize information between RSA
Archer and your organization Lightweight Directory Access Protocol (LDAP) server. With LDAP
synchronization, you can streamline the administration of user accounts and groups by allowing
updates and changes that were made in the LDAP server to be automatically reflected in RSA
Archer.

The LDAP configuration feature allows you to do the following:

l Associate user accounts with LDAP users.
l Create accounts when new users are found on the LDAP server.
l Deactivate accounts that can no longer be directly associated with an LDAP user. You cannot
delete user accounts using LDAP synchronization.
l Reactivate accounts when certain user criteria is found on the LDAP server, for example,
renewed employment status.
l Update user profile data for accounts based on LDAP changes.
The LDAP configuration feature accepts multiple-domain, single sign-on (SSO) information and
synchronizes with discrete LDAP systems, allowing you to do the following:
l Standardize the log on procedures in heterogeneous domain environments.
l Incrementally add new domains to existing user access configurations.
l Synchronize data with multiple domain accounts.
LDAP groups cannot be mapped to a previously existing RSA Archer group. The synchronization
process replicates the LDAP group structure within RSA Archer. Groups created in the RSA Archer
Platform by the LDAP synchronization process cannot be edited within RSA Archer.
LDAP configuration with multiple domains

RSA recommends that you do not specify a default LDAP configuration if your organization employs
multiple domains and allows non-unique user names across your domains. If you do, an individual
with an identical user name to an individual in the default domain could potentially gain improper
access to RSA Archer.
For example, John Smith (jsmith@apac.company.com) from the Asia-Pacific domain and Jim Smith
(jsmith@us.company.com) from the United States domain have the same user name. If a default
LDAP configuration specifies us.company as the default domain and the apac.company.com domain
is not valid in the us.company instance, John Smith can log on to the account of Jim Smith. When
John Smith logged on to RSA Archer using SSO, RSA Archer attempted to validate him in the
default domain by the user name "jsmith." RSA Archer matches this user name to an existing
account, jsmith@us.company.com, even though it is a different individual.

Configuring LDAP for Managing User Accounts and Groups

Before you can update your user accounts and groups through a Lightweight Directory Access
Protocol (LDAP) server, you must:
l Configure your LDAP server.
l Map attributes from your LDAP directory to your user accounts in RSA Archer.
l Set the rules for creating, updating, activating, and reactivating the user accounts and groups.
You can also set a schedule to automate the synchronization process between your LDAP server and
the RSA Archer database. RSA recommends that you select LDAP servers that communicate using
LDAP over HTTPS, and that you set the LDAP Connection attribute to secure.
Note: RSA recommends requiring a domain for LDAP synchronizations and SSO. If domains are
not used, RSA recommends disabling the display of the Domain field in the RSA Archer Control
Panel.
The following fields change during mapping:

l A user profile field that is mapped to an LDAP attribute is populated for new accounts. The value
is retained for existing accounts.
l A user profile field that is mapped to an LDAP attribute that does not have a value is not
populated for new accounts. The value is retained for accounts that were previously created.
l When the Email Address or Phone field in the user profile is mapped to an LDAP value, the
LDAP value is inserted in the first email or phone number field in the user profile for new user
accounts. For existing accounts, the LDAP value replaces the value in the first email or phone
number field in the user profile. If a user has modified the email address or phone number through
the Platform, the modification is overwritten by LDAP synchronization unless the LDAP value is
null.
l The Time Zone field in the user profile cannot be mapped to an LDAP attribute.
Task 1: Set up your LDAP server
1. Go to the Manage LDAP Configurations page.

b. Under Access Control, click LDAP Configurations.
2. Click Add New.

4. Click the Configuration tab.

5. In the LDAP/Active Directory Server section, enter the user domain, IP address, and connection
or binding preferences.
The following table describes each field.
Field Description
User Specifies the domain to which user accounts from this LDAP server belong. The
Domain name must be unique for all LDAP configurations.
If you are using Windows Authentication, ensure that the User Domain field
matches the Windows domain name. If these values do not match, single sign-on
(SSO) fails. These domain names are not case sensitive.
Connection Specifies whether a secure connection is required.
Name/IP Specifies the fully qualified name or IP address of your LDAP or Active
Address Directory server. Selecting this option ensures that your server assumes
responsibility for directing RSA Archer to the appropriate domain controller.
If the previously contacted domain controller is unavailable, a secondary domain
controller is identified and used instead. For example, if your primary LDAP
server is down for maintenance, RSA Archer is directed to the secondary server
to execute LDAP synchronization.
Binding Enables you to bind the LDAP connection to a default domain controller without
specifying the name of a default server. Microsoft recommends the use of
serverless binding for fault tolerance.
If you are using an Active Directory server, select whether to use serverless
binding. If you select Use Serverless Binding, you do not need to enter a value in
the Name/IP Address field.
6. In the LDAP/Active Directory Server Configuration section, enter the configuration options for
your LDAP server.
Field Description
User Specifies the user name of the user identified to access the LDAP or Active
Name Directory server when additional authentication is required.
Password Specifies the password of the user identified to access the LDAP or Active
Directory server when additional authentication is required.

Field Description
Active Specifies the domain of the active directory when additional authentication is
Directory required.
Domain
User Identifies the object as a user object:

Identifier l For new LDAP configurations, the default value is user.
l For Active Directory servers, the default value is user.
l For other LDAP servers, the default value is inetOrgPerson.
To obtain the actual default values for your organization, see your LDAP
administrator.
Group Identifies the object as a group object:

Identifier l For new LDAP configurations, the default value is group.
l For Active Directory servers, the default value is group.
l For other LDAP servers, the default value is groupOfUniqueNames.
administrator.
Additional Provides additional attributes that must be retrieved from the LDAP source during
Attributes search. For example, if you are using filters, enter the filters in this field.
User Identifies the groups to which the user belongs:

Group l For new LDAP configurations, the default value is memberOf.
Identifier
l For Active Directory servers, the default value is memberOf.
l For other LDAP servers, the default value is uniqueMember.
administrator.
Users and Sets the User/Group association:

Groups l Users contain groups: Specifies that the user-group association is defined in
the user object of the active directory server.
l Groups contain users: Specifies that the user-group association is defined in
the group object of the LDAP server.

Field Description
Connection Inputs the time-out value in seconds for the LDAP query. This value must be a
Time-out whole number greater than 0.
For new LDAP configurations, the default value is 60.
Binding Sets the Binding for an LDAP configuration from the following options:
l Use Simple LDAP Binding: Use when your server does not allow connection
using the Simple Authentication and Security Layer (SASL) protocol, or if you
experience errors.
l Disable page searching: Use when your server does not support paged
searching.
l Remove the whitespace from the DNs: Use to remove unnecessary white
space in the Distinguished Name (DN) before the names are compared when
you are using an LDAP server other than Active Directory.
7. (Optional) Click Test Connection to test your configuration settings.

Task 2: Map LDAP attributes to your user profiles
1. Go to the Configuration tab of the LDAP Configuration.

c. Click the Configuration tab.
2. Go to the User Field Mapping section.

3. In the Base DN field, enter the domain name.
4. (Optional) In the Filter field, enter the criteria for filtering the LDAP directory.
5. In the Attributes field, click Get Attributes to populate the field mapping.
6. In the Field Mapping field, select the attributes for each field in the user profile that you are
synchronizing with the LDAP directory.


Field Description
Base DN Specifies the Base Distinguished Name (DN) for the location of user account
information in your LDAP directory.
Filter Filters the LDAP information available for mapping to user profile fields. Filters
are entered using the following format: objectClass=class name.
Example
You want to map only LDAP values associated with the “user” class. You would
enter objectClass=user as the filter. This entry results in the values associated
with this class being available for mapping.
Attributes Populates the Attribute lists in the Field Mapping section.
Field Maps the attributes from the LDAP directory to the fields in the user profile. You
Mapping must map all required fields in the user profile to an attribute.
Synch Tests the connection of an LDAP Configuration between the RSA Archer

Connector database and the LDAP server or active directory server.
Test If an error message is displayed when the number of records returned exceeds the
configured size limit for the active directory, contact your LDAP administrator to
request a configuration change.

Task 3: Set rules for managing user accounts and groups
1. Go to the Data Sync tab of the LDAP Configuration.

c. Click the Data Sync tab.
2. In the User Account Management section, define the rules for updating, creating, deactivating,
and reactivating accounts.


Field Description
Updating Specifies the rules for updating the user profile.

l Update all user accounts on each sync: Updates all user accounts based on
the information contained in your LDAP server
l Update only user accounts where the LDAP attribute meets the following
criteria: Updates user accounts based on a specific LDAP attribute and the
specified criteria.
Example:
You want to update only user accounts from your New York office. You
would select Office from the Attribute list, select Equals as the operator, and
enter New York in the Value field from the Operator list.
Create/Update Creates or updates a user account if the account does not exist in
RSA Archer. The name for the new user account is assigned the value of the
LDAP attribute mapped to the User Name (Login) field.
Clear User Clears the distinguished names of all users just before the LDAP
DNs synchronization starts. The synchronization then repopulates the database with
the most up-to-date list of distinguished names. If users have changed their
login names, moved location, or are in a new part of the company, for
example, the old distinguished names are no longer valid. Consequently, these
users would not be able to log into RSA Archer.
Note: RSA Archer strongly recommends that you enable this option.

Field Description
Deactivation Deactivates user accounts.

l Deactivate all user accounts that do not have a matching LDAP user.
Deactivates user accounts for which no matching LDAP account is found
during data synchronization.
l Deactivate those user accounts where LDAP attribute meets the following
criteria and then enter the LDAP criteria. Deactivate user accounts based
on a specific LDAP attribute.
Example:
You want to deactivate user accounts where the employment status for the
matching LDAP user account is set to inactive. You would select
Employment Status from the Attribute list, select Equals as the operator, and
enter Inactive in the Value field from the Operator list.
Reactivation Reactivates user accounts based on specific LDAP attribute criteria.
Example:
You want to reactivate inactive user accounts where the employment status in
the matching LDAP user account is set to active. You would select
Employment Status from the Attribute list, select Equals and enter Active in
the Values field from the Operator list.
Send Sends a notification to each user that is created to alert the user of a new
Notification password. The Default Email Address in the user account must be present to
send notifications. When you select this option, a notification message is sent
to all users that are being created.
RSA recommends disabling this option when synchronizing a large number of
records because uploading a large number of users can cause the email server
to exceed its capacity for sending email messages.
3. (Optional) In the Group Management section, enter the criteria for synchronizing the
LDAP group structure with RSA Archer.


Field Description
Group Replicates your LDAP group structure in RSA Archer when synchronized.

Sync The common name (CN) of the group on your LDAP server is used as the group name
in RSA Archer. If a group in RSA Archer is created before synchronizing with your
LDAP server, and there is a group with a matching name in your LDAP directory, the
group in RSA Archer is not synchronized with the LDAP group. Instead, a new group
with the same name is created and is flagged with the Synchronization icon.
Selecting the Group Synch option makes your LDAP server the authoritative system
for RSA Archer group management.
l Any groups that you delete from your LDAP server also are deleted from
RSA Archer
l Any changes made to your groups in the LDAP directory are reflected in RSA
Archer.
You cannot edit or delete groups in RSA Archer that were created through LDAP
synchronization. You can create additional groups in RSA Archer that are not included
in your LDAP group structure, and can fully manage these groups in RSA Archer.
Group Specifies the Base Distinguished Name (DN) for your LDAP group structure.
Base If you selected Group Sync and you do not specify a DN for your group structure, the
DN group sync query defaults to the Base DN specified in the LDAP configuration.

Synchronizing Your User Accounts and Groups

Synchronization is the process of updating RSA Archer user accounts and groups from the LDAP
directory. You can run LDAP synchronization manually or automatically by a set schedule. In most
cases, the synchronization process runs automatically so that RSA Archer user accounts and groups
are updated regularly.
If RSA Archer cannot access the LDAP directory at the scheduled time, it automatically tries to
connect with the directory 10 times over a 1-hour period, before logging an error record and stopping
the synchronization process. If the synchronization fails, the sync status is set to inactive.
Note: RSA Archer only supports standard implementations of LDAP in the directory services. The
users and groups in the Active Directory must have distinguished names.

If there are records that are not updated during the synchronization, you can view a text file that
details the date, time, and specific records that failed to synchronize. While the sync status is
inactive, RSA Archer suspends further synchronization attempts until you manually correct the
problems with the connection and set the status to active.
Set the LDAP synchronization schedule
1. Go to the Data Sync tab of the LDAP Configuration you want to schedule synchronization.

c. Select the LDAP Configuration.
d. Click the Data Sync tab.
2. In the Sync Schedule section, set the schedule for synchronizing user accounts and groups.
The following table describes the fields.
Field Description
Frequency How often you want to run the LDAP synchronization process.
Time Time of day to run the LDAP synchronization process.
Time Zone Time zone of the LDAP server.

Run the LDAP synchronization now

You can bypass the LDAP synchronization schedule and run the synchronization now.
Note: If you have made changes to your LDAP configuration, you must save those changes before
requesting an immediate data synchronization. Otherwise, the last saved LDAP configuration is
used.
1. Go to the Sync Status tab of the LDAP configuration that you want to synchronize.


d. Click the Sync Status tab.
2. Go to the Immediate Sync Request section and click Run Sync Now in the Sync Request field.
Note: To cancel the synchronization request, using the Cancel option that appears in the Sync
Request field, click Cancel.

Auto-Provisioning
The Auto-Provisioning feature enables LDAP synchronizations to create user accounts and groups
automatically without the necessity of creating those accounts beforehand. Account creation and
synchronization occur when a user logs on so long as the system administrator has configured the
user account to meet the following conditions:
l An LDAP synchronization can create user accounts
l A valid user of the domain, BaseDN, and Filter matching the LDAP Synchronization attempts to
log into RSA Archer
l The user account does not currently exist in RSA Archer
l Available user licenses exist
Viewing Synchronization Status

You can view the status of LDAP synchronization, and any failed synchronization attempts that
occurred in the last synchronization.

2. Select the LDAP configuration that you want to view.

3. Click the Sync Status tab.
4. In the Status field, click Refresh Status.

5. In the Current Sync Status field, view the status.

Status Description
Active The connection is active and currently in process.
Idle The connection is active, but LDAP synchronization is not currently in

process.
Inactive The connection is inactive, and no scheduled synchronizations run.
Queued A synchronization request has been issued, but the system has not yet
responded to the request.
Running LDAP synchronization is currently in process.
Running, LDAP synchronization is currently in process, but a cancel request has been
pending issued. The system has not yet responded to the request.
cancel
Note: If the LDAP synch status is Queued or Running, the Cancel Sync Job section is displayed
instead of the Immediate Sync Request section.
6. If failures occurred in the last sync attempt, in the Failure Detail field, click View Failure Detail
to view failure information in a text file.
Changing LDAP Configuration Status

When an LDAP configuration is no longer needed, but you do not want to delete the configuration,
you can change its status from Active to Inactive (or the reverse if the configuration is inactive and
you want to reuse it again).
1. Open the LDAP Configurations for which you want to change the status.

2. From the Status list, change the status of this LDAP configuration to one of the following:
l Inactive to disable the use of this LDAP configuration.
l Active to enable the use this LDAP configuration.


Deleting LDAP Configurations

When you delete an LDAP configuration, the database sets the configuration to 99999, which
signifies that the LDAP configuration and database have been deleted. The information and
relationships, however, are still intact.
Note: When you delete an LDAP configuration, all users and group information associated with an
LDAP configuration are permanently deleted.

2. Click the row of the LDAP configuration that you want to delete.
3. In the Actions column, click .

4. Click OK.

Chapter 13: Communication Tools

RSA Archer offers multiple tools for communication with and between your end users and for
ensuring that your users have access to the right information in the system.
l Notifications alert users to specific conditions within records, particularly when it is something
that requires their attention or action (for example, a record is ready to be reviewed).
l Discussion Forums enable you to create structured environments where users can exchange
information on various topics.
l Training and Awareness enables you to construct and deliver training and awareness
communications to specified users and groups.
l Mail merge functionality allows you to export data into a Microsoft Word document.
l Alias name is a short name for a unique object in the system that is human readable, but also can
be used in code or as a reference in configuration processes
Notifications
The Notifications feature is a time-saving function for sending notifications of various conditions as
they occur to designated recipients, for example, adding or updating a record. RSA Archer
administrators can customize notifications using blueprints by defining the appearance and page
properties that then can be used by multiple notifications.
Specified users receive notifications when a defined trigger occurs in an application or
questionnaire. A trigger is any change detected in RSA Archer that initiates the publishing of a
notification. A trigger can be any of the following:
l Saving a record
l Periodic reports
l DDE rules
l Workflow stage changes
l Daily record search based on filter criteria
l Training and Awareness events and reminders
l Discussion Forum postings
When a specified trigger occurs, notifications are queued after a save or based on a specific
schedule.
Global Notification Settings are general properties that define default values for all notifications, as
well as read-receipt functionality. The Read Receipt properties enable administrators to activate the
read-receipt functionality. A designated email account tracks the receipt of notifications triggered by
a notification blueprint.

Recipients can receive notifications using any email-based device. RSA Archer users can select the
notifications that they want to receive from the User Preferences menu.
Essential terminology
The following table defines important terms to understand when working with notifications.
Term Definition
Layout The format of the content in the body of a notification. Content can be structured or
free form.
Notification The notice that specified recipients receive based on a set of pre-defined conditions.
Notification The specification of properties and settings for the notifications. The notification
Blueprint blueprint defines what information is sent, when it is sent, who should receive it, and
how the information is displayed.
Notification The act of creating and sending notifications. Publishing includes a delivery method,
Publishing subscription behaviors, and recipients.
Recipient An RSA Archer user or other user who receives notifications. Depending on the
notification blueprint, recipients can be one or a combination of the following:
l RSA Archer users and groups
l RSA Archer users contained in Record Permission fields
l Other users that are manually entered in the blueprint (non-RSA Archer users)
Note: If a user is specified multiple times (for example, individually, and as part of
a group or role), that user receives only 1 notification each time the notification is
triggered.
Record A set of data or fields that is entered to populate RSA Archer elements.
Template A preset format of a notification type made up of the name, letterhead and body
layout in the notification blueprint.
Trigger Any change detected in RSA Archer that initiates the publishing of a notification.
When a specified trigger occurs, notifications are queued and processed.
Recipient rules
Recipients can be users, groups, or manually entered email addresses. Recipients who are non-RSA
Archer users receive all content regardless of permissions.
If a user account is Locked, that account does not receive any notifications to which it was
subscribed.

The following table describes recipient rules.

Type Description
Users A specific RSA Archer user receives the notification. The primary email address for the
user listed in the user account is used to send the notification.
If the user is subscribed to a notification and selects a different address in the Manage
Your Email Subscription page from the Preferences menu, the specified email address is
used.
Groups A specific group receives the notification. Each user in the group is treated individually
at the time the notification is sent. The user email address follows the same rules defined
for the Users type.
Fields The fields that contain email addresses at the time of publication receive the notification.
The following types of fields can contain email addresses:
l Record Permissions. Recipients are specified at the record level.
l Text. Recipients are specified as users in the field.
l User/Groups List. Recipients are specified in a list of users and groups in RSA
Archer.
l Values List. Recipients are specified in a list of predetermined values.
l Workflow. Recipients are specified in the Workflow Stage Properties.
User/Group Lists are not record-based. All other field types are record-based Text fields.
Values Lists do not use record permissions.
Static The email address that is entered manually in the notification blueprint.
Subscription rules
Notification subscriptions enable recipients to receive notifications after the adding or updating of
records in specified applications or questionnaires. The following table describes the available
subscription types.
The following table describes the available subscription types.
Subscriber
Description
Type
None Users are not subscribed by default. Users can subscribe and cancel at any time.
New Users New users receive notifications by default, but they can cancel the subscription at
any time.

Subscriber
Description
Type
All Users New and existing users receive notifications by default, but they can cancel the
subscription at any time.
Required New and existing users receive notifications by default, but they cannot cancel
the subscription.
Administrators specify the default settings for notifications in the notification blueprints. RSA
Archer users can subscribe or unsubscribe to notifications from the User Preferences menu >
Manage Your Email Subscriptions.
All selected recipients automatically receive notifications.
Notification Publishing
Notification publishing creates and sends notifications to specified recipients when a defined trigger
occurs. For each notification type and blueprint, notifications are sent according to a delivery
schedule specified in the notification blueprint.
Notification publishing process

Notifications are queued and processed after a save or on a specific schedule. If the delivery method
is Instantly or Digest, notifications are not sent when saving the record updates a calculated field if
there are no other changes to that record.
Notification Blueprints
Notification blueprints are containers that you can use to generate and send notifications to specified
recipients when a defined trigger occurs, such as adding or updating a record.
Notification blueprints specify the rules for generating the notifications. Use a unique name for each
notification blueprint for each instance. Notifications are sent according to the template layout and
delivery schedule defined in the blueprint.
When creating and configuring a blueprint, you can:
l Specify the application it monitors
l Design the layout
l Configure the delivery methods and recipients
l Specify the conditions in the application records that cause an email to be sent
Blueprint elements contain the rules for layout template design, delivery, and filter criteria.
Notification types determine which blueprint elements are used.
Key elements of a notification blueprint

The following table describes the key elements of a notification blueprint.
Notification
Blueprint Description
Element
General General information defines notification names and letterhead properties. It also
Information specifies how information is displayed.
The Body Layout can be formatted in a table or free form.
The Table layout provides a structured notification as information is presented
in a two column format.
The Free Form layout provides more flexibility and allows you to arrange
content according to the parameters of the Rich Text Toolbar.

Notification
Blueprint Description
Element
Content Content specifies the notification content including the email subject and body.
Content can vary between notification types and can include dynamic data,
static data, and links. Fields are an example of dynamic data, for example,
[Field:Date].
Report content can be an attachment or a link to a report.
Delivery Delivery determines the delivery schedule and recipients of the notification.
Notifications can be queued instantly, sent as a digest (daily, weekly, monthly,
or quarterly), or as a reminder based on search-based filter criteria.
Filter Criteria Filter the record based on specified criteria that must be met to generate the
email notification.
Layout template design

The layout template design enables administrators to configure the format and content of
notifications. Predefined letterhead templates and body layouts are used to specify the layout of the
notifications recipients can receive.
Letterhead
Letterhead templates define the page, header, body, and footer properties used in a notification. A
letterhead is not a required element of a notification blueprint, and does not apply to notifications
sent in XML format. A default letterhead is specified in Global Notification Settings, but the
selection can be overridden in the individual notification blueprint.
Body layout
The body layout defines the format of the layout in the notification body, including how the content is
arranged. The body layout can be structured and free form. The structured format presents content in
a two-column table. The left column contains the field name, and the right column contains the field
value. The free-form body layouts allow the content to be arranged anywhere in the body of the

notification.
Content
The content of a notification includes user-defined static content and dynamic content placeholders
in the Subject line and Body. Static content is text that remains the same for every notification, while
dynamic content changes based on data from specified fields.
The following table describes the types of content.
Type Dynamic Content Placeholder for...
Field Data from the fields of the records used for publishing the notification.
Report Links to global and personal reports that are available from an application or
questionnaire.
Link Links to user pages, administrative pages, and records.
Subject
You can configure the Subject line for all notification types using static and dynamic text and data
from fields. A Cross-Reference field appears as a Key Field reference.
Do not use the following field types to create dynamic content in the Subject line:
l Attachment l Sub-Form
l Cross-Application Status l Questionnaire
Tracking Reference
l Image l Access History
l Record Permissions l History Log
l Scheduler
Body
The Body is composed of user-defined static content and dynamic content placeholders.
l Static content is text that remains the same for every notification.
l Dynamic content is content that changes based on unique parameters and is based on the field,
reports, or links you select. When defining content, fields, reports, and links become placeholders
for the actual data or content of the notification, which is generated during notification publishing.

Example: Subscription notification with static and dynamic content
The following figure shows an example of content for a subscription notification for Incident
Management for reporting an incident to a business unit manager who is waiting on an update.
l 1: Field names are the placeholders for the actual field values that dynamically display when the
notification is generated.
Fields that cannot be included as dynamic content in the Subject line are: Attachment, Cross-
Application Status Tracking, Image, Record Permissions, Sub-Form, Questionnaire Reference,
Access History, and History Log.
Some of the element options vary based on the notification type. Content for the Scheduled Report
Distributions notification includes a section for specifying the report and attachment type, for
example, PDF, Word, Excel, and others.
Note: For Subscription and On Demand notifications, the type of content you place in the Body area
depends on the option you select in the Body Layout field on the General tab.
Notification delivery
Notifications are delivered based on the delivery methods that are configured in the notification
blueprint. In most cases, notifications are only sent when a record is saved unless the delivery
method is Instantly or Digest. When set to either delivery method, notifications are not sent when
saving the record updates a calculated field when there are no other changes to the record.

Delivery methods
The following table describes the types of delivery methods.

Type Description
Instantly
Notifications are published as soon as possible when a trigger occurs for record-based
notifications. An example of a trigger is saving a record.
Digest Notifications are aggregated and published in a digest. Digest notifications include
records that meet the filter criteria, and have been added or updated since the last time
the notification was sent. For example, if a daily digest is configured to send every day
at 1:00 pm, it will include all records saved since 1:00 pm the previous day.
The data used for publishing the notification are captured each time a record is added
or updated. Notification publishing uses the most recent version of a record that passed
the filter criteria of the notification blueprint. If the notification blueprint filters are
modified within a specified period, the already captured record is still used for
notification publishing at the end of the period.
The frequencies are as follows:
l Daily. Notifications are published once per day based on the notification blueprint.
l Weekly. Notifications are published once per week based on the notification
blueprint.
l Monthly. Notifications are published once per month based on the notification
blueprint.
l Quarterly. Notifications are published once per quarter on January 1st, April 1st,
July 1st, and October 1st based on the notification blueprint.
Reminder
Notifications are published once per day, and typically use date filters that compare a
date-based field in each record to the date that the notification is being run. The record
collection is search-based, and does not require a save to occur for the notifications to
be published. All records for an application or questionnaire can potentially be
returned for a record-based notification.
Filter criteria
Filter criteria determine the records that are published in a notification. Only records that meet the
specified filter criteria are included in the notification. A notification is not generated unless all
criteria is fulfilled.

For notifications generated from the DDE Generate Notification action, DDE rules determine which
records are included.
Example: Criteria for filtering by a date
l Field to Evaluate = Date
l Operator = Equals
l Value(s) = 1/10/2015
Notification blueprint types

The following table describes the notification blueprint types. You can create a blueprint for each
notification type.
Notification
Description
Type
Record-Based Record-based notifications contain dynamic or static content of specified fields
from a record. The following notifications are record based:
l Subscription
l On-Demand
l XML
l DDE
l Workflow
Report- Report-based notifications contain static content based on the user permissions of
Based the user who created the notification report template. Report-based notifications
are sent on a required schedule.
These notifications include an embedded report or a link to a report. A link to the
report requires the recipient to have an active RSA Archer user account, and
recipients can only view the records for which they have record permissions.
The report-based notification is called Scheduled Report Distributions.
Other Data Data Source notifications contain data from other data sources. The notifications
Source for Training and Awareness and Discussion Forums can be generated.

Notification
Description
Type
System Admin notifications inform users of important system changes and events that are
not directly related to application content. For example, you can set up a
notification when a password changes, or when a mail merge job succeeds or fails.
Subscription Notifications
Subscription notifications enable recipients to receive notifications on a set schedule or instantly

when records are added or updated in an application or questionnaire. You can create notification
blueprints for any application or questionnaire for which they are assigned ownership rights. The
Subscription Notification blueprint specifies the rules used to generate a subscription notification.
RSA Archer users can subscribe or unsubscribe to notifications from Email Subscriptions under the
User menu.
Notifications generated from the DDE Generate Notification action are filtered by DDE rules. If the
you do not want recipients to unsubscribe to a notification, use DDE Generated Notification action.
Example: Subscription notification

The following table provides an example subscription notification scenario.
A team needs to be alerted each time an urgent issue is added or updated in a custom
Scenario
application or questionnaire.
A user with administrative rights to the custom application or questionnaire creates a

subscription notification blueprint, specifying that a notification is sent to all members
Action of the team each time a new issue is reported. The filter criteria are defined so that
notifications are sent only when the value Urgent is selected in the Priority field,
thereby limiting the number of notifications that are triggered by the blueprint.
A user adds a new issue in the application or questionnaire and selects Urgent in the
Result
Priority field and clicks Save. Everyone on the team receives a notification.

Unique elements of subscription notifications

The following table describes the subscription options.
Recipients can subscribe or unsubscribe to notifications. Administrators specify one
of the following subscription options in the notification blueprint:
l None: RSA Archerusers and specified recipients are not subscribed by default
and can subscribe or unsubscribe to the notification at any time.
Subscription
l New Users: New users receive notifications by default and can cancel the
l All Users: New and existing users receive notifications by default and can
cancel the subscription at any time.
Users can receive notification emails using any email-based device, and select which notifications
they want to receive using the Manage Your Email Subscriptions option in the User Preferences
menu.
On-Demand Notifications
On-Demand notifications are pre-configured notifications that RSA Archer users can send to anyone
with an active email address. Administrators configure the properties of a notification in an On-
Demand notification blueprint.
When RSA Archer users click in the page toolbar on a record, they can make a selection from a
list of available On-Demand notification blueprints.
The following table describes the elements that are specific to On-Demand notifications.
By default, the email address of recipients is entered manually. They also have the
Recipient option to specify with which addressee type the recipient can be associated, for
example, as CC, BCC, and To.
Delivery On-Demand notifications can only be sent instantly.
Recipients of On-Demand notifications cannot subscribe or unsubscribe to the

Subscription
notifications.
The access right for an On-Demand notification is specified in the On-Demand

notification blueprint. The following options are available:
Access l Public: All application or questionnaire users will automatically be granted
unrestricted access to use the notification blueprint.
l Private: Only specified users and groups can access the notification blueprint.

Example: Record-based notification

The following table provides an example record-based notification scenario.
Members of the executive team would like to receive the status of remediation plans
Scenario periodically. Some of the members have access to RSA Archer, but some members do
not.
A RSA Archer user with administrative rights creates an On-Demand notification

blueprint called Remediation Plans. Specific values from a record in a specified
location are placed within the Subject line and Body of the template, including the name
Action
and status of each remediation plan. The email addresses of every member of the
executive team are added as recipients. Email addresses for non-RSA Archer users are
entered manually in the Static field.
A user adds new information to a remediation plan that affects other plans. The user
Result clicks and selects Remediation Plans from a list of blueprints. An email alert is
sent to every member of the executive team with the status of the remediation plans.
XML Notifications Setup
XML notifications are used to transmit information from RSA Archer to an external system or
integration in XML format. Administrators configure the properties of an XML notification in an
XML notification blueprint.
The following table describes the elements that are specific to XML notifications.
Element Description
Layout Does not apply to XML notifications.
Content Only fields are included within the Subject line and Body of the notifications.
Recipient The email addresses of the recipients are entered manually. Multiple email
addresses are separated by a semicolon. The email addresses specified as recipients
receive all notifications generated by the notification blueprint.
Subscription Recipients cannot subscribe or unsubscribe to the notifications. The subscription

behavior is defined in the notification blueprint.
DDE Generate Notification Action
Notifications can be generated through the DDE Generate Notification action. The Generate
Notification action enables administrators to configure a notification. When a record is added or
updated that meets defined rule conditions, a Generate Notification action is triggered.

Note: If a workflow is enabled in an application, then only the Reminder notification type can be
used in a DDE. If you try to send notifications on an instant, daily, weekly or monthly basis in an
application or questionnaire that has workflow enabled, the notifications do not send. These types of
notification can only be sent from within an enabled workflow.
The following table describes the rules that apply to the DDE Generate Notification action.
RSA Archer users, groups, or recipients specified in a field or Record Permission
Recipient fields. Recipients are not specified in the notification blueprint of the DDE
Notification action.
Filter Fields, operators, and values set by DDE rules.

Criteria
Subscription Recipients cannot subscribe or unsubscribe from DDE Generate Notification action.
Example: Record-based notification

The following table provides an example record-based notification scenario.
Scenario A team needs to be alerted each time an urgent issue is added or updated.
A user with administrative rights to the custom application or questionnaire creates a

Generate Notification action, specifying that a notification is sent to all members of the
team each time a new issue is reported. The filter criteria in the DDE rule are defined
Action
so that notifications are sent only when the value "Urgent" is selected in the Priority
field, thereby limiting the number of notifications that are triggered by the notification
blueprint.
A user adds a new issue in the application or questionnaire and selects "Urgent" in the
Result
Priority field and then clicks Save. A notification is sent to everyone on the team.
Workflow Notifications
Workflow Notification blueprints enable administrators to configure the workflow process to

automatically send notifications to users and groups that are assigned to a workflow task. A
Workflow Notification blueprint is defined and enabled for each stage of the workflow in Stage
Properties on the Workflow tab.
Elements for workflow notifications

The following table describes the elements of a workflow notification.
Element Description
Recipient Any users or groups determined by the Assignment Model for a stage.

Element Description
Delivery Configured for entrance to any stage in the workflow process, and sent at the end of
that stage.

behavior is defined in the workflow process.
The notifications are sent when a record:

l Is enrolled or moved to a new stage (except the End stage)
l Is manually reassigned by the Application Owner
Example: Workflow notification

The following table provides an example workflow notification scenario.
A custom application or questionnaire has a workflow configuration with three
Scenario stages: Stage 1, Stage 2, and Stage 3. A Workflow Assignee needs to be alerted each
time a record enters Stage 2 of the workflow.
A user with administrative rights creates a custom application or questionnaire with

Action three Stages and enables Workflow. A Workflow Notification blueprint was created
and enabled for Stage 2.
A user promotes a record from Stage 1 to Stage 2. A notification is sent to the

Workflow Assignee as determined by the assignment model for that stage.
Result The task is promoted to Stage 3, but the Workflow Assignee for Stage 3 rejects the task
and it is sent back to Stage 2. A notification is sent to the Workflow Assignee for Stage
2.
Training and Awareness
The Notification functionality of the Training and Awareness feature in RSA Archer enables
administrators to construct and deliver training and awareness notifications to any users and groups.
Training and awareness notifications are organized as campaigns with one or more events.
Campaigns support the coordination of three event types:
l Presentation: Events allow information to be broadcast to users or groups using email or prompts
at logon. Recipients of presentation events are not required to acknowledge receiving the event or
respond to the content of the event. Presentation events represent a passive form of
communication.

l Acceptance: Events extend presentation events to require action from the recipient. These events
are presented to users or groups as a prompt when they log on to RSA Archer. Users receiving an
acceptance event are required to accept or decline the event.
l Quiz: Events enable administrators to test knowledge of the users. These events are presented to
users as a prompt when they log on to RSA Archer. A quiz event is a method for determining that
a user or group received or accepted a trigger, and that they have a complete understanding of the
required reading.
The following table describes the elements that are specific to notifications generated from Training
and Awareness Campaigns.
Element Description
Custom text or specified pre-built content from any application or questionnaire to

which a user has ownership rights. The notification content of a Training and
Content
Awareness Campaign event includes a static text introduction, dynamic content
placeholders for a trigger, and a static text closing.
Delivery Acceptance and Quiz events have reminders. Presentation events are sent only once.
Discussion Forums
The notifications from Discussion Forums are subscription-based notifications. RSA Archer users
can subscribe to receive notifications when messages are posted to a forum, posted to a topic, or
posted to a message.
The following table describes the elements that are specific to notifications generated
from Discussion Forums.
Elements Description
Content Letterheads and body layouts are not available.
Delivery Notifications are sent as soon as possible after a trigger occurs.
Recipient Only RSA Archer users can receive notifications from Discussion Forums.
Reminder Notifications
Reminder Notifications are used to provide information to users either before, on, or after a specific
date. They are published once per day, and use date filters that compare a date-based field in each
record to the date that the notification is being sent.
When creating a notification reminder, you can set when and how often you want to send a
notification email. To prevent the emails from being sent indefinitely, use filters in combination with
any Greater than or Less than reminder criteria.

Important: If a workflow is enabled in an application, then only the Reminder notification type can
be used in a DDE.
The following table describes the elements that are specific to the delivery schedule criteria for noti-
fications.
Criteria
Filter Description
Filter
Field Determines when the reminder will be selected.
Operator Determines if the notification will be before, after, or on the date decided by the
Field filter.
Days Determines how many days the reminder will be sent in correlation to the date
dictated by the Field filter.
Occurrence Determines how many times the notification will be sent.
Target Determines if the notification will be sent before or after the date decided by the
Field filter.
Examples of notification reminders

The following table provides examples of notification reminders.
Intention Configuration
Send a single reminder email 5 days before a Due Date. Field = Due
Date
Operator =
Equals
Days = 5
Occurrence =
Once
Target = After
Date

Send a daily reminder email for 5 days. Once each on the 4 days leading up to Field = Due
the Due Date, and again on the Due Date. Date
Operator = Less
Than
Days = 5
Occurrence =
Daily
Target = After
Date
Send a reminder email 5 days after the Due Date has passed. Field = Due
Date
Operator =
Equals
Days = 5
Occurrence =
Once
Target = Before
Date
Send a reminder email each day, beginning on the Due Date, and then for 4 Field = Due
consecutive days afterward. Date
Operator = Less
than
Days = 5
Occurrence =
Daily
Target = Before
Date

Send a reminder email every day once a record is more than 5 days past the due Field = Due
date. date
Operator =
Greater Than
Days = 5
Occurrence =
Daily
Target = Before
Date
Managing Notification Blueprints

You can delete a notification blueprint or make a notification type inactive.
Delete a notification blueprint
Note: You cannot delete a notification that is used by an advanced workflow.
1. Select the notification type that you want to delete.

b. Under Notifications, select the notification type.
2. In the row of the notification that you want to delete, click .

3. Click OK.
Set notification to inactive
1. Go to the General tab of the notification you want to modify.

b. Under Notifications, select the notification type.
c. Select the notification.
d. Click the Content tab.


Activating Notifications
By default, all notifications are inactive.
The Default From Address is required for all instances and all configurations. You configure the
mail server and Default From Address for each instance in the RSA Archer Control Panel.
After configuring notifications in the RSA Archer Control Panel, you must also configure the
application in the instance and the Notifications feature of RSA Archer.
Enable notifications for an application

You can enable or disable notifications for an application. When notifications are enabled, end users
are allowed to receive notifications when content in the application is published or updated.
You can also create a notification. When you create a notification blueprint for an application, end
users can subscribe to that blueprint and receive email alerts when records in the application are
added or updated.

2. In the Options section, select the checkbox in the Notifications field.

3. Click Apply.
Configure the default notification settings

These values are used for all notifications and can be overridden for a specific notification blueprint.
1. Go to the Default Notification Settings section of the Manage Global Notification Settings page.

b. Under Notifications, click Global Notification Settings.
c. Go to the Default Notifications Settings section.

2. In Letterhead, select the default letterhead that you want to use.
3. In Body Layout, click to preview and select the layout you want, and then click OK.
4. In From Address, enter a default email address.
5. In From Alias, enter a default email alias.
6. In Attachment Type, select the default attachment type.
7. Click Save.
Define read receipt rules

Read-receipt functionality enables you to track the receipt of notifications. When return-receipt
functionality is activated, enter the return email address for read-receipts that are requested from
users when they open a notification email. These rules also include settings for the mail server and
user name and password for the return email account.
Important: You must set up an email account on your mail server that receives read receipts from
users who have indicated receipt of notification emails. The mail server on which you create this
account most likely is the same mail server that your organization is using for alert notifications.
After the application pulls read-receipt information from the email account that you define, all
emails are deleted from that account to prevent the account from exceeding its storage limit.
Read receipt rules
The following table describes the read receipt rule properties.

Status Indicates whether the read-receipt functionality is active or inactive. The Active
status enables you to configure any notification blueprint to request read-receipts
when notifications are sent to the recipients.
Email Specifies the email address that receives the return receipts.
Address Do not use your own email address as the account to receive the return receipt. All
notifications are deleted from the specified email account after the application or
questionnaire retrieves read-receipt information to prevent the account from
exceeding its storage limit. Use a dedicated email address to receive the read
receipts.
Server Specifies the server name or IP address of the mail server on which the return-
Name receipt email account is created.
The Server Name is the same server name or IP address that was used when
configuring the Notifications for the instance.

Protocol Specifies the method that is used to retrieve notifications from the email server.
Port Specifies the number associated with the communication endpoint for the selected
protocol.
User Specifies the name of the user who has access to the return-receipt email account.
Name
Password Specifies the password that is required to log on to the return-receipt email account.
Test Verifies that the credentials and connection information entered are correct.
Connection If an error occurs, correct the error and click Test again. Continue this process until
you receive a confirmation message indicating success.
Change the status of the read receipt rules
1. Go to the Manage Letterheads page.

2. In the Read Receipt Properties section, in the Status field, select the applicable status: Active or
Inactive.
3. Click Save.
Define the read receipt rules
1. Go to the Manage Global Notification Settings page.

c. Expand the Read Receipt Properties section.
2. In the Email Address field, enter the email address that receives the messages.
3. In the User Name field, enter the user name that has access to the return-receipt email account.
4. In the Password field, enter the password that is required to log on to the return-receipt email
account.

5. In the Test Connection field, click Test to verify that the credentials and connection information
you have entered are correct.
Note: If the test reports an error, correct the error and click Test again. Continue this process
until you receive a confirmation message indicating success.
6. Click Save.
Update the read receipt rules
1. Go to the Manage Global Notifications Settings page.

2. Expand the Read Receipt Properties section.

3. In the Email Address field, enter the email address that will receive the messages.
4. In the Server Name field, enter the server name or IP address of the mail server on which you
created the return-receipt email account.
5. In the Port field, enter the appropriate port for the selected protocol.
6. From the Protocol list, select the protocol used to retrieve emails from your email server.
account.
you have entered are correct,
If the test reports an error, correct the error and click Test again. Continue this process until you
receive a confirmation message indicating success.
10. Click Save.
Adding Admin Notifications

Admin notifications inform users of important system changes and events that are not directly related
to application content. For example, you can set up a notification when a password changes or when
a mail merge job succeeds or fails.
You can add any of the following admin notification types:

l Account Data Export Job Failed

l Account Data Export Job Succeeded
l Change User Password
l Datafeed Job Completed
l Globalization Export Job Failed
l Globalization Export Job Succeeded
l Globalization Import Job Failed
l Globalization Import Job Succeeded
l Mail Merge Job Failed
l Mail Merge Job Succeeded
l On Demand Bulk Actions Job Status
l Scheduled Bulk Actions Job Status
Add an admin notification

1. Go to the Manage Admin Notifications page.

b. From the Notifications list, click Admin Notifications.
2. Click Add New and do one of the following:

l To create a new admin notification, click Create a new Admin Notification from scratch.
l To create an admin notification from an existing one, click Copy an existing Admin
Notification. From the Admin Types list, select the template you want to use.
3. Click OK.
4. In the General Information section, enter the name and description of the notification.
5. In the Template Design section, select the letterhead and body layout that you want to use.
The Preview section displays the options you select.
6. Click the Content tab, and add the content you want to appear in the notification.

links.
field.

Adding On Demand Notifications

On-Demand notifications are pre-configured notifications that you can send to any active email
address. You configure the rules of a notification in an On-Demand notification blueprint.
Click in the page toolbar on a record to select from a list of available On-Demand notification
blueprints.
Example: On-demand notification

The following table provides an example on-demand notification scenario.
Members of the executive team want to receive the status of remediation plans
Scenario
periodically. Not all team members have access to RSA Archer.
A user with administrative rights creates an on-demand notification blueprint called

Remediation Plans. Specific values from a record in a specified location are placed
within the Subject line and Body of the template, including the name and status of each
Action
remediation plan. The email addresses of every member of the executive team are
added as recipients. Email addresses for non-RSA Archer users are entered manually
in the Static field.
A user adds new information to a remediation plan that affects other plans.
Result The user clicks and selects Remediation Plans from a list of blueprints. An email
alert is sent to every member of the executive team with the status of the remediation
plans.

Elements of on-demand notifications

The following table describes the elements of an on-demand notification.
Element Description
Recipient By default, the email address of each recipient is entered manually. Optionally, you
can specify the recipient type CC, BCC, and To.
Delivery On-demand notifications can only be sent instantly.
Subscription Recipients of on-demand notifications cannot subscribe or unsubscribe to the

notifications.
Access The access right for an on-demand notification is specified in the on-demand
notification blueprint. The following options are available:
l Public. All application and questionnaire users will automatically be granted
unrestricted access to use the notification blueprint.
l Private. Only specified users and groups can access the notification blueprint.
Add an on-demand notification

1. Go to the General tab on the Manage On Demand Notification Templates page.

b. From the Notifications list, select On Demand Notification Templates.

l To create a new on-demand notification template, click Create a new On Demand
Notification from scratch.
l To create an on-demand notification template from an existing one, click Copy an existing On
Demand Notification Template, and select the notification you want.
3. In Available Applications, select the application to which you want to link the notification.
4. Click OK.
5. In the General Information section, enter the name of the notification, description, and folder in
which you want to store the notification.
6. In the Template Design section, select the letterhead and body layout that you want to use.

click OK.
7. Click the Content tab and add the content you want to appear in the notification.
links.
field.
8. Click the Delivery tab and go to the Email Recipient Options section.
9. In the Send Each Notification As field, specify whether to send separate or one email
notification.


sent.
10. In the Recipients section, enter the list of users or groups who will receive this notification.
Recipients can be a dynamic or static list based on the notification type. A dynamic list is based
on the values of a Users and Groups list and record permissions or an email address stored in a
field.
Do the following for To, CC, and BCC:
b. Click OK.
11. Click the Access tab and specify whether the notification is public or private.
In the Access section, select whether the notification is available to everyone or specified users
and groups.

l To grant unrestricted access, select Public.

l To grant specific rights to selected users and groups, select Private.
In the Available section, do one or more of the following:

Adding Scheduled Report Distributions

Use Scheduled Report Distributions (SRD) to schedule notifications with attached reports or links to
reports. The content of an attached report is based on the record permissions of the user who creates
the report.
When an SRD includes a link to a report, user account privileges are enforced. Recipients of these
notifications can only view data in the report to which they have view privileges.
Note: If a user who created a report is inactive and that report is included (attached, not linked) in
SRD, then SRD creates a system impersonated session for that inactive user. SRD also checks for
the current access rights and roles of the inactive user.
Important: Scheduled Report Distributions are different from scheduled email alerts with embedded
reports or links to reports. You can schedule email alerts that contain embedded reports or links to
reports. The records and fields displayed in the scheduled report distribution are based on the access
restrictions of the user who creates the notification. This may result in someone receiving an
embedded report who is otherwise restricted from certain data.
Example 1: Attached report

The following table describes a scheduled report distribution example.
Scenario An RSA Archer user wants to send a weekly report to managers for feedback.
A user with administrative rights creates a Scheduled Report Distributions notification.

Action The report is included as an attachment in the Body of the template. The notification is
scheduled to be sent weekly to managers.
Once a week, a notification with an attached report is sent to managers. The report
Result contains the information based on the record permissions of the user instead of the
managers.

Example 2: Linked to a report

The following table describes a scheduled report distribution example.
Scenario An RSA Archer user wants to send a weekly report to colleagues for feedback.
A user with administrative rights creates a Scheduled Report Distributions notification.

Action A link to the report is included in the Body of the template. The notification is
scheduled to be sent weekly to a group of colleagues.
Once a week, a notification with a link to the report is sent to the group of colleagues.
Result A recipient clicks on the link to view the report that contains information based on the
record permissions of the recipient.
Elements for scheduled report distributions

The following table describes the elements of a scheduled report distribution.
Element Description
Table body layout is not available. All free-form body layouts can be used for
Layout
report-based notifications.
Only links and attached reports are available. Information in the attached report is
based on the record permissions of the RSA Archer user who creates the report. If
Content the report creator has permission to private fields, all reports sent through the
distribution will include the data of the private fields, even if the recipient does not
have access to the fields.
Recipient Recipients must have active RSA Archer user accounts.
Delivery Notifications are sent on a set schedule: daily, weekly, monthly, or quarterly.
Subscription Recipients cannot unsubscribe to a Scheduled Report Distribution notification.
Add a scheduled report distribution

1. Go to the General tab of the Manage Scheduled Report Distributions page.

b. From the Notifications list, click Scheduled Report Distributions.

l To create a new scheduled report distribution, click Create a new Scheduled Report
Distribution from scratch.

l To create a scheduled report distribution from an existing one, click Copy an existing
Scheduled Report Distribution, and select the notification you want.
3. Click OK.
5. In the Template Design section, select the letterhead and body layout you want.
click OK.
6. Click the Content tab and specify the reports and attachment type for embedding the report in this
notification.
l In the Reports field, select the report or reports that you want to embed in the email
distribution and click OK.
l In the Attachment Type field, select the format of the report or reports.
7. In the Template Design section, select the subject and content for the notification.
links.
field.
8. Click the Delivery tab and enter the email properties for this notification.

address.
selection.
notification.

Frequency Action

Frequency Action

July, and October.
condition.
occurrence.
digest.
10. In the Email Recipient Options section, specify whether to send separate or one email
notification.


sent.
field.
b. Click OK.


Adding Subscription Notifications

Subscription notifications enable subscribers to receive email alerts on a set schedule or instantly
when records are added or updated in a application or questionnaire. Administrators can create
notification blueprints for any application to which they have ownership rights. The rules for a
subscription notification are captured in a notification blueprint, the triggering mechanism for alert
emails.
For example, you can create a notification blueprint, specifying that an alert email is sent to all
members of the Risk Response team each time a new issue is reported. You can apply filters to this
blueprint so that email messages are sent only when the values Urgent and High are selected in the
Priority field. By applying filters, you can limit the number of alert emails that are triggered by the
blueprint.
Users select which notifications to receive using the Manage Your Email Subscriptions option in the
User Preferences menu. They can receive notification emails using any email-based device.
Add a subscription notification

1. Go to the General tab of the Subscription Notifications page.

b. From the Notifications list, click Subscription Notifications.

l To create a new subscription notification, click Create a new Subscription Notification from
scratch.
l To create a subscription notification from an existing one, click Copy an existing Subscription
Notification, and select the notification you want.
3. Click OK.
5. In the Template Design section, select the letterhead and body layout you want.
click OK.

links.
field.
7. Click the Delivery tab and in the Email Properties section, do the following:
address.
selection.
notification.


Frequency Action

July, and October.

Frequency Action
condition.
occurrence.
digest.
9. In the Subscriptions section, click the type for the default subscriber.
The following table describes the subscriber types.
Subscriber
Description
Type
None Users are not subscribed by default. Users can subscribe and cancel at any
time.
New Users New users receive notifications by default, but they can cancel the

Subscriber
Description
Type
All Users New and existing users receive notifications by default, but they can cancel
the subscription at any time.
Required New and existing users receive notifications by default, but they cannot cancel
the subscription.
10. In the Email Recipient Options section, specify whether to send separate or one email
notification.
sent.
field.


b. Click OK.
12. Click the Filter Criteria tab, enter the filters that you want to apply to this notification.
Only the records that match the specified criteria trigger a notification to generate.
a. In the Field to Evaluate field, select the field on which the evaluation is based.
b. In the Operator field, select the applicable operator for evaluating the values.
c. In Value(s), select the applicable values based on the field specified and click OK.
d. (Optional) To add a row for additional criteria, click Add New, and then repeat steps a – c.
e. (Optional) To add advanced operator logic, in the Advanced Operator Logic field, enter the
expression.

Adding XML Notifications

XML notifications are used to transmit information from RSA Archer to an external system or
integration in XML format. You configure the rules of an XML notification in an XML notification
blueprint.
Example
The following table provides an example XML notification scenario.
The Devices Vulnerability system of the IT team needs to be automatically notified
Scenario
when a new vulnerability is added to correctly update user interface displays.
A user with administrative rights creates an XML notification blueprint. Specific fields
are selected to be in the Subject line and Body of the template. The delivery frequency
Action
is Instantly, and the recipient is the email address of the Devices Vulnerability system.
The filter criteria is "Vulnerability" in the Text field.

Every time a new vulnerability is imported into RSA Archer, a notification is sent to the
Result
Devices Vulnerability system in an XML format.
Elements for XML notifications

The following table describes the elements of an XML notification.
Element Description
Layout Does not apply to XML notifications.
Content Only fields are included within the Subject line and Body of the notifications.
Recipient The email addresses of the recipients are entered manually. Multiple email
addresses are separated by a semicolon. The email addresses specified as recipients
receive all notifications generated by the notification blueprint.

behavior is defined in the notification blueprint.
Add an XML notification

1. Go to the General tab on the Manage XML Notifications page.

b. From the Notifications list, click XML Notifications.

l To create a new XML notification, click Create a new XML Notification from scratch.
l To create an XML notification from an existing one, click Copy an existing XML
Notification, and select the notification you want.
3. Click OK.
a. In the Subject line, enter the text or field you want to include as the subject of this
notification.

b. In the Body field, select the fields you want to include in this notification.
6. Click the Delivery tab and enter the email properties for this notification.
address.
selection.
notification.

Frequency Action

Frequency Action

July, and October.
condition.
occurrence.
digest.

field.
b. Click OK.
9. Click the Filter Criteria tab, enter the filters that you want to apply to this notification.
Only the records that match the specified criteria trigger a notification to generate.
a. In the Field to Evaluate field, select the field on which the evaluation is based.
b. In the Operator field, select the applicable operator for evaluating the values.
c. In Value(s), select the applicable values based on the field specified and click OK.
d. (Optional) To add a row for additional criteria, click Add New, and then repeat steps a – c.
e. (Optional) To add advanced operator logic, in the Advanced Operator Logic field, enter the
expression.


Configuring Default Notification Settings

The following table describes the default notification settings that determine the default options and
values across all notification blueprints of an instance. You can designate a default letterhead, body
layout, from address, alias, and attachment types. You can override these default values in the indi-
vidual notification blueprints.
Settings Description
Letterhead Specifies the default letterhead. The right column displays a preview of the selected
letterhead.
Note: XML Notifications do not contain letterheads.
Body Specifies the default layout of the body, including the arrangement of the data. The
Layout Table body layout arranges the content in a structured format. All other body layouts
are free-form layouts, and you can arrange content anywhere in the body.
From Specifies the default email address from which to send notifications. The Default
Address From Address established for the instance is used if this one is not provided.
From Alias Specifies the default email alias for the From Address.
Attachment Specifies the default attachment type. The following types are available:
Type l Adobe PDF
l CSV
l HTML File
l Microsoft Excel
l Microsoft Word
l XML File
Configure the default notification settings

1. Go to the Default Notification Settings section of the Manage Global Notification Settings page.

c. Go to the Default Notifications Settings section.
2. In Letterhead, select the default letterhead that you want to use.

3. In Body Layout, click Select.
4. Preview and select the layout you want, and click OK.

5. In From Address, enter a default email address.

6. In From Alias, enter a default email alias.
7. In Attachment Type, select the default attachment type.
Configuring Global Notification Settings

Global notification settings define the default values for notification templates and control read-
receipt functionality, which allows RSA Archer to track the receipt of email notifications. The
default settings are overridden by the settings of the individual notifications.
Before you begin:

l Define the letterheads templates for the notification blueprints (not required for XML notification
blueprints).
l Define the user accounts for RSA Archer.
Use the Manage Global Notification Settings page to configure the default global values.
l Configuring Default Settings
l Defining Read Receipt Rules
Defining Letterhead Templates

Letterhead templates define the page, header, body, and footer properties used in a notification. A
letterhead is not a required element of a notification blueprint, and does not apply to notifications
sent in XML format. A default letterhead is specified in Global Notification Settings, but the
selection can be overridden in the individual notification blueprint.
Letterhead properties
The following table describes the letterhead properties.
Name Specifies the name of the letterhead. The name of each letterhead must be unique
across the instance.
Status Enables the letterhead to be used in notifications. To prevent the letterhead from
being used, select Inactive.
Description Specifies information about the letterhead.

Page Specifies the entire page background color and border settings, including the line
height.
Header Specifies the header background color and border settings, including the line height.
Body Specifies the body background color and border settings, including the line height.
Footer Specifies the footer background color and border settings, including the line height.
Add a letterhead template

b. Under Notifications, click Letterheads.
2. Click Add New.

l To select new settings for the letterhead, click Create a new Letterhead from scratch.
l To use the settings of an existing letterhead, do the following:
a. Click Copy an existing Letterhead.
b. Select the existing letterhead from the Available Letterheads list.
4. Click OK.
5. In the General Information section, enter the name of the letterhead template and description.
7. In the Toolbar field, click the applicable tab for the properties you want to define.
8. In Fill Properties, do one or more of the following.
Property Action
Background Do one of the following:

Fill l To specify no fill, click No Fill.
l To specify a background fill, click Solid Fill.

Property Action
Background If you selected Solid Fill, specify the color for the background of the body. To
Color choose a background color, do one of the following:
l Enter the HTML code in the space provided, for example #FFFFFF.
l Click to select a color from the color picker.
9. In Border Settings, enter the following:

Property Action
Line Specify the color of the body border. To choose a color, do one of the following:
Color l Enter the HTML code in the space provided, for example #FFFFFF.
l Click to select a color from the color picker.
Line
Click the arrows to set the width in pixels of the border. If you prefer
Height
no border, set the value at zero (0).
10. Click OK.

l If you are not defining the body or page properties, go to step 12.
l If you are defining footer or header properties, use the Rich Text Editor toolbar to change the
appearance of the text, add an image, or edit the HTML.
Delete a letterhead template

2. Click the row of the letterhead that you want to delete.
3. Click .
4. Click OK.

Set a letterhead template to inactive
1. Go to the General tab of the letterhead you want to set to inactive.

c. Select the letterhead.

Defining Read Receipt Rules

Read receipt properties enable or disable the return-receipt functionality and specify the supporting
properties, such as the email address that receives the return receipt. This allows you to know if
your users are receiving their notifications.
Define the read receipt properties
1. Go to the Manage Read Receipt Properties section on the Manage Global Notifications Settings
page.

c. Expand the Read Receipt Properties section.
2. In the Email Address field, enter the email address that receives the messages.
account.
Note: If the test reports an error, correct the error and click Test again. Continue this process


Change the status of the read receipt properties
1. Go to the Read Receipt Properties section on the Manage Global Notifications Settings page.

2. In the Read Receipt Properties section, in the Status field, select the applicable status: Active or
Inactive.
Update the read receipt properties
1. Go to the Manage Global Notifications Settings page.

2. Expand the Read Receipt Properties section.

3. In the Email Address field, enter the email address that will receive the messages.
4. In the Server Name field, enter the server name or IP address of the mail server on which you
created the return-receipt email account.
5. In the Port field, enter the appropriate port for the selected protocol.
6. From the Protocol list, select the protocol used to retrieve emails from your email server.
account.

Note: If the test reports an error, correct the error, and click Test again. Continue this process

Troubleshooting Notifications
Determine point of failure

Problem: Notifications are not being sent or received.
The following table lists potential causes and solutions.
Cause Solution
The Notifications feature is Configure Notifications in the application, questionnaire, or

not enabled in the workflow. Enable Notifications on the General tab of the applicable
application, questionnaire, application or questionnaire in Application Builder.
or workflow. Ensure the notification blueprint is active.
The job engine is not Start the Job Engine in the Windows Services.
running in the Windows
Services.
The Notifications feature is Configure Notifications in the RSA Archer Control Panel.

not configured properly in
the RSA Archer Control
Panel.
The wrong type of Ensure you are using the correct type of notification blueprints for
notification blueprint is used the data that is being triggered.
for the triggering data. Updates to records trigger subscription notifications. You can
update records manually or through a data feed.
Reminder notifications are based on specific criteria. All criteria
must be met to trigger a notification.

Cause Solution
The record in the data feed Ensure the data feed is configured for sending notifications. Select
does not trigger the Send Notifications in the Additional Properties of the data feed.
notifications. DDE Generate Notification action and On-Demand notifications
are not triggered from data feed.
Use Subscription Notifications in a data feed so that data is
accessible on the schedule of the notifications.
Reminder notifications are based on specific criteria. All criteria
must be met to trigger a notification.
The notification jobs are not Set the job priority in the Job Engine Manager. For more
prioritized properly. information, see "Set Filters" in the RSA Archer Control Panel
Help.
There are many jobs ahead Change the priority of the SendNotificationJob or SendMessagesJob
of the notification job types. notification job types.
Workflow notifications can If you enable a workflow in an application, then only the Reminder
only be sent by the notification type can be used in a DDE.
Reminder notification type If you try to send notifications on an instant, daily, weekly or
for a Data-drive event monthly basis in an application or questionnaire that has workflow
(DDE). enabled, the notifications do not send. These types of notification
can only be sent from within an enabled workflow.
Problem: The user cannot view the record.

The following table lists potential causes and solutions.
Cause Solution
The user does not have Check the Access Roles of the user to ensure that the user has
permissions to view the access rights to the application or questionnaire of that record.
record. Ensure that the user has access rights to view that record, including
Cross-Reference fields and related records.
Troubleshooting filter criteria for reminder notifications

Filter criteria can be defined in the delivery schedule of a reminder for the following notifications:
l Subscription notification
l XML notification
l DDE Generate Notification action

Records do not have to be saved or updated to send a reminder notification. Records are evaluated at
the specified time according to the delivery schedule. The reminder notification is sent when a
record meets all the defined filter criteria.
The following scenarios provide the filter criteria for sending reminder notifications before the
current data and after the current date.
Filter criteria before the current date
Scenario 1 Notification is evaluated and sent every day for all

records where "Date Field 1" is more than 1 day before the current
date.
Field Operator Days Occurrence Target
Date Field 1 Greater Than 1 Daily Before Date

records where "Date Field 1" is less than 999 days before the cur-
rent date.
Date Field 1 Less Than 999 Daily Before Date
Scenario 3 Notification is evaluated and sent only once for all

records where "Date Field 1" is 1 day before the current date.
The Occurrence is defined as Once because the Target date can-
not be continually equal to the number of days before the current
date.
Date Field 1 Equals 1 Once Before Date

records where "Date Field 1" is 999 days before the current date.
The Occurrence is defined as Once because the Target date can-
not be continually equal to the number of days before the current
date.
Date Field 1 Equals 999 Once Before Date

Filter criteria after the current date

records where "Date Field 1" is greater than 1 day after the cur-
rent date.
Date Field 1 Greater Than 1 Daily After Date

records where "Date Field 1" is less than 999 days after the cur-
rent date.
Date Field 1 Less Than 999 Daily After Date

records where "Date Field 1" is equal to 1 day after the current
date. The Occurrence is defined as Once because the Target
date cannot be continually equal to a number of days after the
current date.
Date Field 1 Equal To 1 Once After Date

records where "Date Field 1" is equal to 999 days after the cur-
rent date. The Occurrence is defined as Once because the Tar-
get date cannot be continually equal to a number of days after
the current date.
Date Field 1 Equal To 999 Once After Date
Troubleshooting with notification reports

Notification reports provide the success and failure status of notifications. Notifications still in the
queue are not reported. To access these reports, from the menu bar, click Administration >
Notifications > View Notification Reports.

Example: Using the Notification Engine Recent Activity - Last 24 Hours report
The following table lists potential problems and solutions.

Message
Problem Solution
Status
Successful The notifications are sent Check the Junk E-Mail folder or other email folders
successfully, but the recipient of the recipient.
does not receive it. If the notification is not in another folder, generate
the Notifications Sent report to view that the
Recipient Email Address is correct.
Successful There are fewer notifications Recipients did not receive all notifications. If this is
shown in the report than happening:
should have been sent. 1. Check the application or questionnaire's record
permission fields to be sure the recipient is
allowed to see the records.
2. Check the rights of the roles assigned to the
groups to which the recipient belongs.
recipient.
4. Modify the rights and permissions appropriately
and resend the notifications.
Successful The recipient only sees part of Recipients do not have permission to view the
the content. record. If this is happening:
1. Check the application or questionnaire's record
permission fields to be sure the recipient is
allowed to see the records.
groups that the recipient belongs.
recipient.
4. Modify the rights and permissions appropriately
and resend the notifications.

Message
Problem Solution
Status
Failed The notifications failed to Ensure that the Server Address is correct in the RSA
send. Archer Control Panel > General Settings of the
instance.
Ensure the user account of the recipient has an email
address. See Managing Users.
N/A The report does not show any Check the notification rules to be sure that they are
notifications; the notifications valid and will trigger. If that is the issue, modify the
did not trigger. rules and send again.
Discussion Forums for Administrators
Note: This topic is intended for administrators. For an overview for users, see "Discussion Forums
for End Users" in the RSA Archer Online Documentation .
The Discussion Forums feature enables administrators to create structured environments where
users can exchange information on various topics. These environments, called forums, provide a
platform for posting and replying to topics. Administrators can group forums together into
communities. For example, a community named Microsoft Windows can contain forums for
Microsoft Windows Vista vulnerabilities and Microsoft Windows 7 vulnerabilities.
The Discussion Forums feature appears in both the administration suite and the end-user suite of
features. In the Discussion Forums feature in the administration suite, administrators can establish
discussion forum communities and assign forum creators for each community. They also can define
roles for forum participants, which control the permissions end users have in discussion forums.
Application owners also can create record-specific discussion forums to allow users to discuss
information as it relates to a specific content record. The Discussion field type is available for this
purpose.
In the end-user Discussion Forums feature, forum creators can create new forums in their assigned
communities and can define the properties of those forums, select forum members, and assign roles
to those members. End users also can access forums to which they belong through the end-user
Discussion Forums feature, enabling them to read, add, or respond to topics according to the rights
assigned to them through their forum roles.
The Discussion Forums feature provides several default roles for forum participants and enables
administrators to create additional roles. Forum creators, designated by administrators of the
Discussion Forums feature, can create new forums in their assigned communities and can define the
properties and the membership for those forums. Default roles that forum creators can assign to
forum members include forum administrator, moderator, participant, and read-only participant.

Discussion forums terminology

The definitions of terms in the following table are specific to the Discussion Forums feature.
Term Definition
Community An organizational structure for grouping one or more related discussion forums. A
community itself is not a forum and cannot receive posts.
Forum A discussion area focused on a specific subject or theme. A forum is housed in a

discussion community. The forum contains information exchanges relative to one
specific subject. Each forum can contain many topics, and those topics should all
relate back to the central subject or theme established by the forum.
Traditional A standard discussion forum built through the Discussion Forums feature.
Forum
Content- A discussion forum that is linked directly to a specific content record. It cannot be
Specific accessed through the Discussion Forums application. Instead, users can access it
Forum by clicking View Forum in the Discussion field in a record.
Locked Messages in a locked forum can be read by users, but no new messages can be
Forum posted to the forum.
Archived An archived forum is hidden entirely from forum participants. No messages can be
Forum read or posted in the forum. However, an archived forum can be made available
again to forum participants by a community or forum administrator.
Community A user who has been granted the rights to view, edit, and delete all forums in a
Administrator selected community, regardless of whether the user has been enrolled as a
member of those forums. Discussion community administrators also can add new
forums in their assigned communities.
Forum To access and contribute to a forum, a user must be enrolled as a member of that
Membership forum. Each member is assigned a specific role that governs the user rights in the
forum.
Forum Role Each member of a forum is assigned a specific role, which is a named grouping of
rights. A user role dictates what the user can and cannot do in a particular
discussion forum. For example, administrators might create a role called "Reader,"
which is assigned to users who need the ability to view all posts in a given forum,
but who will not be permitted to respond to those posts or to contribute new topics
for discussion.

Term Definition
Forum When a forum creator assigns a user as an administrator of a selected forum, the
Administrator administrator has rights to post messages and to edit and delete posts made by any
forum participant. Forum administrators also can enroll additional members or
revoke the membership of any user or group.
Moderator When a forum creator assigns a user as a moderator of a selected forum, that
moderator has rights to post messages and to edit and delete posts made by any
forum participant. They also can enroll additional members or revoke the
membership of any user or group, and they can manage the properties of the
forum, including its expiration plan, reply depth, display options, and so on. In
addition, moderators can merge topics in the forum.
Post A generalized term referring to any type of message submitted to a forum. Topics
and replies are specific types of posts.
Topic A top-level post that poses a question or otherwise establishes the context for a
thread of discussion. Topics serve as containers for replies.
Reply A post that is submitted in response to an existing post. Replies provide the means
for exchanging thoughts, opinions, or supporting information relative to a given
topic.
Thread A single topic and all of its related replies. The topic-directed discussion that
occurs in a forum is thought of as "threaded" because you can trace the path of
information from the original topic down through all of its reply postings.
Hot Topic A topic is considered "hot" if it has been replied to or viewed several times in a
short period of time. Hot topics are displayed with a star icon so users can easily
identify them. Community and forum administrators define the criteria for topics
marked as "hot," and these criteria can vary from forum to forum. For example, in
one forum, a hot topic may be defined as one that has received 10 posts in the last
3 days and has been viewed 20 times in the last day. In another forum, a hot topic
may be defined simply as one that has received 5 posts in the last day.
Locked Topic When a topic is locked, users are not permitted to reply to it. The topic and its
previous replies, however, remain visible to users. Locked topics can be unlocked
at any time by users who have the proper rights.

Discussion forums icon legend

The following table describes icons that are unique in the Discussion Forums feature.
Icon Description
You have read all posts in this discussion community, forum, or topic.
This discussion community, forum, or topic contains new posts for you to read.
This discussion community, forum, or topic has recently experienced a large number of
postings and information that you have viewed. You have read all posts in this community,
forum, or topic.
This discussion community, forum, or topic recently experienced a large number of postings
and information that you have viewed. The community, forum, or topic contains new posts
for you to read.
This discussion forum or topic is locked, and you have read all posts in it.
This discussion forum or topic is locked, and it contains new posts.
Adding Discussion Communities

A discussion community brings together discussion forums with similar subjects or themes.
Discussion community administrators and discussion forum creators add and edit forums in their
assigned communities. Community forum administrators edit the properties of those forums, but
cannot create new forums.
1. Go to the Manage Discussion Communities page.

b. Under Discussion Forums, click Discussion Communities.
2. Click Add New.

l To select new settings for a community, select Create a new Discussion Forum Community
from Scratch.
l To use the settings of an existing discussion forum community as a starting point for your new
community, select Copy an Existing Discussion Forum Community and select the existing
community from the Discussion Forum Communities list.
4. Click OK.


a. In the Name field, enter a unique name for the community.
b. In the Description field, enter a description of the community.
6. In the Administration section, do the following:
a. In the Community Administrators field, select the groups, users, or both that you want to
administer the community.
b. In the Forum Creators field, select the groups, users, or both that you want to create the
forums.
Adding Discussion Forums
Task 1: Enable a discussion forums in a solution
1. Open the solution to which you want to add a discussion forum.

c. Select the solution that will have the discussion forum.
2. In the Applications section, click Add New.

3. In the Applications tab, select Discussion Forums and click OK.
4. Click Save.
Task 2: Create a discussion forum
1. Go to the Forum page.

a. On the Workspace menu, select a solution.
b. If the discussion forum is enabled, click the preferred sub-solution.
c. Under the Discussion Forum, click Communities.
d. Select a discussion community.

2. Click Add New and do the following:

l To create a new discussion forum, select Create a new Discussion Forum from scratch.
l To create a discussion forum from an existing discussion forum, click Copy an existing
Discussion Forum and select from the Discussion Forum list.
3. Click OK.
4. On the General tab, in the General Information section, enter the name and description of the
discussion forum community.
5. Click Save or Delete.
l Click Delete to remove the discussion forum.
Task 3: Configure the discussion forum options

a. On the Workspace menu, select a solution.
b. If the discussion forum is enabled, click a sub-solution.
c. Under Discussion Forum, click Communities.
2. Select the forum that you want to manage.

3. On the Administration tab, select from the following administrative, display, and notification
options:
Option Description
Forum To set the forum to be archived or deleted on a specific date, select Archive or
Expiration Delete, and in the Forum Expiration Date field, select a date on which the
Plan forum should be archived or deleted.
Maximum Enter the maximum number of topics that can be added to the forum. By default,
Topic Count 100 topics are permitted.
Maximum Enter the maximum number of replies that can be posted per topic. By default,
Reply Count 300 replies are permitted.

Option Description
Maximum When a discussion forum user posts a reply to a topic, that reply is nested under
Reply Level the topic. If another user posts a reply to the first user reply, that second post is
Count nested beneath the first post, creating a 2-level reply depth. In this field, enter
the maximum number of reply levels allowed per topic. By default, 20 reply
levels are permitted.
Maximum To set the maximum number of days a topic can reside in the forum, enter the
Topic Age number of days in this field.
(Days)
Attachments To allow forum participants to attach files when posting topics and replies,
select Allow Attachments. You also can define the maximum allowable size for
those file attachments by selecting a size from the Maximum Attachment Size
(MB) list. The default size is 1MB.
Anonymous To allow users to optionally post anonymous messages in the forum, select
Posting Allow. When this option is selected, forum participants can select the Post as
Anonymous User option when submitting a new post in the forum.
Moderator To configure the forum to trigger email notifications for forum moderators each
Emails time a new post is submitted, select Notify when a message is posted.
Hot Topics A topic is considered "hot" if it has been replied to or viewed a specified
Status number of times within a specified number of days. Hot topics are marked for
Criteria users with a star. To configure when topics are flagged as "hot," enter the
number of replies, views, and days in the appropriate fields.

Task 4: Enroll discussion forum member

a. From the Workspace menu, select a solution.
c. Under Discussion Forums, click Communities.
2. Select the discussion forum that you want to manage.

3. On the Membership tab, for each Forum Role to which you want to assign members, click .
4. From the Available list, edit the list of users and groups you want to assign to the role.
l To remove a user or group from the Selected list, click to the right of the name.
l To search for a specific user or group:
a. Enter the appropriate name in the Find field.
b. Select the name type from the adjacent drop-down list.
c. Click .
5. Click OK.
Adding Discussion Forum Roles

The discussion forum role controls user access rights in the end-user Discussion Forums feature.
1. Go to the Manage Discussion Forum Roles page.

b. Under Discussion Forums, click Discussion Forum Roles.

l Select the forum role that you want to update.
l To create a new role, click Add New and do one of the following:
o To create a new discussion forum role, select Create a new Discussion Forum Role from
Scratch and click OK.
o To create a discussion forum role from an existing discussion forum role, click Copy an
Existing Discussion Forum Role, select from the Discussion Forum Role list, and click
OK.
3. In the Role Permissions section, select each access right that you want to enable for the
discussion forum role.

The following table describes each access right.

Access
Description
Right
Read Posts Users can read posts in the selected forum, but cannot post messages of their
own.
Post Users can post replies to existing topics or existing replies.

Replies
Post New Users can post new topics in the forum.

Topics
Delete My Users can delete any message they have posted in the forum. If other users have
Posts replied to the deleted post, those replies also are deleted.
Edit Posts Users can edit any post in the forum, whether created by them or by another
user.
Delete All Users can delete any post in the forum, whether created by them or by another
Posts user. If other users have replied to the deleted post, those replies also are
deleted.
Add Forum Users can add users and/or groups to the list of forum members.
Users
Remove Users can remove users and/or groups from the list of forum members.
Forum
Users
Manage Users can modify the forum properties.

Forum
Properties
Merge Users can merge topics to organize them in the forum.

Topics

Merging Topics in a Discussion Forum

If you find topics that contain similar information, you can combine or merge them together to keep
the discussion forum organized.

1. Go to Forum page.
a. On the Workspace menu, click a solution.
c. Under Discussion Forum, click Communities
d. Select the discussion community with the forum you want to manage.
2. Go to the discussion forum that contains the topics that you want to merge.
3. In the Actions column, click for a topic that you want to merge.
4. In the Target Topic field, click .

5. In the Target Topic Lookup dialog box, select the topic that you want to serve as a "parent" to
the topics that you plan to merge together.
6. Click OK.
7. In the Merge Topics field, click .

8. In the Merge Topics Lookup dialog box, select the topics that you want to group, or merge, under
the parent topic.
The merged topics are nested under the parent topic and display as replies to that topic. Merged
topics retain their original threading.
Locking and Unlocking Discussion Forums

Lock or unlock a discussion forum to control whether new content is posted.
Lock a discussion forum
a. From the Workspace menu, click a solution.
d. Select the discussion community with the forum that you want to manage.
2. Select the discussion forum that you want to lock.

3. Go to the General tab.

4. Select Locked to lock the forum.

Unlock a discussion forum
d. Select the discussion community with the forum that you want to manage.
2. Select the discussion forum that you want to unlock.

4. Clear the Locked checkbox to unlock the discussion forum.
Archiving Discussion Forums

You can archive an existing forum and remove it from participant view. Once a forum has been
archived, only administrators can continue to access the forum and its posts, as well as edit the
properties of the forum.
d. Select the discussion community with the forum you want to manage.
2. Go to the discussion forum that you want to archive.
Note: If you are accessing a record-specific discussion forum, go directly to the record where
that discussion form is located and skip to step a of this procedure.


4. Select Archived to archive the forum.
Note: You can restore an archived forum to participant use by clearing the checkbox.

Training and Awareness

The Training and Awareness feature enables administrators to construct and deliver training and
awareness communications to specified users and groups. You can expose users to policy changes
and additions, broadcast information regarding special events, and assess your users understanding
of various issues. Training and awareness communications are organized as campaigns with one or
more events. Campaigns support Acceptance, Presentation, and Quiz event types.
Use events to create highly effective campaigns for education and assessment. For example, you can
use a presentation event to inform your end-user community that your Internet Use policy is changing
and to describe the proposed changes. You can then present the revised Internet Use policy in an
acceptance event and require your users to accept the policy or decline it with an explanation of
their choice. Finally, you can send a quiz event to the same users to find out if they understand your
revised policy by requiring them to correctly answer a series of questions.
Each event in a campaign has a start and stop date so you can create events in advance. The stop
date specifies the end to an event if the information it contains becomes irrelevant or no longer
requires distribution. Various formatting and delivery options are available for complete
customization of events. All events can include custom text and content from any application. You
can direct events to an individual user or group or to multiple users or multiple groups.
RSA Archer offers the following event types to equip you to effectively communicate information to
your users:
l Presentation Events are used to broadcast information to users or groups via emails or prompts
when a user logs in to RSA Archer.
l Acceptance Events are used to broadcast information to users in the form of a prompt when a
user logs in to RSA Archer.
l Quiz Events are used to test user knowledge of application content, and are presented to users as
a prompt when they log in to RSA Archer.

Example: Training and awareness timeline for a campaign delivered over several
weeks
The following table shows an example training and awareness timeline for a campaign delivered
over several weeks.
Date Action Event Description
Planning
1/1 Announce the Archer Send an email to all system administrators that the your
Policy Change Email VPN policy has been changed. Include a copy of the policy
Notification for administrators to review.
1/19 Repeat Pop-Up on Greet system administrators with a reminder to read the
Announcement Archer VPN policy.
Login
2/1 Announce a Archer Send a follow-up email to system administrators to inform

Policy Quiz Email them that a quiz on the new VPN policies will be
Notification administered on February 9.
2/9 Adminster the Archer Administer the VPN policy quiz to system administrators.
Quiz Quiz Optionally set a minimum passing grade or provide them
with open book guidance. Allow enough days for everyone
to take the quiz.
2/28 Analyze Quiz Archer Review the quiz results and determine the next course of
Results Reporting action.
Evaluation

Training and Awareness terminology

The following table describes training and awareness terms.
Term Definition
Campaign A campaign is an organizational structure that groups training and awareness events
with similar subjects or themes.
For example, a campaign called Password Compliance Training could contain the
following:
l A presentation event called Passwords and Security Parameters
l An acceptance event called Password Change Policy
l A quiz event called Password Change Policy Quiz
Event A method for communicating and gathering information through a campaign. The
following events are supported: Acceptance, Presentation, and Quiz and are presented
to users as a prompt when they log in to RSA Archer.
l Acceptance events communicate information and require action from the recipient.
l Presentation events communicate information to users and groups.
l Quiz events test users knowledge of content, for example, a change in policy.
Adding Training and Awareness Campaigns

A campaign is an organizational structure that groups Training and Awareness events with similar
subjects and themes. Use campaigns for highly effective education and assessment of your
employees. Campaigns include events that help you manage the training and awareness of your
employees.
For example, you can create a campaign that notifies the employees of a policy change, request an
acceptance from them acknowledging the notification, and a quiz to test their understanding of the
change in policy.
Campaign event types

You can define or modify the content of an event by entering text or selecting content from any
application for which you have ownership rights. Entering content from an application enables you to
communicate relevant information to specified users using existing information, such as Acceptable
Use policies. You can use introductory text to introduce application content, or to provide
instructions for taking quizzes.
RSA Archer offers the following event types to help you effectively communicate information to
your users:

l Presentation Events are used to broadcast information to users or groups via emails or prompts
when a user logs in to RSA Archer.
l Acceptance Events are used to broadcast information to users in the form of a prompt when a
user logs in to RSA Archer.
l Quiz Events are used to test user knowledge of application content, and are presented to users as
a prompt when they log in to RSA Archer.
Quiz behaviors
You can set the quiz behavior for determining:
l The passing grade
l The passing requirements
l The number of times a user can retake the quiz if the user did not pass the quiz
l Whether answers are marked as correct or incorrect
l Whether the quiz is open-book style, allowing users to navigate between the quiz and the content
while taking the quiz
The following rules apply when any of the behaviors are set:
l Users who pass the quiz are allowed to continue to the application.
l Users who fail the quiz may be forced to retake it based on a determined number of retakes.
Users are prompted to retake the quiz up to up to the maximum number of specified retakes. If a
user does not pass the quiz within the specified number of retakes, the user is allowed to continue
to the application.
If the answers are marked for showing the grading, correct answers appear with a green check mark
and incorrect answers appear with a red X.
Add a campaign
1. Go to the Manage Training and Awareness Campaigns page.

b. Under Training and Awareness, click Training and Awareness Campaigns.
2. Click Add New.

3. In the Campaign Name field, enter a name for the campaign.
4. In the Description field, enter a brief description of the campaign.
5. Click Save.

Adding Presentation Events

Presentation events broadcast information to users or groups using email or prompts when a user logs
in to RSA Archer. Recipients of presentation events are not required to acknowledge receiving the
event or to respond to the content of the event. Presentation events represent a passive form of
communication.
Use policies. You can use introductory text to introduce application content or to provide instructions
for taking quizzes.
Task 1: Add an event
1. Go to the campaign to which you want to add an event.

c. Select the campaign.
2. Click Add New.

3. In the Creation Method section, do one of the following:
l To add a new event, click Create a new Event from scratch and click Presentation.
l To make a copy of an existing event, click Copy an existing Event and select the event.
4. Click OK.
5. Select a delivery option, and click OK.
6. In the General Information section on the General tab, enter the name and description.
7. Click Apply.
Task 2: Define the content

2. In the Introduction field, type the text that you want to be displayed at the top of the event email
or prompt. Use the Rich Text Editor toolbar to format the text.
3. Do the following to provide content from an application after the introductory text:
a. In the Content field, click .

b. Select an application or questionnaire from the list and click OK

4. In the Closing field, enter the text that you want to be displayed at the bottom of the event. Use
the Rich Text Editor toolbar to format the text.
5. Click Apply.
Task 3: Select the delivery options

Your delivery options vary depending on the delivery method that you selected when you created the
event.
2. In the Delivery Options section, enter the name of the quiz and the begin and end dates of the
event.
3. In the Skip Setting field, select the behavior for allowing users to skip the questions in the event.
4. In the Reminders section, select the whether reminder notices are sent. If you select a
frequency, enter the following information:
l (Optional) In the Reminder Frequency field, select the frequency for sending the reminder
notices.
l In the From Address, enter the Email address of the sender. For example the sender Email
address might be noreply@acme.com.
l (Optional) In the From Alias field, enter the nickname of the sender.
5. Click Apply.
Task 4: Select event recipients

1. Click the Recipients tab.
l To specify users or groups, select the users and groups who you want to receive the event
from the Available list
l To search for a specific user or group, enter the name in the Find field, select the name type
from the adjacent list, and click . The results of your search are displayed in the Available
list.
l To remove a user or group from the list of recipients, click to the right of the appropriate
3. Click Apply.

Adding Acceptance Events

Acceptance events are used to broadcast information to users, and requires action from the recipient.
These events are presented to users as a prompt when they log in to RSA Archer. Users receiving
an acceptance event are required to accept or decline the event. Communicating an Acceptable Use
policy is an example of how to execute an acceptance event to ensure that users within an
organization have read the necessary material associated with their role.
Use policies. You can use introductory text to introduce application content or to provide instructions
for taking quizzes.
Task 1: Create an event

2. Click Add New.

l To add a new event, click Create a new Event from scratch and click Acceptance.
4. Click OK.
5. In the General tab, enter the name and description.
6. Click Apply.



5. Click Apply.

event.
notices.
5. Click Apply.
Task 4: Select recipients

list.
3. Click Apply.

Adding Quiz Events

Quiz events are used to test users knowledge of application content. These events are presented to
users as a prompt when they log in to RSA Archer. A quiz event is a method for determining not
only that a user received or accepted an event, but also that they have a complete understanding of
the required reading. The content in the quiz can be displayed prior to the quiz or can be available
for users to review as they take the quiz.
Quiz behaviors
You can set the quiz behavior for determining:
l The passing grade
l The passing requirements
l The number of times a user can retake the quiz if the user did not pass the quiz
l Whether answers are marked as correct or incorrect
l Whether the quiz is open-book style, allowing users to navigate between the quiz and the content
while taking the quiz
The following rules apply when any of the behaviors are set:
l Users who pass the quiz are allowed to continue to the application.
l Users who fail the quiz may be forced to retake it based on a determined number of retakes.
Users are prompted to retake the quiz up to up to the maximum number of specified retakes. If a
user does not pass the quiz within the specified number of retakes, the user is allowed to continue
to the application.
If the answers are marked for showing the grading, correct answers appear with a green check mark
and incorrect answers appear with a red X.
Task 1: Add a quiz event

2. Click Add New.


l To add a new event, click Create a new Event from scratch and click Quiz as the event type.
4. Click OK.
5. In the General Information section on the General tab, enter the name and description.
6. Click Apply.


5. Click Apply.

event.
notices.
5. Click Apply.

Task 4: Select recipients

list.
3. Click Apply.
Task 5: Define the question order and quiz behavior

1. Click the Questions tab and go to the Questions and Answer Setting section.
2. In the Question Numbering field, select the numbering format for the questions.
3. In the Answer Numbering field, select the format for the numbering answers.
4. In the Question Display Order field, select to list the questions manually or randomly.
5. Go to the Quiz Behavior section.
6. In the Passing Grade field, enter the percentage required to receive a passing grade.
7. Complete one or more of the following:
l To require users to pass the quiz, select Force retakes from the Passing Requirements list.
l To limit the number of times a user can retake a quiz, specify that number in the Retake Limit
field.
l To allow users to view incorrect answers when retaking a quiz, select Mark incorrect quiz
answers on retakes from the Show Grading list.
l To allow users to review the content of the quiz while taking the quiz, select Allow content
review during the quiz from the Review Content list.
Adding Questions to Quiz Events
You can add questions to the quiz either by entering them yourself or importing them from another
quiz.

Add questions to the quiz event
1. Go to the Questions tab of the quiz event that you want to update.

d. Select the quiz event.
e. Click the Questions tab.
2. In the Questions section, click Add New.

l To create a new question, click Create a new Question from scratch.
l To create a question from an existing question, click Copy an existing Question and select the
existing question from the list.
4. Click OK.
5. In the Question field, enter the question text.
6. In the Answers section, enter the answer text.
7. Click Add New to add another answer, and enter the answer in the blank field. Repeat this step
to create the answers for the question.
8. In the Correct column, click the checkbox to the right of the answer to designate it as the correct
answer for the question.
9. (Optional) In the Multiple Answer Selection field, select whether users can select more than one
answer for the question if the question is multiple choice and select the appropriate method for
listing the answers.
l To present the answers randomly for each quiz participant, select Random Answer Order.
l To present the answers in a specific order, select Manual Answer Order.
10. (Optional) In the Hint field, enter the text for providing the quiz participants a hint if they answer
the question incorrectly.
11. (Optional) Click Configure Display Order to reorder the answers by dragging each answer to its
position you want.
12. Click OK to save your question and answers.


Import questions into a quiz event
1. Go to the Questions tab of the quiz event that you want to update.

d. Select the quiz event.
e. Click the Questions tab.
2. In the Questions section, click Import.

3. Select one or more campaigns from which to copy the questions.
4. Click OK to import the questions.
5. Edit or delete the imported questions so that meet your needs for the quiz.
l To edit a questions, click and make the necessary changes by changing the order in which
they are listed, the answers to the question, and marking the correct answer.
l To delete a question, click .

l To add a new questions, click Add New and follow the instructions for adding a new question.
Deleting Campaigns and Events

When a campaign or event is no longer needed, you can delete them from the Manage Training and
Awareness Campaigns page.
Delete a campaign


.
2. Click in the row of the campaign that you want to delete.

3. Click OK to confirm.
Delete an event

2. Click the campaign that contains the event you want to delete.
3. Click in the row of the event that you want to delete.

4. Click OK to confirm.
Mail Merge
Mail Merge templates define how records are inserted from RSA Archer into a Microsoft Word
document using the Mail Merge functionality. This functionality is particularly useful for conducting
iterative vendor assessments and SOX compliance reviews.
After creation of a Mail Merge document in Microsoft Word, users can export a record using this
Word document containing Mail Merge fields that display data from your application. The exported
file is formatted according to the layout of the Word document with the exception of attachments.
The attachment is inserted inline on a separate page. All attachments must be a Word (.doc or .docx)
document. All other file types are not supported and are ignored in the exported file.
Note: ".Data" represents the field data of an attachment, which is how the data is retrieved.
Create a report template document for Mail Merge in Microsoft Word

1. Use the Mail Merge feature on the Mailings ribbon tab within Microsoft Word to construct a
report template for use in the RSA Archer Mail Merge functionality.

Note: You must insert the alias from any RSA Archer field you want to merge into the
corresponding field in the report template in Microsoft Word. If you use the Quick Parts menu on
the Insert ribbon tab to insert a field, populate the Field name box under Field properties with the
alias.
2. Add the completed report template to a Mail Merge template within RSA Archer.
Available field types for Mail Merge

The following list shows field types that are available for Mail Merge.
l Attachment l Record
l Cross- Permission
Reference l Record Status
l Date l Related
l External Link Records
l Image l Sub-form
l IP Address l Text
l First l Tracking ID
Published l User/Group
l Last Updated l Values List
l Matrix l Voting
l Numeric
Alias and merge regions

Most objects in RSA Archer, such as applications, levels, and fields, have aliases associated with
them. Use these aliases when creating an export template for the Mail Merge Template
functionality.
Note: Refer to the Application Field Detail report in Master Report Listing within RSA Archer, and
then filter for Application Field Detail to list the alias for every field within an application.

Example: Merge regions syntax
The following table describes the merge regions syntax.

Fields Syntax
Cross-Reference, Related «TableStart:FieldAlias»«RelatedFieldAlias»

Record, and Sub-Form «TableEnd:FieldAlias»
Values List «TableStart:FieldAlias»«ValuesList»«TableEnd:FieldAlias»
External Links (with either a «TableStart:FieldAlias»«Name»«URL»«TableEnd:FieldAlias»

Name or URL)
Note: Replace FieldAlias with the field alias name. For example, the following statement contains
several aliases to fields in another application. Opportunity is the cross-reference alias to related
levels:
«TableStart:Opportunity» «Product_Name» «Product _Code» «Quantity» «Unit Price»

«Total_Price» «TableEnd.Opportunity»
Mail merge terminology

The following table defines mail merge terminology.
Term Definition
Alias A unique name that identifies an object or component, such as fields, applications,
solutions, workspaces, and iViews. Assign aliases to fields when creating the report
template in Word.
Exported The final output produced from a Export template with data merged from an
File application.
Export The Microsoft Word document that is uploaded to the Mail Merge template.
Template
Mail A feature of Microsoft Word used to create reports.

Merge
Mail An entity that serves as a report template. The template contains the Word document
Merge template and settings.
Template

Mail Merge Syntax

Certain field types must be specified using a merge region, which enables the field to dynamically
grow portions of the document. To specify a merge region, insert TableStart at the beginning of the
region and TableEnd at the end of the region. Mail merge regions can be nested inside of each other.
Templates are associated with and can reference fields from a level. To reference a field in an
adjacent level, use the Cross-Reference field as the Level Reference.
Syntax formatting
Press [Alt]+[F9] to display the syntax codes.
The following table lists syntax formatting.
Control Type Field Type Syntax Formatting
List Cross-Reference <<List:Cross_A_to_B>>
Drop Down Date <<Drp_Dwn_DateTime>>
Text Box Date and Time <<Txt_Box_DateTime>>
Text Box Date/Time - Date <<Txt_Box_DateTime>>
List External Link <<List:External Link>>
List External Link URL <<List:External Link>>
List External Link Name <<List:External Link>>
First Published.Date <<First_Published>>
First Published.User Name <<First_Published>>
First Published.Display Name <<First_Published>>
IP Address <<IP Address>>
LastUpdated.Date <<Last_Published>>
LastUpdated.UserName <<Last_Published>>
LastUpdated.DisplayName <<Last_Published>>
Numbered Matrix.Row <<List:Values_Checkbox>>
Numbered Matrix.Column <<List:Values_Checkbox>>
Numeric <<Numeric>>

Control Type Field Type Syntax Formatting
Numbered Rec Status <<List:RecStatusField>>
List Record Permissions <<List:RecPerm>>
Bulleted Sub-form <<List:A__SubForm>>
Numbered Sub-form <<List:A__SubForm>>
Text <<Text>>
Tracking Id <<TrackingID>>
List User/Group DisplayName <<List:UGField>>
Bulleted User/Group ID <<List:UGField>>
Numbered User/Group Type <<List:UGField>>
Drop Down Values List <<List:Values_List_Drp_Dwn>>
Voting <<Voting>>
Alias syntax
To reference a field that is in the primary level insert the alias of that field into the export template.
Other field types require a merge region. For fields that have multiple options, use the reference as it
applies to your template.
The following table lists alias syntax.
Field Syntax
Date «Drp_Dwn_DateTime»
«Drp_Dwn_Date_Only»
«Txt_Box_DateTime»
«Txt_Box_Date_Only»
External Link «List_ExternalLink»
IP Address «IPAddress»
«List:IPField»
Adding Mail Merge Templates

The mail merge template must be formatted with the proper formatting syntax.

To use the Mail Merge Template functionality for exporting a record, create a Microsoft Word
document that serves as the export template. The export template defines which fields are merged
and the order in which the fields appear in the exported file.
Word documents and templates for export templates
l .docx (Microsoft Word 2007 or 2010)
l .dotx (Microsoft Word 2007 or 2010)
l .doc (Microsoft Word 2000 or 2003)
l .dot (Microsoft Word 2000 or 2003)
Add a mail merge template

1. Go to the Manage Mail Merge Templates page.

b. Under Management Reporting, click Mail Merge Templates.

l To create a new mail merge template, click Create Original.
l To add a mail merge template from an existing one, click Copy Existing and select the
template that you want to copy from the Mail Merge Templates list
3. Click OK.
5. In the Options section, do one of the following to select the application for the template.
l For a flat application, select the application from the Application list.
l For a leveled application, select the application from the Application list and select the
correct level from the Level list.
6. In the Output Type field, select the document format for the Mail Merge output file: DOC,
DOCX, or PDF.
7. In the Report Template section, click Add New.
8. Click Add New to upload a file.
9. Select the file you want and click OK.

Adding Report Templates to a Mail Merge Template

Only one report template can be active at time. If the mail merge template has an existing report
template, it is replaced with the one you are adding.
Note: You can only upload Microsoft Word 2010 or 2007, or Word 2003 files (.docx, .dotx, .doc, and
.dot).

2. Select the mail merge template that you want to update.

3. In the Report Template section, click Add New.
4. Click OK to replace the existing report template.
5. Click Add New, and select the file you want to upload.
6. Click OK.
Assigning Access Rights to Mail Merge Templates

Access rights determines whether all users or only select users or groups have access to the mail
merge template. System administrators can assign create, read, update, and delete (CRUD) rights to
users for mail merge templates as appropriate.
1. Go to the Access tab of the Mail Merge template you want to modify.

c. Select the mail merge template.
d. Click the Access tab.


l To enable any user to have access to the template, select Public.
l To restrict access to only designated users and groups, do the following:
a. Select Private.
b. In the Available section, select the users and groups that you want to have access to the
template.
Changing the Status of a Mail Merge Template

Activating a template makes it public, while deactivating a template makes it invisible to users in the
list.
1. Go to the General tab of the Mail Merge template you want to modify.

c. Select the mail merge template.
2. In the Options section, in the Status field, select the status: Active or Inactive.
Deleting Mail Merge Templates

Important: Deleting a mail merge template is permanent. The data cannot be recovered once the
template is deleted.


2. In the row of the mail merge template that you want to delete, click .
3. Click OK.
Alias Names
Numerous operations in RSA Archer require references to objects—everything from solutions,
applications, and fields to individual values list values—to specify the target for a particular activity.
One example is mail merge, in which you must create templates with unambiguous references to
individual fields in an application. Another example is the process of mapping external data to fields
in the Data Feed Manager. To provide a constant name that is also human readable, all RSA Archer
objects, such as workspaces, applications, fields, and notification templates, support an alias.
An alias is a short name for a unique object in the system that is human readable, but also can be
used in code or as a reference in configuration processes. All aliases must contain only
alphanumeric characters, beginning with a letter and containing no spaces. The maximum length is
40 characters.
An alias must be unique in the entity type. The following are additional points of consideration:
l Field aliases must be unique in the level.
l Values List Value aliases must be unique in a Values List.
l Level, Data Driven Event, Report, and Workflow Stage aliases must be unique in an application.
You can edit the alias for non-system provided entities, but the alias for system-provided entities is
read only.
Important: Applications cannot be named ContentID. Applications with this name are automatically
changed to Content_ID.
CAUTION: Alias is used in configuration processes, system processes, and web service API
integrations. Modifying the alias can cause these functions to fail.

Chapter 14: Data Integration

You can use RSA Archer as a point of consolidation for enterprise data of any type for supporting
analysis and process management. RSA Archer is vendor neutral, content independent, and provides
the following integration methods for consolidating data from disparate enterprise systems for
governance, risk, and compliance management.
l Data imports allow you to import data into an application or sub-form from an external data file
on a one-time basis.
l Data feeds allow you to build dynamic integrations with external enterprise systems and files that
can run automatically on an on-going schedule.
l The RSA Archer Web Services API also offers you a programmatic interface for automating the
exchange of information between RSA Archer and an external application.
l Finally, data publications allow you to extract data from your RSA Archer system and load it into
external systems for data analysis and modeling.
Data Imports
Use the Data Import feature to import records into an application, questionnaire, or sub-form from an
external data file.
When you define a data import from the Administration workspace, you have access to all
applicable applications, questionnaires, or sub-forms. The access role must have Create, Read, and
Update rights for data import.
In addition to granting access rights to data import in Integration, you must also grant the user access
to the application and solution in Access Control so that the user can run the Data Import from the
Navigation Menu.
When a user runs a data import, a job is created and queued in the Job Engine. The job runs
asynchronously from the job queue.

Import considerations
The following table lists data import considerations.
Condition Consideration
Importing When importing data into a leveled application, you must import data of each level
Data Into separately, starting with the top data level. Each level must be imported from a
Leveled separate external data file. You can create these separate source files by exporting
Applications data from the leveled application that contains the data that you want to import. You
must export data one level at a time.
Importing individual columns into specific levels from a single master file creates
duplicate upper-level records and lower-level records which are not associated with
their parent records.
Your level-2 import file must contain:
l All the level-2 field values that you want to import.
l The unique values for a field in level 1 of the application, such as the Tracking
ID field.
Your level-3 import file must contain:

l All the level-3 field values that you want to import.
l The unique values for a field in level 2 of the application, such as the Tracking
ID field.
Mapping After selecting unique record identifiers in the Data Import Wizard, you must map
Imported fields from your import file to fields in your application or sub-form. To assist you
Data to in this process, the Step 2 - Identification page of the wizard provides a preview of
Application the first 20 rows of data in your import file.
Fields Note the following information before you begin mapping your import data:
l If you are updating existing records or importing sub-form entries, you must map
the field that you selected as a unique identifier to the appropriate field in the
field mapping grid or an error message is displayed.
l Import values for a Cross-Reference field must be key field values for the cross-
referenced application. If the values are not key field values, the importer cannot
link the records.
l The format for Cross-References field values in the import file must be
consistent.

Condition Consideration
Using Excel When using Excel as a .CSV editor, Excel may make unexpected changes when
as a .CSV you save your data file.
Editor Note the following types of information that may change in your files:
l Date Values. Excel converts date values to use its format. You can use this
feature to your advantage if you are pulling values in from disparate sources.
l Points of Precision. Excel manipulates decimal places to use its format.
l Quoted Strings. Excel uses quoted strings if they are necessary, and strips extra
ones if they are not.
l Cell Limitations. A cell in an Excel spreadsheet holds a finite number of
characters. If your .csv file exceeds this limit, saving it in Excel corrupts your
data.

Data requirements and import results

Some fields require specific data formats for successful imports. The following table provides
information on data import results and data requirements for various field types.
The following table lists data requirements and import results.
Field Type Requirement Behaviors
Cross CAST values can be specified If you are adding additional field values rather
Application only during an import update. than updating existing values with your data
Status CAST values are specified in import, this field is not available in the
Tracking the target/child application. Application Fields drop-down list on the second
(CAST) page of the Data Import Wizard.
Because a CAST value is
specific to two different records, Example: Updating implementation status of two
you must include unique
vulnerabilities
identifiers for both the parent
and the child record. The following table shows an example where
you want to update the Implementation Status of
two vulnerabilities on 10 assets. You need 20
rows of data and the asset identifier, vul-
nerability identifier, and status value.
Field Value
Asset Identifier IP Address or Asset
Name
Vulnerability BugTraq ID
Identifier
Status value Implemented
Cross- Import values must be key-field If you import values that are not key-field values
Reference values for the related for the related application, the data importer
application. cannot link records in the import application to
records in the cross-referenced application.

IP Address An IP Address value must be

formatted as four octets
separated by periods. Each octet
can contain one, two, or three
numbers.
The following is an example of
an import value for an IP
Address field:
1.160.10.240

Matrix Specify the column name and If you import a Matrix value that contains a
corresponding row value for column or row value that does not display in the
each column in the Matrix field. application Matrix field, that column or row is
Separate column names and row added to the Matrix field.
values with a comma.
Example: Import value for a matrix field
Separate column and row pairs
with a semicolon. Maintenance Burden, Low; Portability, Medium;
Power Consumption, High
In this example, the column names are:
l Maintenance Burden
l Portability
l Power Consumption
The corresponding row values are:

l Low
l Medium
l High
If you do not want additional columns or rows to

be added to your Matrix field during a data
import, ensure that your external data file only
includes Matrix values that appear in your
application Matrix field.
For CSV (comma delineated) files, you must
group all of the Matrix Data together using the
configured Field Value Quotes, or you must
change the field delimiter to a different value.

Numeric Ranged Numeric field: Values outside of the defined range will not
l Values must be within the display when users execute record searches
defined ranges of the field. using numeric-range filters.
l Values must be within the

minimum and maximum value
defined for the numeric field,
or an error is reported.
l Values that exceed the
maximum number of decimal
places of a numeric field are
rounded to meet the field
requirements.
l Values with fewer decimal
places than the minimum
number of decimal places
allowed in the Numeric field
are padded with zeros, for
example, 4.22000.
Record If you import an empty value into a Record

Permissions Permissions field, the field is empty in the new
or updated record, even if the field is configured
with one or more default values.
When no value is selected in the Record
Permissions field, the only users who have
access to the record are those who are assigned
the System Administrator access role, and those
who are assigned as owners of the application.
Sub-Form During the import process, the

actual sub-form storing the data
from the data import must be
active.
Text This field is updated regardless of the content of

your data import.

User/Groups Users are identified using last_ If there is more than one user or group with the
List name, first_name, middle_name same value (name), the first one (based on the
format. Groups are identified by system ID) is used.
their name. Multiple values are separated with the
secondary delimiter specified on the first page of
the Data Import Wizard.
If you try to import a user or group that is not a
valid selection among the User/Groups List field
values list, an error is reported.
If you import an empty value into the
User/Groups List field, the field is empty in the
new or updated record, even if the field is
configured with one or more default values.
Values List If you import a value into a Values List field that
is not included in the values list of the field, the
value is added to the values list.
If the values list is global, the imported value is
displayed in the global values list for all fields
configured to use it.

Supported field types for data imports

The following table lists the field types that are supported for data imports.
Field Type Sub-Form Field Type
l Cross-Application Status Tracking (only available l Cross-Reference

for import updates) l Date (unless the field is configured as a
l Cross-Reference calculated field)
l Date (unless the field is configured as a l IP Address
calculated field) l Numeric (unless the field is configured
l External Links as a calculated field)
l IP Address l Text (unless the field is configured as a
calculated field)
l Matrix
l User/Groups List
l Numeric (unless the field is configured as a
calculated field) l Values List (unless the field is
configured as a calculated field)
l Record Permissions (only if the field is configured
to allow manual selection)
l Related Records
l Sub-Form
l Text (unless the field is configured as a
calculated field)
l User/Groups List
l Values List (unless the field is configured as a
calculated field)
Unsupported field types for data import

The following field types are unsupported for data imports:
l Access History
l Attachment
l Discussion
l First Published Date
l History Log
l Image
l Last Updated Date

l Multiple Reference Display Control

l Record Status
l Scheduler
l Tracking ID
l Voting
Preparing for Data Imports

Before you begin the data import process, examine both your external data file and the component
(application, questionnaire, or sub-form) into which your data will be imported to ensure the
following conditions are met.
Rules for delimited file formats

l The file is a delimited-values data file. Identify the primary and secondary delimiters used in your
data file prior to the data import.
l The import file is a flat file, delimited-values data file. A flat file contains all data in a single
table and does not include any hierarchical structure.
l Each row is equal to one record, and field values are separated in each record by a comma, tab,
or other designated character.
l If your file contains multiple values in individual fields, those values are separated with a
secondary delimiter, such as a semicolon or pipe (|).
l If your Field Delimiter is a character that appears in individual field values, for example, a
comma that separates text strings, the system reads those characters as delimiters and separates
the field data that comes before and after the commas into two separate field values. Do one of
the following to ensure that this does not occur:
o Use single or double quotes to enclose field values in your data file, for example, "Server,
Router." Characters enclosed in quotation marks are not interpreted as delimiters.
o Choose Field and Values Delimiters for your data file that do not occur anywhere in your field
values. The pipe (|) and circumflex accent (^) characters are good examples of uncommon
characters that work well as delimiters.
l The application contains all necessary fields before you begin the import process. Importing data
into an application copies data from an import file into existing fields, but does not create any new
fields.
l The fields from your external data file match the fields in the application. The system
automatically maps import fields to application fields when they have the same name.
l All fields from your external data file that will be mapped to a required field include a value for
that required field.

l The import file has a consistent format for date and time values. Note the separator that is used
between the date and time values and between the time and the AM/PM designation.
Rules for importing into leveled applications

l If you are importing data into a leveled application, create a separate external data file for each
level. You import the data of each level separately, starting with the top data level.
l If you are importing data into an application that contains a sub-form, create a separate external
data file for your application records and your sub-form entries.
o You must import application records and sub-form entries separately.
o The sub-form data file must contain unique field values from the application records, such as
Tracking ID values, so the sub-form entries can be appropriately mapped to the application
records where they will reside.
Important: If you are importing data that uses a double-byte character set, such as Japanese, the
alias of each field must be set to a single-byte character set, such as English.
Task 1: Enable end users to perform data imports

You must have rights to the Access Control feature. If you do not, contact your RSA Archer
administrator.
1. Go to the Navigation Menu tab of the application that you want to update.

2. Select the Show Item check box next to the menu item you want appear.
3. Click Save.
4. Go to the Rights tab of the Access Roles you want to update.


d. Click the Rights tab.
5. From the Application list, select the application that you just configured to display the Data
Import link in the Navigation Menu.
6. On the application Data Import page, select Read, Create, and Update.
Important: You must also grant access rights to the solution, for example, Policies. The access
role must include Create, Read, and Update rights to the Content Record and Data Import, for
example, Policies: Content Record and Policies: Data Import.

Task 2: Create and export a source file

Create separate source files by exporting data from the leveled application that contains the data that
you want to import.
1. Open the leveled application into which you want to import data.
2. Run an advanced search for level-1 fields.
3. Export the results and then save to a location on your local drive.
4. From the same application, run another advanced search and select the following:
l Level-2 fields
l A field from the first data level to include in your search results. This associates your level-2
records with your level-1 records. Values for the level-1 field must be unique for each record.
5. Export the results and save to a location on your local drive.
Importing Data Through the Data Import Wizard

After you have prepared your external data file and your application, questionnaire, or sub-form for
data import, you can begin the import process using the Data Import Wizard. The wizard asks you to
select your data file, configure import options, and map import data to application fields.
Task 1: Access the data import wizard
1. Go to the Manage Data Imports page.

b. Under Integration, click Data Imports.
2. Select the application, questionnaire, or sub-form to which you are importing data.
Task 2: Select the data file and import options
1. Go to the Manage Data Imports Page.

b. Under Integration, click Data Imports.
2. Click for the Data Import you want to view.

3. In the Import File field, do one of the following:
l Enter the source file name.
l Click Browse to select the source file.
a. Click Add New.
b. Select the file you wish to import.
c. Click OK.
Note: If you make changes to the source file after uploading it to the Data Import Wizard, you
must upload the file again before initiating the data validation and import process.
4. In the Format Options section, select the field, values, and escape delimiters.
l If the field delimiter for your import file is a character other than a comma or a tab, enter the
correct character in the Other field.
l If the values delimiter for your import file is a character other than a semicolon or pipe (|),
enter the correct character in the Other field.
l If the escape delimiter for your import file is a character other thank a backslash, enter the
correct character in the Other field.
5. In the Locale field, select the locale language of the input file.
6. In the Header Row field, do one of the following:
l If the first row of data in your file contains field names instead of actual record data, select
File Contains Header Row.
l If the first row of data in your file contains actual record data, select File Does Not Contain
Header Row.
7. In the HTML Formatting field, indicate whether fields in your data file contain HTML
formatting.

8. In the Advanced Options section, complete the fields for specifying advanced import options,
including how to determine if your data fields contain field value quotes and if you desire to send
a notification for each record created and updated after the import cross has completed.
Question Available Options
Are any field If yes, select the double quotes or single quotes option. If you have none,
values quoted in than select none.
your data file?
Should imported If notifications are enabled for the application into which you are
records be allowed importing data, you can select to send notifications for your imported
to trigger records.
notifications? If you are importing a large number of records, triggering a notification
email for each record may produce a heavy load on the email accounts of
users who are subscribed to a notification template for the application.
How should If you select to replace existing cross-reference values, the existing data
existing references in the application is replaced with the data from the import file. Data
be handled? existing prior to the import process is removed.
If you select to append cross-referenced data, the system leaves all
existing values in the record intact and adds new cross-reference values
from the data file to the records.
9. Click Next.
Task 3: Select unique record identifiers

The steps for selecting unique record identifiers vary depending on the type of data import you are
performing.
1. Begin on the Step 2 - Identification page of the Data Import Wizard.
2. In the General Information section, select one of the following options.
l Create New Records. If you are importing new records, existing records in your application
remain unchanged. The new records are added to the existing population of records in the
application.
l Update Existing Records. If you are updating existing records, the system examines them.
When there is a match between a record in your application and record in your external data
file, the existing record is updated with the imported record. If your external data file contains
records that do not match any records in your application (according to the unique record

identifier that you specify), those unmatched records are added as new records in your
application.
3. If you are updating existing records with your data import, under Import Field Mapping, do the
following:
a. In Application Field(s), click the drop-down menu.
b. Select one or more fields whose values serve as the unique record identifier.
This allows the Data Import Wizard to match records in your external data file with records
in the application, questionnaire, or sub-form.
Note: Some Data Imports will have required Application Field(s). In these instances, when
attempting to click Next a text box appears with information on which Application Field(s)
still need to be selected.
Task 4: Map import data to application fields
Note: You cannot map to Related Records fields if the key field type in the other application is
Application ID. Changing the key field type to System Tracking ID allows the mapping of Related
Records fields in the application into which you are importing data.
1. Begin on the Step 2 - Identification page of the Data Import Wizard.

2. In the Import Type field of the General Information section, select the file type.
3. (Optional) In the Application Field(s) select the fields for update.
4. In the Import Fields Mapping section, do one or more of the following:
l To map imported fields, select the corresponding field in the Application Fields drop-down.
l To specify not to import one or more columns of data from your import file, select Do Not
Import from the corresponding columns in the Data Import Wizard.
l To update existing records or to import sub-form entries, map the field that you selected as a
unique identifier to the appropriate field in the field mapping grid.
5. (Optional) If you have mapped a Date field in the import file to a Date field in the application,
specify the format for date and time values in the import file.
6. Click Next.
Task 5: Initiate data validation and import

1. Review the Data Import Wizard Settings.
2. Make any necessary corrections. and begin the import process again (starting on the first page of
the Data Import Wizard).

3. Click Import.
Important: Do not close this window or log off from the system during this stage of the import
process. Doing so causes adverse results.
4. (Optional) If additional errors are found, go back and correct them as necessary and click import
again.
5. When the import is completed successfully, click Continue.
Reviewing Job Queues

Complete this task to view the Review Job Queues page which lists the current status of data
imports for RSA Archer.
1. Do one of the following to navigate to the Review Job Queues page:
l As an RSA Archer Administrator:

b. Under Integration, click Review Job Queues.
l As an End User:
From the menu bar, click the System menu and select Data Import History.
2. Locate the data import that you want to view.
3. Click to display the Run Detail dialog box for that data import.
Troubleshooting Data Imports

RSA Archer validates the imported data and reports any errors. If errors are found, RSA Archer
terminates the import process. You must correct the errors in your data file before attempting the
data import again (starting on the first page of the Data Import Wizard). The Wizard can report up to
100 errors. If your data file contains more than 100 errors, they are not all reported.
The following table describes potential errors and resolutions.
Error Description Resolution
All unique If you are importing new sub-form records, you Verify that the unique
identifiers must map the fields that you selected to serve as identifiers are correctly
must be the application unique identifier to the mapped.
mapped for corresponding fields in the field mapping grid.
insert

All unique If you are updating existing master or sub-form Verify that the unique identifier
identifiers records, you must map the field that you selected is accurately mapped.
must be to serve as the application's unique identifier to
mapped for the corresponding field in the field mapping grid.
update.
Column Your external data file contains a value that does Change the value in your data
mismatch not match the data type of the field to which the file to match the data type
value is mapped. required by the field to which
you are mapping the value.
Could not Occurs if your external data file contains a group Do one of the following:
locate group value that is not a group value established in the l Change the group value in
name system. your data file so that it
matches a group in the
system
l Add the group from your data
file to the system from the
Manage Groups page in the
Access Control feature.
Date does Your external data file contains a date that does Reformat the date value so that
not match not match the date format that you have specified it matches the format that you
expected for the import. selected in the Data Import
format Wizard.
Field is Your external data file is missing one or more Enter the required values in
required values for a required field. your import file or change the
field in your application so it is
no longer a required field.
Field Your external data file is missing a value for a Enter the required value in your
requires a Values List field that requires a selected value. data file or change the field in
selected your application so that it no
value longer requires a certain
number of value selections.
Imported Occurs if you are importing sub-form data, and Select a unique field value from
subform the field from the parent record that you selected the parent record to serve as the
record as the unique identifier contains non-unique data. application unique record
cannot have identifier.
multiple
parents

Invalid IP Your external data file contains a value for an IP Reformat the value.
Address Address field that is not correctly formatted.
Invalid key Occurs if you are updating records with a Cross- Ensure that the identifiers are
(s) for cross Application Status Tracking (CAST) field and do valid and unique.
application not specify valid, unique identifiers for the
status field parent-application and child-application records
for associated with the CAST field.
application
Invalid Your external data file contains a value for a Reformat the value correctly.
matrix Matrix field that is not formatted correctly.
format
Invalid Occurs if you are importing a value into a Change the value in your
number Numeric field that contains alphabetic external data file so it contains
characters. only numeric characters.
Invalid Occurs if you are doing an import update, and the Change the value in your data
tracking ID Tracking ID field in your external data file file so that it is a valid, unique
contains a value that is not a valid tracking ID for tracking ID for the import
the application into which you are importing. The application.
tracking ID value may not exist in the system, or
it may be a valid tracking ID for another
application.
Multiple Occurs if more than one field from your data Ensure that your application
columns are import file is mapped to the same application fields are mapped to different
mapped to field. If you are performing a sub-form data fields and that the import data
the same import, a field from your data import file may be fields are mapped to the sub-
field mapped to the same field as the parent record. form fields.
Number is Occurs if you are importing a value into a Examine the Numeric field in
larger than Numeric field that is above the maximum value your application to determine
maximum allowed for the field. the maximum value it allows
value and change the value in your
data file to fall at or below that
maximum value.

Number is Occurs if you are importing a value into a Examine the Numeric field in
smaller than Numeric field that is below the minimum value your application to determine
minimum allowed for the field. the minimum value it allows
value and change the value in your
data file to fall at or above that
minimum value.
Too many This error can occur:

cross l If a record in your external data file contains l Examine the Cross-
references more values for a Cross-Reference field than Reference field in your
the maximum number of value selections than application to determine how
that field allows. many values can be selected
l If the key field for the cross-referenced for the field, and reduce the
application is not unique and your Cross- number of values in your
Reference field maps to one of the non-unique data file so that they fit
values. within that limit.
l Verify that the key field of
the cross-referenced
application is unique.
Unsupported Occurs if you are importing new records and Select Do Not Import from the
import type attempt to import data into a Tracking ID field. list for the Tracking ID field in
the field mapping grid.
Unsupported Occurs if you are updating records with your data Select a field type for the key
link type import and you select a field type for the key field that can serve as the key
field that cannot serve as the key field for a field for a record.
record. Examples of field types that cannot serve
as the key field for a record include:
l Last Updated Date
l Record Status
l Related Records

Data Feeds
Data Feed Manager is a flexible, code-free tool for aggregating data in RSA Archer. Use the tool to:
l Configure multiple, dynamic data feeds, and manage those feeds without relying on programming
resources.
l Build and configure dynamic integrations with external enterprise systems and files. From Data
Feed Manager, you can build a transport path between RSA Archer and an external source and
then map the data from that source to an existing target application or questionnaire in RSA
Archer.
l Configure the data feed to run on a schedule. After the initial configuration, the data feed
executes automatically with no need for you to intervene.
You can integrate data using Data Feed Manager for:

l Network and asset discovery data
l Vulnerability scan results
l Performance scorecards
l Incident reports
l Audit results and recommendations
Because RSA Archer is vendor neutral and content independent, you can use RSA Archer as a point
of consolidation for enterprise data of any type for supporting analysis and process management.
With a centralized view of data from point solutions, databases, spreadsheets, and other sources, you
can access content more easily that is relevant to your job functions. Re-purpose data to support a
variety of business processes.
A data feed must be both active and valid to run. As you configure your data feed, Data Feed
Manager validates the information for you. If it is not valid, an error message appears. You can save
the data feed and correct the errors later. However, the data feed does not process until you have
corrected the errors and the data feed validates.
Data feed types
Important: To avoid potential conflicts with other data feeds, RSA suggests that you use a different
user account for each data feed. Additionally, if you plan to run multiple data feeds simultaneously,
create a unique name to prevent termination of session tokens.
Data Feed Manager supports standard and transport data feeds.

The following table describes each type of data feed.

Feed
Description
Type
Standard Brings data from an external source into an application or questionnaire. This data feed
type requires that you:
l Define the fields and data format
l Map the fields in the source file to the target
l Perform a report-based search for an application or questionnaire that contains the
source data that you want to import into another application or questionnaire.
l Set up a user account as a Service account, which means this user account has all
necessary permissions to execute the data feed.
You can specify the following:

l Whether to send subscription notifications to specified users or groups when records
are modified.
l Whether to send a notification to specified users or groups when a data feed job
completes, identifying a successful or failed completion.
l The locale format of your source data. For example, different characters might be
used to indicate a decimal place.
Transport Locates a separate data file that contains additional instructions for launching
Only subsequent, standard data feeds.
l Ensure that a user account for the data feed and a target path for the separate data
file exist, but no additional data configuration.
l Create a unique name when running multiple data feeds simultaneously to prevent
termination of session tokens.
Data feed transporter types

The Data Feed Service (DFS) architecture accommodates the definition of various data retrieval
mechanisms.
The following table describes the out-of-the-box transporters.
Transporter Description
Archer Web Accesses the Web Services API and retrieves data from an instance of RSA
Services Archer. This transporter is used in Archer-to Archer data feeds.

Transporter Description
Database Returns results using an SQL query.

Query
DeepSight Uses the v2 Symantec web service to retrieve vulnerabilities threat feed data.
2.0 This transporter will soon become unusable because of deprecation by Symantec.
For DeepSight v4 data feeds that are available on the RSA Archer Community on
RSA Link, use the DeepSight 4.0 transporter.
DeepSight Uses the v4 Symantec web service to retrieve security risk and vulnerability
4.0 SCAP data feeds.
File Retrieves delimited data files, including support for multi-file manifests.
FTP Retrieves data files using the FTP protocol.
HTTP Executes a GET or POST to retrieve data from an HTTP or HTTPS site.
iDefense Retrieves vulnerabilities and geopolitical threat feed data.
JavaScript Executes a user-provided JavaScript file. If the result of that execution is a data
set, it is transformed and processed into the platform as normal.
Mail Monitor Retrieves content from monitored email accounts.
RSS Retrieves records from a configured RSS feed.
Supported and unsupported field types for data mapping

Supported Field Types
l Attachment
l CAST Detail
l Cross-Reference
l Date
l External Links
l Image
l Internal Reference
l IP Address
l Matrix
l Numeric

l Related Records
l Sub-Form
l Text
l User/Groups List
l Values List
Unsupported Field Types

l Access History
l CAST Score Card
l Discussion
l History Log
l Last Updated Date
l MRDC (Must be populated through reference fields.)
l Record Status
l System-generated Related Record that points to a Questionnaire
l Voting
Schema sources
The source for the schema of your data feed depends on which transporter you are using. The
following table identifies and describes the schema sources that are available for each of the out-of-
the-box transporters.
Important: The process of loading a source definition for a data feed times out at five minutes. You
may want to consider using a smaller set of source data when you set up the feed.
Source Description
Execute Executes the search in RSA Archer and detects the source schema from the results.
Search Recommended approach for an Archer-to-Archer data feed. Loads the source fields
directly from the report. When using this scheme, complete all required information on
the Transport and Navigation tabs.

Source Description
Execute Executes the query specified on the Transport tab and detects the source schema from
Query the resulting record set.
Using this option may trigger actions in the database associated with this query.
Sample Uses a skeleton of your actual source data file. For example, if you are importing data
File from a .csv file, the source data file is a .csv file that includes the column names from
your source data. If you are importing data from an .XML file, the source data file
includes the structure of your .XML without the actual field values.
When you select the sample file, the Source Fields section populates with the fields
specified in the sample data file.
For the Archer Web Services Transporter, select a file from an external location that
contains the data in a same format as the report format.
Load Loads the contents at the target URL and detects the source schema from the contents.
URL Using this option may trigger actions associated with accessing the target URL.
Standard Uses the standard mail schema.

Schema
Updating locked records

RSA Archer has an important feature that prevents the updating or altering of a locked record. A
record becomes locked when a user has opened it in Edit mode for the purpose of modifying it.
However, it is important to note that records can be updated through the RESTful and Web APIs, as
well as through data feeds, even when a user has locked them. The following are examples of
typical APIs that can update user-locked records:
l PUT content (RESTful )
l UpdateRecord (Web Services)
l UpdateRecords (Web Services)
Unique identifiers
A unique identifier is a field, or a combination of fields, whose values in individual records are
different from all other records, thereby uniquely identifying the record. A compound unique
identifier means that all fields in the key must match the fields in the target application in order for a
match to occur.

By establishing a unique identifier, you instruct the Data Feed Manager on how to update existing
data in the application or questionnaire from the matching source data. After setting the order of the
key fields, the Data Feed Manager scans the data source for matches to each unique key in the
specified order. If any key is found to match the field in the target application than the record is
considered matched. If no match is found, the Data Feed Manager creates a new target application
or questionnaire record.
For example, you can select an IP Address field in a record to be your unique identifier. If a data
source record has a matching value for the target application field, the source record data updates
the target application record data. If no match is found, the data feed creates a new application
record.
Note: Matching logic includes text formatting when matching the key fields in the data feed source
to a record in the RSA Archer database. When a data feed has two records with the same text, but
with different formatting tags, the records are distinguished as separate records.
Fields that act as unique identifiers for your data feed do not have to be the same as the key fields
for your target applications or questionnaires.
The following table lists the field types from a target applic-
ation or questionnaire that can be selected as unique iden-
tifiers.
Text-Based Field Types List-Based Field Types
Text Values Lists
Numeric Record Permission
Date User Groups
IP Address Sub-form Fields
Tracking ID ("System ID" only)
Note: You can only use the Tracking ID field as a key field if it is configured as System ID. If
configured as Application ID, it is not available for use as a key field.
When selecting cross-reference or related records fields as unique identifiers, you must select a
field from the related application matching one of the above field types. For example, if you select
the Vulnerabilities cross-reference field, which cross-references the Vulnerabilities application, in
an Assets application, you also select a qualifying field from the Vulnerabilities application to serve
as a unique identifier.

Matching criteria for unique identifiers

The following table describes the matching criteria for unique identifiers.
Option Description
MatchExact Specifies that data source field must match the unique identifier value exactly for
the target record to be updated. If the match is not exact, a new record is created.
For example, if a data source field has a value of "Renee Jones" and a mapped
application field that is specified as a unique identifier has a value of "Renee Ellen
Jones," the target application record is not updated because it is not an exact match.
MatchAny Specifies that the source data must match at least one condition in the list-based
field for the target record to be updated.
For example, if a target application record has the values Blue and Green selected
in the field specified as the unique identifier, and the mapped field in the source data
includes only the value Blue, the record is updated because at least one of the
values matches.
MatchAll Specifies that the source data must match all of the conditions in the list-based field
for the target record to be updated.
For example, if the target application record has the values Blue and Green selected
in the field specified as the unique identifier, and the mapped field in the source data
includes the values Blue and Green, the record is updated. However, if the source
data includes only the value Blue, the record is not updated. A new target
application record is created instead because there is not a complete match.
Data feed communication

The Data Feed Manager can be configured to retrieve or receive data from various external data
sources using a variety of transport protocols. When given the option, RSA recommends that you
select secured versions over unsecured versions.
To strengthen data feed security, RSA recommends that the Data Feed Manager require data feed
paths to be specified as relative paths.
Note: Relative path entry is set up as the default starting with RSA Archer 6.0. Because the setting
is not updated automatically on systems upgraded to version 6.0, RSA recommends manually setting
the requirement on upgraded systems.

Generating the Run Detail Report

The Detail report displays statistical details of the data feed run and includes descriptive messages
and the locations of any problems that may have occurred.
Display the Run Detail report
1. Go to the Schedule tab of the data feed that already been run.

b. Under Integration, click Data Feeds.
c. Select the data feed.
d. Click the Schedule tab.
2. In the Immediate Processing section, click Run Detail.

3. Review the report.
4. To close the report, click OK.
Statistics
The following table describes each element.

Element Description
Status Indicates the status of the data feed:

l Running - The data feed is in progress.
l Completed - The data feed has finished successfully.
l Faulted - The data feed did not complete because of
an error.
l Warning - The data feed finished, but it contains
warnings.
l Terminating - The data feed is in the process of
shutting down, either because of a user termination
or a failure.
l Terminated - The data feed has shut down.
l Pending - The data feed is in the queue, but has not
yet been started by the Job Engine Service.
Source Rows Indicates the number of rows processed in the data

feed.

Element Description
Modifications Indicates the number of target, sub-form, and child

records created, updated, and deleted, and also how
many records the data feed failed to process.
Messages
The following table describes each element .

Element Description
Message Indicates the nature of the problem.
Type Indicates the message type.
Date Indicates the date and time when the error occurred.
Row Displays the number of the row in which the error

occurred. This row is numbered starting from the first
row of actual data, not from the header row.
Location Displays the name of the source file processed and the
position of the character in question. For example, (3,
17) indicates the 3rd row, numbered this time starting
from the header row, and the 17th character in the row.
Running Data Feeds Now

The Run Data Feed Now option only runs the current data feed. This option does not force a data
feed referenced in another feed to run immediately.
1. Go to the Schedule tab of the data feed that you want to run.

2. In the Run Data Feed Now section, click Start.

Viewing the Execution History for Data Feeds

The Execution History page contains the following information:
l Name of the data feed
l Description of the data feed, if one has been provided
l Status of the data feed
l Start date and time of the data feed
l Date and time the data feed last completed an update
l Number of source rows processed
View the execution history of a data feed

1. Go to the Manage Data Feeds page.

2. Locate the data feed for which you want to view the Execution History.
Data Feed Tokens

Use data feed tokens to:
l Specify a value that is not known until the data feed runs (such as the File Information tokens).
l Modify parameters in certain feeds (such as the HTTP Transporter tokens).
l Configure the behavior of a data feed (such as the General tokens).
File Information Tokens
All tokens are case-sensitive and must be entered as indicated so that the token is recognized by the
data feed. Tokens are identified by including curly braces around the token, for example,
{TokenName}.
Example: File Information token
{DataFileDirectoryName}\success\{DataFileName}_{Now(yyyyMMddhhmmss)}.
{DataFileExtension}
In this example the File Information token:

l Renames a file by including the current date and time to the file.
l Moves the file to a subfolder of the folder where the file is currently located (the subfolders name
is “success”).
System tokens
The following table describes the system tokens.
Token Value Description
DataFileDirectoryName Text Returns the name of the directory.

l When used for the PostProcessing - Local Copy section,
the directory name refers to the working directory for
the temporary file created by the Data Feed service.
l When used in all other places, the token refers to the
source directory name.
DataFileName Text Returns the name of the data file without the extension.
DataFileExtension Text Returns the extension of the data file.
DataFileFullName Text Returns the information from the previous three tokens
combined. This token is the simplified version of
{DataFileDirectoryName}\{DataFileName}.
{DataFileExtension}

Now Current Returns the current system time. Formatting can be applied
Date/Time if desired. The default formatting is MM.dd.yyyy.
Example: Time token
On August 25, 2015 at 8:15:45PM, the token {Now}
(yyyyMMdd_hhmmss) returns the value 20150825_081445.
Common formatting options:
The following table describes common formatting options.

Format
Description Examples
Specifier
d The day of the month, 6/1/2009 1:45:30
from 1 through 31. PM -> 1
6/15/2009
1:45:30 PM ->
15
dd The day of the month, 6/1/2009 1:45:30

from 01 through 31. PM -> 01
6/15/2009
1:45:30 PM ->
15
h The hour, using a 12-hour 6/15/2009

clock from 1 to 12. 1:45:30 AM -> 1
6/15/2009
1:45:30 PM -> 1
hh The hour, using a 12-hour 6/15/2009

clock from 1 to 12. 1:45:30 AM ->
01
6/15/2009
1:45:30 PM ->
010

Format
Specifier
H The hour, using a 24-hour 6/15/2009
clock from 0 to 23. 1:45:30 AM -> 1
6/15/2009
1:45:30 PM ->
13
HH The hour, using a 24-hour 6/15/2009

clock from 00 to 23. 1:45:30 AM ->
01
6/15/2009
1:45:30 PM ->
13
m The minute, from 0 6/15/2009

through 59. 1:09:30 AM -> 9
6/15/2009
1:09:30 PM -> 9
mm The minute, from 00 6/15/2009

through 59. 1:09:30 AM ->
09
6/15/2009
1:09:30 PM ->
09
M The month, from 1 6/15/2009

through 12. 1:45:30 PM -> 6
MM The month, from 01 6/15/2009

through 12. 1:45:30 PM ->
06
s The second, from 0 6/15/2009

through 59. 1:45:09 PM -> 9

Format
Specifier
ss The second, from 00 6/15/2009
through 59. 1:45:09 PM ->
09
t The first character of the 6/15/2009

AM/PM designator. 1:45:30 PM -> P
tt The AM/PM designator. 6/15/2009

1:45:30 PM ->
PM
yy The year, from 00 to 99. 1/1/0001

12:00:00 AM ->
01
1/1/0900
12:00:00 AM ->
00
1/1/1900
12:00:00 AM ->
00
6/15/2009
1:45:30 PM ->
09
yyyy The year as a four-digit 1/1/0001

number. 12:00:00 AM ->
0001
1/1/0900
12:00:00 AM ->
0900
1/1/1900
12:00:00 AM ->
1900
6/15/2009
1:45:30 PM ->
2009

General tokens
General tokens modify the default behavior of data feeds.
The following table describes the general tokens.
VerboseLogging Boolean When this token is set to true, Verbose

Logging is turned on during the current
execution of the data feed.
This setting temporarily turns on Verbose
Logging for the entire system, not only for the
data feed process.
CrossReferencesMode LinkOnly When this token is set, the data feed process
does not update content in any cross-reference
fields. The data feed updates the link between
the two applications.
Using this token can improve the performance
of the data feed.
RelatedReferencesMode LinkOnly When this token is set, the data feed process
does not update content in any related-record
fields. The data feed updates the link between
the two applications.
Using this token can improve the performance
of the data feed.
MergeFiles Boolean When this token is set to true, XML files are
merged together before running the transform.
This token executes the transformation against
the entire source data set.
Example: The transform is written to eliminate
duplicates. By merging all XML files before
running the transform, all duplicates are
eliminated from the entire data set.

ExecuteCalcs Boolean By default, calculated fields that are affected

by the changed content are recalculated. Set
this token to false to not automatically refresh
the calculated field values.
Although setting this value to false can
significantly improve performance, use this
token with caution. When set to false, the
calculated fields must be refreshed manually.
The easiest way to manually recalculate a
field is to select the Launch Full Recalculation
button in Application Builder > Manage
Applications > Calculations. The manual
recalculation must be done for every
application in which content is updated by the
data feed.
LastFileProcessed Text Name of the last source file that was

processed in the last execution of data feed
job. This value is read-only and will be
overwritten at the end of every data feed run.
LastRunTime Date/Time Date and time is the last execution completed.

One use for this token is to process deltas of
the source content. For example, when running
a Database Query Transporter, this token can
be included in the WHERE clause of the query
string to only include records from the source
database that were inserted or updated since
the last time the data feed was run.

PreviousRunContext Text Note: This token is only used with the

JavaScript Transporter. If you set this token
for any other transporter type, it is an unused
token.
Use the PreviousRunContext token to provide

contextual information about a previously run
data feed.
If you assign a value to this property, it will be
available as an input the next time the feed
runs. If you do not provide a value, the system
clears the existing saved value.
To set this token within your JavaScript file,
add a previousRunContext parameter to the
callback. For example:
callback(null, {
output: myData,
previousRunContext: "My context here"
});
Note: As a best practice, RSA recommends

running the data feed often, using this token to
store where you left off, and then limiting the
amount of data in any one feed.
Important: The PreviousRunContext token

has a maximum length of 256 characters.

BatchContentSave Integer Use the BatchContentSave token to upload

large amounts of content records in batches
through a data feed. RSA recommends setting
this token value to 1,000 for the batch size.
Under the following conditions, the
BatchContentSave token is not applicable, and
the data feed reverts to normal operations:
l Target is a questionnaire.
l Target uses workflow or advanced
workflow.
l Target field mappings include CAST field
details.
l Target field mappings include data points
within a questionnaire. Linking functions as
expected.
l Token value contains a non-numeric value.
l Token value exceeds 5,000.
Note: If the data feed reverts to normal

operations, a warning message displays in the
Messages section of the Run Detail page.
The following conditions allow the

BatchContentSave token, but content changes
made with this token behave slightly
differently than a regular feed:
l Campaigns within questionnaires that target
the application do not recognize changes to
trigger on assessment.
l Target applications that include a field
using trending do not see the changes on the
trending display.
l Content changes made by data feeds with
the BatchContentSave token are not
captured within any RSA Archer History
Logs. However, the updates are noted

within the Field Audit History information.

l Notifications for Data Driven Event (DDE)
reminders still run normally, but non-
reminders are not triggered
EnableBatchContentSaveHistoryLog Boolean Use the EnableBatchContentSaveHistoryLog

token to enable the history log when the
BatchContentSave token is in use.
Note:When the batch content save history log
token is enabled, the cross reference and
related record fields are not updated in the
History Log.
Connection and transmission timeout tokens

The following table describes the connection and transmission timeout tokens.
ConnectionTimeout Integer The number of seconds the transporter will wait for the other site
to respond to the request.
TransmissionTimeout Integer The number of seconds the transporter will wait for all the
information to be transmitted.
These tokens change the timeout limits for the following transporters:
l Archer Web Service Transporter
l HTTP Transporter
l FTP Transporter
l RSS Transporter
l iDefense Transporter
l Database Query Transporter
Note: The Database Query Transporter only supports the TransmissionTimeout. Specify the
connection timeout in the connection string.
Connection string tokens

The configuration file stores the connection string information in plain text. If you do not want the

password to be stored in plain text, use the {password} token to encrypt the password. You can also
encrypt the username by using the {username} token. Although, it is not as critical as encrypting the
password because the username is not hidden when it is entered and is stored in the database as
plain text.
The following table describes the connection string tokens.
Token Description
username User name used to access the source database.
password Password used to access the source database.
Example:
Threat feed tokens

The following tokens modify the settings for the Deepsight (Symantec) and iDefense Transporters.
The following table describes the thread feed tokens.
Token value Description
SymantecSequenceNumber Numeric Do not modify this token.

Used by Symantec only. This token tracks the last
sequence number processed by the data feed. The
sequence number is used to identify downloadable content
from Symantec. Providing this sequence number to
Symantec when requesting threat information ensures the
previously receive content is not received again.
IDefenseFromDate Date Do not modify the date.

Used by iDefense only. This token tracks the date of the
last processed alert. The date is used to identify
downloadable content from iDefense. Providing this date
to iDefense when requesting threat information ensures
that previously received threats are not received again.
IDefenseLastProcessed Text Do not clear the value unless the IDefenseFromDate

token is changed manually.

Token value Description
GetLatestVersion Boolean Used by iDefense only. iDefense alert fetching is a two-

step process.
1. Gets a list of alert IDs with the versions for a
specified start date (IDefenseFromDate above).
2. Gets the full alert document for each alert ID.
By default, the version of the alert associated with the
corresponding date is the version that is downloaded.
When the value of the GetLatestVersion token is true,
step 2 is forced to fetch the latest version of the full alert
instead.
Setting this token to true may improve performance
because the same alert is only downloaded once per
execution.
Use this token only if you are not interested in the
historical information.
ChunkLimit Numeric iDefense only. The longer it takes to run a threat feed the
more risk there is of the data feed failing. When a job
fails, all alerts will be downloaded again.
To ensure a job completes in a reasonable time period, an
iDefense feed only processes 1000 alerts per job
execution. If more than 1000 alerts need to be processed,
the next set is picked up on the next data feed run. Use
this token to change the number of alerts that are
processed for each job execution.
RSA Archer recommends scheduling threat data feeds to
run several times a day. This schedule will help keep the
execution time of each job to a reasonable time period.

Threat feed baseload tokens

The following table describes the thread feed baseload tokens.
EnableSelectiveFieldUpdating Boolean This token, combined with some specialized

configuration settings, prevents a mapped related
reference field from updating.
Currently the specialized configuration is only available
with the Technologies mappings (Tech Vendor and
Technology specifically) and cannot be added to any
other related reference field.
IsBaseload Boolean Do not modify or add this value after it is automatically

removed. Changing this value can cause data integrity
issues.
The initial load (baseload) of the threat information can
take a significant amount of time. In many cases, it can
take up to two weeks to download all data feeds. When
this token is set to true, specialized logic is performed
to significantly increase performance.
AlertIdGuid GUID Used to identify the AlertId field for a threat

application.
Only change this value when the default setting does
not match the actual field GUID. This condition rarely
occurs because of the automated GUID remediation
process.
VersionGuid GUID Used to identify the Version field for a threat

application.
Only change this value when the default setting does
not match the actual field GUID. This condition rarely
occurs because of the automated GUID remediation
process.
Data tokens
Data tokens capture data from the last execution of a data feed. To specify that a field value is
saved, select the Token column of that field in the Source Data tab.

When the Token checkbox is selected for Device_Name, the Device_Name appears in the list of
tokens. After each run, the value from the last record is set in the Value field.
You can use this token in several settings throughout the data feed configuration.
Fields for the available tokens:
The following table lists the fields for the available tokens.
Field Input
Post processing Destination files
Archer Web Services transporter Configuration string
Database Query transporter Query
Symantec DeepSight transporter Sequence number
File transporter Path
FTP transporter Fully qualified URI
HTTP transporter Data request URI
HTTP transporter Data request header parameters
HTTP transporter Logon header parameters
HTTP transporter Logoff header parameters

Field Input
iDefense transporter URL
Mail Monitor transporter Filter
RSS transporter URL
Example 1
This example describes how to configure a data feed to process only users who have been added
since the last time the data feed ran using the Database Query Transporter.
The query looks like this:
SELECT UserId, UserName FROM UserTable WHERE UserId > {UserId} ORDER BY UserId
After the source fields are loaded, the Token checkbox is selected for the UserId field. After each
data feed execution, the last UserId from the source is stored in the token. The next execution of the
data feed includes only the UserIds that are after the stored token value. Notice that the query also
orders by UserId to ensure the last sequenced UserId value is the value stored in the token.
Example 2
This example shows how to configure a data feed to process records only from the source that were
modified since the last time the data feed ran using the Database Query Transporter.
SELECT Value1, Value2, etc FROM someTable WHERE LastUpdatedDate > {LastRunTime}
The {LastRunTime} token is a built-in token that exists in every data feed so there is no need to
define a custom data token.
Formula tokens
You can use formulas as tokens by placing an equals sign (=) in front of the first formula, after the
token symbol. The token starts with {=.
Nested token symbols are invalid. If you want to include tokens in a formula, use the GETTOKEN
function.
Example
This example shows how to configure a data feed to process records only from the sources that were
modified within the same year in which the last the date feed ran using the Database Query
Transporter.


SELECT Value1, Value2, etc FROM someTable WHERE LastUpdatedYear = {=YEAR
(DATEVALUE(GETTOKEN(LastRunTime)))}
The YEAR function requires a serial date, which is achieved by calling the DATEVALUE function.
The DATEVALUE function requires a string date and returns a serial date. Notice also that you
cannot nest the token symbol. To obtain the value of the LastRunTime token, use the GETTOKEN
function.
Supported functions
AND FALSE LEN POWER TRIM
CHAR HOUR LOWER RIGHT TRUE
CONCATENATE IF MATCH SECOND UPPER
DATE INDEX MID SQRT VALUE
DATEVALUE ISBLANK MINUTE SUBSTITUTE WEEKDAY
DAY ISNONTEXT MONTH TEXT YEAR
DAYS360 ISNUMBER NOT TIME
DOLLAR ISTEXT OFFSET TIMEVALUE
EXACT LEFT OR TODAY
Manipulating Data in the Source File of Standard Data Feeds

You can manipulate the field values of the source data so that the data is updated when imported into
the target. For example, you can use a calculated field to manipulate the original field value so the
output string is different.
Example: Common calculations

The following table provides example calculations.
Calculation Description
CONCATENATE Combines the values of two fields into a single value. For example, it
([TOLastName], ", ", would take the value “Doe” from the Last Name field and the value
[TOFirstName]) “John” from the First Name field and merge them into the value “Doe,
John.”

Calculation Description
If(LEN([Production Executes a logical operation to determine which field to use as the source
IP])>0,[Production value. If the Production IP field is not blank, the value from this field is
IP],If(LEN used. If the Production IP field is blank and the Maintenance IP field has
([Maintenance IP])>0, a value, the value from the Maintenance IP is used. If both fields are
[Maintenance IP], blank, the Backup IP value is used.
[Backup IP]))
Add child source fields

You can add a child source field to define structure for any of your data feed source fields.
Note: This option is available for all Archer-to-Archer standard data feeds and for other standard
data feed transport methods in which you have specified the XML File Iterator as the navigation
method.
1. Go to the Source Data tab of the data feed that you want to modify.

d. Click the Source Definition tab.
e. Click the Source Data tab.

l In the Source Fields title bar, click Add New to add a child source field to the first field in the
Source Fields list.
l In the Actions column of an existing source field, click to add a child to that source field.
If there are existing children for the source field, click the plus (+) symbol next to the source
field name to display the children.
Modify field values from the source file



e. Click the Data tab.
2. From the Field Type list of the source field that you want to translate, click Lookup Translation.
Lookup translation
Translation reconciles values from your source data to values that are acceptable in the RSA
Archer target application or questionnaire. Using an application as an intermediary ensures that
the data feed converts all of the external data into the proper format before importing it to the
destination application.
You can use Lookup Translation to translate a value from the source file into another value. You
would map a column in the source file to a field in an application, and map a field in the target
application to another field in the same application. Lookup Translation looks up the value of the
source file in the application and, when found, stores the value (from the same record) that is
mapped to the target application.
Example: Mapping external values to internal values
You may have a field in your external file with values of New York and California. However,
the application into which you are importing the data only accepts state abbreviations. Using the
Lookup Translation option, you can use a separate application to map your external values to the
proper internal values, as shown in the following table.
Destination
Source Data Translation Application
Application
Field Name: Field Name: State Field Name: State Field Name: State
State ID1 ID2
California California CA CA
Texas Texas TX TX
New York New York NY NY
Florida Florida FL FL
3. In the Actions column of that source field, click .

4. In the Source list, select the source field.
5. In the Application list, select the application that translates the values.

6. In the Exceptions list, select the function that the Data Feed Manager executes when a value
generates an exception.
Translation editor exception

The selections from the Original Value and Translation Value lists must be different, or a
warning message appears.
Option Description
Log Writes an error to the log file, and the value is not imported. No updates are
Warning made to the translation application.
Insert Raw Inserts the raw value from your source file in the target application if a match is
Data not found.
Original Identifies the field in the translation application that maps to the value from your
Value external data file.
Translation Identifies the field in the translation application that maps to the proper value in
Value the target application or questionnaire.
7. Click OK.
8. Click Apply.
Add a calculated field in the source data

Calculations for the Data Feed Manager use the same calculation engine and syntax as the
Application Builder feature. Apply calculations to source fields for generating new values
dynamically, which can be populated in an application or questionnaire.
Note: You cannot reference fields in a calculation that are nested in different parent fields.
1. Go to Source Data tab of the data feed that you want to modify.

d. Click the Definition tab.
e. Click the Source data tab.

2. From the Field Type list of the source field to which you want to apply a calculation, select
Calculated Field.
3. In the Actions column of that source field, click .

4. Type your calculated formula.
5. Click OK.
6. Click Apply.
Insert static text to a field value in the source data

Static Text adds an additional field to your data feed that adds context to the source data. For
example, you can add a Static Text field that specifies the name of the source, such as the database
name or threat feed.
In the RSA Archer target application or questionnaire, you can create a field called Data Source.
When the data feed completes, all records updated by this feed have the same value for the Data
Source field. Using this option, you can quickly identify and report on records updated from a
specific source
1. Go to the Source Definition tab of the data feed that you want to modify.

2. Click the Source Data tab.

3. From the Field Type list of the source field where you want to insert static text, select Static
Text.
4. In the Actions column of that source field, click and enter the static text.
5. (Optional) Click Validate Syntax. If necessary, correct the formula before continuing.
Note: The Validate Syntax function:
l Validates only the syntax of the formula.

l Cannot accommodate calculations containing cross-references or levels. Using them in
formulas causes a data feed run-time error.
l Cannot validate system functions.

l Cannot accommodate the use of certain special characters as field values.

l Requires that fields used in calculations appear on the source definition page.
6. Click OK.
7. Click Apply.
Troubleshooting Data Feeds

RSA Archer validates the data feeds and reports any errors. If errors are found, RSA Archer
terminates the data feed process. You must correct the errors in your data file before attempting the
data feed again.
Note: By default, the data feed process terminates when it encounters an error. However, if you
want to continue processing the data feed even if errors exist, select the Data Validation option on
the General tab of the data feed configuration before starting the feed.
The following table describes potential errors and resolutions.

All unique If your data feed contains new sub-form records, you Verify that the unique
identifiers must map the fields that you selected to serve as the identifiers are correctly
must be application unique identifier to the corresponding fields mapped.
mapped for in the field mapping grid.
insert
All unique If you are updating existing master or sub-form records, Verify that the unique
identifiers you must map the field that you selected to serve as the identifier is accurately
must be application's unique identifier to the corresponding field mapped.
mapped for in the field mapping grid.
update.
Column Your external data file contains a value that does not Change the value in your
mismatch match the data type of the field to which the value is data file to match the
mapped. data type required by the
field to which you are
mapping the value.

Could not Occurs if your external data file contains a group value Do one of the following:
locate group that is not a group value established in the system. l Change the group
name value in your data file
so that it matches a
group in the system
l Add the group from
your data file to the
system from the
Manage Groups page
in the Access Control
feature.
Date does Your external data file contains a date that does not Reformat the date value
not match match the date format that you have specified for the so that it matches the
expected import. format that you selected
format in the Data Import
Wizard.
Field is Your external data file is missing one or more values Enter the required values
required for a required field. in your import file or
change the field in your
application so it is no
longer a required field.
Field Your external data file is missing a value for a Values Enter the required value
requires a List field that requires a selected value. in your data file or
selected change the field in your
value application so that it no
longer requires a certain
number of value
selections.
Imported Occurs if you are importing sub-form data, and the field Select a unique field
subform from the parent record that you selected as the unique value from the parent
record identifier contains non-unique data. record to serve as the
cannot have application unique record
multiple identifier.
parents
Invalid IP Your external data file contains a value for an IP Reformat the value.
Address Address field that is not correctly formatted.

Invalid key Occurs if you are updating records with a Cross- Ensure that the identifiers
(s) for cross Application Status Tracking (CAST) field and do not are valid and unique.
application specify valid, unique identifiers for the parent-
status field application and child-application records associated
for with the CAST field.
application
Invalid Your external data file contains a value for a Matrix Reformat the value
matrix field that is not formatted correctly. correctly.
format
Invalid Occurs if you are importing a value into a Numeric Change the value in your
number field that contains alphabetic characters. external data file so it
contains only numeric
characters.
Invalid Occurs if you are doing an import update, and the Change the value in your
tracking ID Tracking ID field in your external data file contains a data file so that it is a
value that is not a valid tracking ID for the application valid, unique tracking ID
into which you are importing. The tracking ID value for the import
may not exist in the system, or it may be a valid application.
tracking ID for another application.
Multiple Occurs if more than one field from your data import file Ensure that your
columns are is mapped to the same application field. If you are application fields are
mapped to performing a sub-form data import, a field from your mapped to different fields
the same data import file may be mapped to the same field as the and that the import data
field parent record. fields are mapped to the
sub-form fields.
Number is Occurs if you are importing a value into a Numeric Examine the Numeric
larger than field that is above the maximum value allowed for the field in your application
maximum field. to determine the
value maximum value it allows
and change the value in
your data file to fall at or
below that maximum
value.

Number is Occurs if you are importing a value into a Numeric Examine the Numeric
smaller than field that is below the minimum value allowed for the field in your application
minimum field. to determine the
value minimum value it allows
and change the value in
your data file to fall at or
above that minimum
value.
Too many This error can occur:

cross l If a record in your external data file contains more l Examine the Cross-
references values for a Cross-Reference field than the Reference field in
maximum number of value selections than that field your application to
allows. determine how many
l If the key field for the cross-referenced application values can be selected
is not unique and your Cross-Reference field maps to for the field, and
one of the non-unique values. reduce the number of
values in your data file
so that they fit within
that limit.
l Verify that the key
field of the cross-
referenced application
is unique.
Unsupported Occurs if you are importing new records and attempt to Select Do Not Import
import type import data into a Tracking ID field. from the list for the
Tracking ID field in the
field mapping grid.
Unsupported Occurs if you are updating records with your data Select a field type for the
link type import and you select a field type for the key field that key field that can serve
cannot serve as the key field for a record. Examples of as the key field for a
field types that cannot serve as the key field for a record.
record include:
l Last Updated Date
l Record Status
l Related Records

The job Possible causes include a job that was ended by the In the JavaScript
process system administrator or by the job engine (due to being Transporter Settings
(####) unresponsive). Check the job log files for possible section of the
ended information about any errors. RSA Archer Control
abruptly for This error produces a log similar to the following: Panel, allocate additional
unknown memory in the Max
reasons in <JobType>ArcherTech.DataFeed.Workflows. Memory Limit field.
HH:MM:SS. WF4.MultistepProcessing.DataFeedScriptExecutionJob,
ArcherTech.DataFeed,
Version=Maj.Min.NNNNN.BBBB, Culture=neutral,
PublicKeyToken=null</JobType>
This error can be caused by the job exceeding the
allocated memory limit provided.
Archer-to-Archer Data Feeds

An Archer-to-Archer data feed provides the ability to pull data from one instance to another through
a report-based search. The source data is inserted in its raw or formatted state back into the same
application, a different application in the same instance, or an application in a different instance.
An Archer-to-Archer data feed uses the Archer Web Services Transporter. The Archer Web
Services Transporter accesses the RSA Archer Web Services API and retrieves data from the
specified instance or another instance of RSA Archer. The user account running the search in the
API must have at least Read access to the report being used and the application. Record permissions
are evaluated as well, and could limit the source data retrieved from the application. Report-based
data feeds can use either the report ID or the report GUID during configuration.
For report-based data feeds, create a Global Report and click Apply in the source application.
Ensure that content exists for every field in the source application from which you want to import
data. If a field in the source application is empty, it will not be available for you to select in the data
feed. Use the report GUID when working with the data feed before closing the report.
Important: Do not run the Archer-to-Archer data feed using the same account with which you have
logged in to RSA Archer. Using the same credentials logs you out of your session. In addition, do not
run multiple data feeds using the same account credentials. Each Archer-to-Archer data feed must
have its own separate and unique account for logging in and retrieving data.
Archer Web Services Transporter

The Archer Web Services Transporter must be configured with the same authentication method as
configured in Microsoft Internet Information Services (IIS) on the web server. If you do not know
the Microsoft IIS configurations, contact your system administrator before continuing.

Guidelines for designating the security credentials
l If IIS is configured for Anonymous authentication, use the Anonymous/Service Account User
option. When IIS is set to Anonymous authentication, the user account credentials are not sent
with the data feed request.
l If IIS is configured for Windows Integrated authentication, use either Anonymous/Service
Account User or Specific.
o If credentials are set to Anonymous/Service Account User, the service account running the
asynchronous job is sent with the data feed request.
o If credentials are set to Specific, the specified Windows account credentials are sent with the
data feed request.
You must also define the transport configuration for this transporter. The Web API uses the search
types described in the following table for processing data of a data feed.
Search
Description
Type
Report ID Retrieves data using the search report GUID or ID, which is provided in the search
results for the report.
Search Retrieves data using the module ID and a configuration string. This information is
XML obtained by running an XML search using an API call.
Statistic Retrieves data using the search statistical report GUID or ID, which is provided in
Report ID the search results for the statistical report.
Additionally, a data feed can access the source data through a proxy server and can handle post-
processing of the local copy of the source data.
Use the following tasks to add an Archer-to-Archer data feed:

l Adding Archer-to-Archer Standard Data Feeds
l Adding Archer-to-Archer Transport Only Data Feeds
For more information, see "Data Feeds" in the RSA Archer Online Documentation.
Adding Archer-to-Archer Standard Data Feeds
Task 1: Add a standard data feed


.

l To create a new data feed, select Create a new Data Feed from scratch.
l To create a data feed from an existing data feed, click Copy an existing Data Feed and select
a data feed from the Existing Data Feeds list.
3. Click OK.
4. In the General Information section on the General tab, enter the name, alias, and description.
5. From the Target list in the Feed Information section, select the application or questionnaire that
will receive the data from the external data source. If the application is leveled, select the level.
6. From the User Name list, do one of the following:
l Select the appropriate user account that is associated with the data feed.
l Create a new user account by selecting Other and entering the name of the new user account.
Note: If you are completing a large data import, you may need to increase the Session Timeout
for the Archer Services Security Parameter from 30 minutes to 6 hours. Adjustments for the
Archer Services Security Parameter must be made in the instance database by running an SQL
command.
7. In the Feed Type field, click Standard.

8. (Optional) In the Notifications section, specify whether to send an email notification when
records are created or updated and when the job status changes.
Option Description
Send Select whether to have the data feed trigger notification emails when records
Notifications are published or updated. If notifications are not enabled in the selected target
application, no notification emails are sent when the data feed runs.
Send Job Select whether to have job status notifications sent to selected users or groups.
Status You can also select email addresses to receive job status notifications. If
Notifications selected, job status notifications are sent showing whether a job succeeded or
failed to run.
9. (Optional) In the Additional Properties section, specify a different locale for your source data,
whether to override the rules of saving a record defined in the application, and whether to delay

running calculations until the data feed completes.

Option Description
Locale Specifies the country (language) format of your source data. Different cultures
or countries use different characters when formatting similar data.
Data Determines whether RSA Archer performs data validations against the selected
Validation target application when saving a record. Selecting this option bypasses
validation that is based on field definition and configuration (with some
exceptions). This option applies regardless of whether you are targeting a
questionnaire or application.
RSA Archer validates the following items regardless of whether this field is
selected:
l Attachment or image field - Validity of the file.
l Date/Time field - Minimum and maximum system values.
l Text field - Contains valid HTML.
l Field name - Uniqueness.
The required field settings are disregarded if you select to ignore the rules
defined within the target application. However, the unique selection cannot be
ignored.
Optimize Delays running calculations until the data feed completes and condenses
Calculations calculations for optimal processing. If this option is enabled, the optimized
calculation jobs run after the data feed completes. This improves the
performance of data feed processing and calculations.
Note: Condense jobs that are in the queue during an upgrade cause the jobs to
fail after the upgrade. Verify that there are no Condense jobs in the queue
before upgrading.
10. Click Apply.
Task 2: Define the transport method
1. Go to the Transport tab of the data feed you want to modify.



d. Click the Transport tab.
2. In the Transport Method field, select Archer Web Services Transporter.

3. In the Security section, do one of the following:
l Specify whether the current instance is set up for anonymous authentication.
l Specify whether the current instance uses Windows Authentication and enter the specific
credentials.
4. In Search Type, click Report ID or Statistics Report ID.
Note: If you want to use a data feed that was created in RSA Archer 4.x, you must run an
XML Record Search, and select Search XML as the Search Type. For information on the XML
Search feature, see the Running an XML Record Search for an Archer-to-Archer Data Feed
topic in the RSA Archer GRC Online Documentation.
5. In the Report or Statistics Report field, enter the report ID.

l To run the report with Windows credentials, select the Use Windows Authentication option.
Single Sign-On (SSO) must be configured to use this option.
l To run the report by a specific user, enter the credentials of the account that will be running
the report in User Name and Password.
Note: Use the account that has access role rights to the search.asmx page. The account
should also be an application owner with full access permissions to the content of the
applications. Do not use the same account that you used to log on.
7. (Optional) In the Domain field, enter the name of the domain to be searched against.
8. In the Instance field, enter the instance name for the instance to be searched against. Use the
instance name and not the PIN.
9. (Optional) In the Proxy section, enter the credentials of the proxy server if the data feed
accesses the source data through a proxy server.
Option Description
No Proxy Indicates that the data feed does not pass through a proxy.
Use System Indicates that the Data Feed Service runs the feed with the proxy configuration
Proxy that is set up in the Control Panel.

Option Description
Configure Indicates that the data feed must pass through a proxy. Continue with providing
Proxy the parameters for accessing the proxy.
10. (Optional) In the Post-Processing - Local Copy section, define the post-processing rules if the
data feed handles post-processing of the local copy of the source data.
To perform post-processing on the source file retrieved, in the Post-Processing - Local Copy
section, determine how the data feed should handle the local copy of the source data when the
integration is complete. In the On Success field, select from the following options.
Option Description
Nothing Does not alter the source file when the data feed successfully completes. If there is
a local copy of the source information, the local copy is deleted.

Option Description
Rename Saves the source file under a new name when the data feed successfully completes.
In Destination File, specify where the file should be saved and the new name for the
file.
To save the data, the path of the destination file must be accessible to the account
running the Job Engine service.
If you select this option, use filename tokens for specifying the location or name of
the file.
Filename tokens
Filename tokens are available for post processing when you want to save the source
information and specify a location or name for the file. When you select the Rename
option, you can use tokens to generate unique names automatically for the files.
Here are the usable tokens for renaming data files.
l Now. Insert a user-defined date format within the new filename. Possible formats
include Now(MM/dd/yyyy) or Now(MMM-dd-yyyy). See the Microsoft .Net
Framework Developer Center for available custom date/time formats.
l DataFileDirectoryName. Update the filename with the directory name, including
the drive, of your file.
l DataFileName. Insert the original filename, excluding the directory name and
extension.
l DataFileExtension. Insert the file extension, such as .csv, in the new filename.
l DataFileFullName. Insert the fully qualified filename. This data includes the
drive, directory, filename, and extension of the original file.
For example, if the data file came from the following location,
C:\DataFeed\Source\ESL\processed\ThreatData.csv, files that have been renamed
using tokens would have the following output.
Example 1
l Input Tokens: {DataFileDirectoryName}\success\{DataFileName}_{Now
(MM.dd.yyyy)}.{DataFileExtension}
l Output: C:\DataFeed\Source\ESL\processed\success\ThreatData_01.31.2008.csv
Example 2

Option Description
l Input Tokens: \\DFSRepository\{Now(yyyy)}\{Now(MM)}\{DataFileName}_

success.{DataFileExtension}
l Output: \\DFSRepository\2008\01\ThreatData_success.csv
11. Click Apply.
Task 3: Define the XML format of the source data

Use this task to transform the XML structure of the source file. The Xml File Iterator enables you to
import an XML file. You can also manipulate or restructure the data prior to importing.
1. Go to the Navigation tab of the data feed that you want to modify.

d. Click the Navigation tab.
2. In the Navigation Method list, select Xml File Iterator.

3. If your Xml file is in the desired format for processing, go to step 6. However, if you want to
manipulate the Xml file before processing, you can do one of the following:
l Enter your own transform information. Go to step 4.
l Load a transform. Go to step 5.
4. - (Optional) Enter your own transform information.
a. In the Xml File Definition section, select Transform.
b. Enter the transform information in the text box.
5. - (Optional) Load a transform.

b. In the Xml File Definition section toolbar, click Load Transform.

Note: A default Transform is included with the installation. If you require additional data
transformation, you can develop your own XSLT. For more information on XML formatting
guidelines and samples, see the appendix "XML Formatting Used in Field Results and Input"
in the RSA Archer Web Services API Reference Guide that you can download from the
RSA Archer Community.
c. Do one of the following:

l Select Default to load the out-of-the-box transform file. This option is typically used.
l Select File to load a previously created transform file.
6. Click OK.
7. Click Apply.
Task 4: Configure the source data

Use the options on the Source Definition tab to configure the source data to ensure that only the data
you want is included with the data feed. The Source Data tab is available only for Standard data
feed types.
Data options
l Import the data “as is” into RSA Archer or execute modifications and calculations against the
data to convert the incoming data into a format that matches the requirements of the application or
questionnaire it is imported into. Use several advanced options, such as lookup translations and
calculations, to prepare and modify the data to meet your individual business needs.
l Filter data so that only what you want to receive is imported into the target application or
questionnaire. By not defining filters on the Data Filter tab, you instruct Data Feed Manager to
return all records in the data feed. Use operator logic to add filters to include only records
meeting certain criteria in the data feed process.
l Capture tokens of data from the last execution of a data feed that can be used during the next run
to identify which data to retrieve. On the Tokens tab, you can add, edit, or delete token values in
preparation of the next data feed execution.



2. In the Source Field title bar, click Load Fields.

3. Define the Schema Source for retrieving the sample data file and click OK. This file contains
the list of source fields and is dependent on the transport method.
following table identifies and describes the schema sources that are available for each of the out-
of-the-box transporters.
Important: The process of loading a source definition for a data feed times out at five minutes.
You may want to consider using a smaller set of source data when you set up the feed.
Source Description
Execute Executes the search in RSA Archer and detects the source schema from the results.
Search Recommended approach for an Archer-to-Archer data feed. Loads the source fields
directly from the report. When using this scheme, complete all required information
on the Transport and Navigation tabs.
Sample Uses a skeleton of your actual source data file. For example, if you are importing
File data from a .csv file, the source data file is a .csv file that includes the column
names from your source data. If you are importing data from an .XML file, the
source data file includes the structure of your .XML without the actual field values.
For the Archer Web Services Transporter, select a file from an external location
that contains the data in a same format as the report format.
4. In the first line in the Source Fields section, select the appropriate field option for the record
definition.
Note: For more information about configuring source fields in standard data feeds, see
Manipulating Data in the Source File of Standard Data Feeds.
5. In the Field type list for the remaining source fields, select the application option.
6. Click Apply.

Task 5: Define data tokens
1. Go to the Tokens tab of the data feed that you want to modify.

e. Click the Tokens tab.
2. (Optional) Click Add New to add an additional token.

3. In the Value field of the token that you want to modify, enter the updated value.
4. (Optional) Click in the row of the token that you want to remove.
5. Click Apply.
Task 6: Map the source fields to the target fields
1. Go to the Field Map tab of the data feed that you want to modify.

d. Click the Data Map tab.
e. Click the Field Map tab.
2. Map the source field to the applicable application or questionnaire. Do one of the following:
l Click Auto-Populate to map the source fields to application or questionnaire fields. This option
maps fields from the data source to application or questionnaire fields that have the same
name. Auto-populate occurs on level 1 fields only. Additionally, if there is an exact name
match between the source field and the target field, and the field type is one of the following,
the field is not auto-populated: External links, Values list, Sub-form, Related records, Cross
reference, or CAST.
l Drag each source field and drop it next to the application or questionnaire field in the Target
Fields section. For target fields that have a field type of cross-reference, sub-form, or related
records, map the fields expanded under these field types. You cannot directly map to a target
field with any of these field types.

Note: You can drag the left or right border to resize the Source Field column so that it can
display long source field names.
3. (Optional) Do the following to configure the mapped fields:
a. In the Actions column, click .

b. Complete the options for the selected field type.
4. (Optional) Assign a trust level to your source data for a mapped field, enter a value from 0 to 99
in the Trust Level column of the field.
Note: You can enter a value from zero to 99, with zero being the highest trust level, and 99 the
lowest. A data feed cannot overwrite a previous feed that has a higher trust level. For example, a
data feed with a trust level of 75 cannot overwrite a data feed with a trust level of 20. By
default, this option is not available until Manual Trust is activated.

l To delete a mapping for a single field, click in the Actions column of the field that you
want to remove.
l To remove the mappings for all fields, click Clear Target Field Mappings located in the
Target Fields title bar.
6. Click Apply.
Task 7: Define key fields
Note: For some out-of-the-box applications, you may see the following message if you try to
configure key fields for a data feed:
Keys are not configurable for this module.

This message appears because the process of configuring key fields happens automatically. In this
case you cannot configure the key fields yourself.
To define key fields, complete the following steps:
1. Go to the Key Field Definition tab of the data feed that you want to modify.


e. Click the Key Field Definitions tab.
2. In the Reference Field section, select the field that requires a key field definition.
Note: The Reference Field section contains the target application or questionnaire and any
mapped cross-reference, related records, CAST, or sub-form fields that require the creation of a
key field definition.
3. In the Key Field Definitions title bar, click Add New Key.
Note: You can use the Key Field Definitions section to define the unique key identifiers and the
data feed actions during the feed execution.
4. In the Field Name field, select a target application or questionnaire field that uniquely identifies
the record.
5. (Optional) Assign compound unique identifiers for the record. Do the following:

b. From the Available Fields list, select the fields.
c. Click OK.
6. (Optional) In the Actions column, do one or more of the following:
l Click Add New to add multiple unique identifiers to the key field definition.
l Click in the Actions column to add unique identifiers in a hierarchical structure for sub-
form field types.
Note: After setting the order of key fields, the Data Feed Manager scans the data source file
for matches to each unique identifier in the specified order. When any key field is found as a
match to a field in the target application, the record is considered matched.
7. From the Action list, select the applicable option for the matching criteria for the unique
identifier.
8. Click Apply.
Task 8: Set rules for archiving and updating records

You can use the update and archive options to update existing records, create new records, or both.
In addition, when target records in RSA Archer cannot match records in the external data source,
you can select to modify or delete those records. This option can be useful if you are deferring the
accuracy and current status of your data to the external system. By deleting or modifying records in
the system that are not in your external data source, you ensure that both the external source and the
system are synchronized.

1. Go to the Update/Archive tab of the data feed that you want to modify.

e. Click the Update/Archive tab.
2. In the Update Options section, select whether to create or update records in the target
application.
Option Description
Create Create new records for data found in the source file and not in the target application
or questionnaire.
Update Updates records in the target application or questionnaire when a unique identifier
match exists in the source file. If you are also selecting the Archive Option of
Delete and want to retain existing records, make sure to select the Update option.
3. In the Archive Options section, select what happens when the matching record is not found in the
target application.
Option Description
None Does nothing when a matching record is not found.
Delete Deletes records in the target application or questionnaire when a matching record is
not in the source data. If you want to retain existing records, also select the Update
option.
Records are matched by a unique identifier only during the update process. If you
want to retain existing records while archiving the target application, also select
Update in Update Options. If you do not select the Update option, all records in the
target application will be permanently deleted.

Option Description
Set Sets a value in a Values List field in a record whenever the external data file does
Value not contain a matching record.
Use this option to set a Values List to a value that identifies this record as Inactive
or Not Current. For example, a Devices application with a record for a specific
laptop and the external data file does not have a matching record for that laptop. You
can use this option to set a Values List field in the laptop record to the value
Inactive.
When you select this option, you also select the Values List field in the target
application or questionnaire and the value that you want to set in that field.
You cannot set the value in the Values List field of the target leveled application
under the following conditions:
l Level 3 or lower in a leveled application.
l You are modifying the data feed configuration.
In most scenarios, RSA recommends selecting the Set Value option and flagging
these records with a specific value rather than deleting them. For example, you can
add a field to your application called Status and include the values Current and
Archived. If a data feed cannot find a matching record in the data source with a
system record, the system record could be updated to have a value of Archived for
the Status field.
4. Click Apply.
Task 9: Define the data feed schedule

You can set up data feeds to run automatically at regular intervals. This reduces the time and effort
required to import data from an external file. You can initiate data feeds at various times and
configure them to run in regular increments for an indefinite period of time.
To prevent excess server load, schedule data feeds on a staggered basis. You can schedule a
maximum of 10 data feeds to run at a time. If more than 10 data feeds are scheduled, each remaining
data feed executes as the previous one completes.
A reference feed allows you to specify another feed. This indicates to the Data Feed Service that
this feed will start executed as soon as the referenced feed completes successfully.
Important: When you configure an iDefense or DeepSight threat data feed, you need to set specific
parameters to connect the threat feed properly with your RSA Archer instance.

1. Go to the Schedule tab of the data feed that you want to modify.

2. Go to the Recurrences section and complete frequency, start and stop times, and time zone.
The following table describes the fields in the Recurrences section.
Field Description
Frequency Specifies the interval in which the data feed runs, for example, Minutely, Hourly,
Daily, Weekly, Monthly, or Reference.
l Minutely. Runs the data feed by the interval set.
For example, if you specify 45 in the Every list, the data feed executes every
45 minutes.
l Hourly. Runs the data feed by the interval set, for example, every hour (1),
every other hour (2) and so forth.
l Daily. Runs the data feed by the interval set, for example, every day (1), every
other day (2) and, so forth.
l Weekly. Runs the data feed based on a specified day of the week, for example,
every Monday of the first week (1), every other Monday (2), and so forth.
l Monthly. Runs the data feed based on a specified week of the month, for
example, 1st, 2nd, 3rd, 4th, or Last.
l Reference. Runs a specified data feed as runs before the current one. This
option indicates to the Data Feed Service that this data feed starts as soon as
the referenced data feed completes successfully.
For example, you can select to have a Threats data feed run immediately after
your Assets data feed finishes. From the Reference Feed list, select after
which existing data feed the current data feed starts.
A reference data feed will not run when immediately running a data feed. The
Run Data Feed Now option only runs the current data feed.
Every Specifies the interval of the frequency in which the data feed runs.

Field Description
Start Specifies the time the data feed starts running.

Time
Start Date Specifies the date on which the data feed schedule begins.
Time Specifies the time zone in of the server that runs the data feed.
Zone
3. Click Save.
Adding an Archer-to-Archer Transport Only Data Feed
Note: If you want to use a data feed that was created in RSA Archer 4.x, you must run an XML
Record Search, and select Search XML as the Search Type. For information on the XML Search
feature, see the Running an XML Record Search for an Archer-to-Archer Data Feed topic in the
RSA Archer Online Documentation.
Example: Archer-to-Archer data feed - XML search for transport only

The following table shows an example of the values of a data feed for the Archer Web Services
Transporter using an XML search to retrieve data from the RSA Archer Web Services API. The
example shows the settings for each property of the data feed and running the data feed without a
schedule.
Tab Section Field Value Notes
Gener General Name user defined The unique name of the data feed,
al Informati for example, AWS Transport
on ONLY Data Feed.
Alias default By default, the Alias is the same

as the Name, for example, AWS_
TO_Data Feed. The Alias name
designates the name of the folder
for this data feed in the home
directory.
Status Active The data feed must have an

Active status to run.

Feed User user defined The user name under which the
Informati Name data feed will run, for example,
on AWS_Transport_Only. This user
must have access to the Web
Service API and the XML search
report. The user name cannot be
the same as the user who is
currently logged in.
Feed Transport Only

Type
Target user defined The name and location of the file

Path being transported, for example,
AWS.xml.
Transp Transport Transport Archer Web Service

ort Method Transporter
Security URL [http://yoursiteURL/ws/sear For example, http://qa-

ch.asmx] web10.archerlab.local:8000/ws/se
arch.asmx. Replace yoursiteURL
with your actual URL to the RSA
Archer instance.
Use select the option for the Anonymous/Service Account

Credentia current instance User: Select if the current
ls instance is set up for anonymous
authentication.
Specific: Select if the current
instance is set up for windows
authentication. You will need to
provide: User Name and
Password for Windows
authentication. The Domain is
optional.
Transport Search Search XML

Configura Type
tion

User user defined The user who has access to the

Name RSA Archer Web Services API
and the report.
Password user defined The password for the user in

which the data feed will run.
Instance user defined For example, South Beach.
Records 10,000 Recommendation to ensure fewer

Per File files need to be retrieved in the
API call.
Applicati system defined From the Record Search in RSA

on GUID Archer, for example, C6A312AC-
F4F1-4F33-BCFD-
CE30232400C5.

Configura For Example:

tion <Search><ReturnDomain
String value="1"/><ShowFieldName
value="1"/><Display><Field
id="35097"/><Field
id="35096"/><Field
id="35047"/><Field
id="35061"/><Field
id="35057"/><Field
id="35046"/><Field
id="35081"/><Field
id="35094"/><Field
id="34977"/><Field
id="34985"/><Field
id="34998"/><Field
id="34997"/><Field
id="34989"/><Field
id="34988"/><Field
id="34987"/><Field
id="34986"/><Field
id="34984"/><Field
id="34981"/><Field
id="34996"/><Field
id="34995"/><Field
id="34994"/><Field
id="34993"/><Field
id="34992"/><Field
id="34991"/><Field
id="34990"/><Field
id="34980"/><Field
id="35009"/><Field
id="35031"/><Field
id="35029"/><Field
id="35026"/><Field
id="35028"/><Field
id="35024"/><Field
id="35027"/><Field
id="35025"/><Field

id="35051"/><Field
id="35037"/><Field
id="34979"/><Field
id="35032"/><Field
id="34978"/><Field
id="35039"/><Field
id="35022"/><Field
id="35021"/><Field
id="35038"/><Field
id="35020"/><Field
id="35042"/><Field
id="35007"/><Field
id="35045"/><Field
id="35044"/><Field
id="35043"/><Field
id="35002"/><Field
id="34999"/><Field
id="35104"/><Field
id="35107"/><Field
id="35108"/><Field
id="35105"/><Field
id="35106"/><Field
id="35109"/><Field
id="35110"/><Field
id="35115"/><Field
id="35117"/><Field
id="35112"/><Field
id="35113"/><Field
id="35111"/><Field
id="35065"/><Field
id="35116"/><Field
id="35114"/></Display></Search>
Proxy Proxy user defined Select the applicable option if

Options using a proxy server for running
the data feed.

Sched Immediat Run Data Start Click Start to run the data feed.
ule e Feed
Processin Now
g
Task 1: Add a transport data feed

c. Click Add New.

l To add a new data feed from scratch, click Create a new Data Feed from scratch.
l To add a new data feed from an existing data feed, click Copy an existing Data Feed and
select the data feed you want to copy.
3. Click OK.
5. In the Feed Information section, click Transport Only.
Option Description
Standard Integrates data from an external source into an application or questionnaire.
Transport Locates a specific data file. This file contains additional instructions for launching
Only subsequent, standard data feeds. With this data feed type, the data feed only
completes the Transport and Navigation activities. The Source Definition and Field
Mapping activities are not allowed. Processing of the data feed does not attempt to
process the data.

Important: If you intend to use the data feed as part of a convoy, or you are troubleshooting the
data being pulled, select the Transport Only option. This option enables you to use a transform to
manipulate the data being returned by bringing the source data in as a flat file and then configure
a subsequent XML-based feed that includes an XSLT file. For more information on XML
formatting guidelines and samples, see the appendix “XML Formatting Used in Field Results and
Input” in the RSA Archer Web Services API Reference Guide that you can download from the
6. In the User Name list, do one of the following:

When you save your data feed settings, the Data Feed Manager automatically creates the new
user account.
7. In the Target Path field, enter the path where you want to store the output file of the Transport
Only data feed.
8. Click Apply.
Task 2: Set up a report search
1. Go to the Transport tab of the data feed you want to modify.

2. In the Transport Method field, select Archer Web Services Transporter.

3. In the Security section, do one of the following:
l Specify whether the current instance is set up for anonymous authentication.
l Specify whether the current instance uses Windows Authentication and enter the specific
credentials.
4. In Search Type, click Report ID or Statistics Report ID.
Note: If you want to use a data feed that was created in RSA Archer 4.x, you must run an
XML Record Search, and select Search XML as the Search Type. For information on the XML
Search feature, see the Running an XML Record Search for an Archer-to-Archer Data Feed
topic in the RSA Archer GRC Online Documentation.
5. In the Report or Statistics Report field, enter the report ID.


l To run the report with Windows credentials, select the Use Windows Authentication option.
Single Sign-On (SSO) must be configured to use this option.
l To run the report by a specific user, enter the credentials of the account that will be running
the report in User Name and Password.
Note: Use the account that has access role rights to the search.asmx page. The account
should also be an application owner with full access permissions to the content of the
applications. Do not use the same account that you used to log on.
7. (Optional) In the Domain field, enter the name of the domain to be searched against.
8. In the Instance field, enter the instance name for the instance to be searched against. Use the
instance name and not the PIN.
9. (Optional) In the Proxy section, enter the credentials of the proxy server if the data feed
accesses the source data through a proxy server.
Option Description
10. (Optional) In the Post-Processing - Local Copy section, define the post-processing rules if the
data feed handles post-processing of the local copy of the source data.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description

11. Click Apply.



Field Description
45 minutes.

Time
Zone
3. Click Save.

Database Query Data Feeds

The Database Query Transporter data feed enables you to pull data directly from a database by
query and insert the data in its raw or manipulated state into a RSA Archer instance.
The numerous types of supported database connections are Odbc, OleDb, Oracle, SQL, and many
others. As long as the connection string is configured successfully and the client driver is installed
on the system, RSA Archer can integrate regardless of the database type.
A Database Query Transporter data feed can be configured as a standard or transport data feed type.
RSA recommends that the external database from which you are capturing data is located within
your corporate network and that data transmission occurs over an encrypted communications
channel. RSA also recommends that the credentials you use to retrieve the data have read-only
permissions. For more information, see "Define a Database Query Transporter" in "Data Feed
Manager" in the RSA Archer Online Documentation.
Use the following tasks to add a database query data feed:
l Adding Standard Database Query data feeds
l Adding Transport Only Database Query data feeds
Adding Standard Database Query Data Feeds


3. Click OK.


command.

Option Description
failed to run.
Option Description

Option Description
selected:
ignored.
before upgrading.
10. Click Apply.
Important: For the data feed to execute successfully, the server responsible for running the data
feed must have the required network access to the database.
1. Set up a report-based search for an application or questionnaire that contains the source data that
you want to import into another application or questionnaire.
Note: If the data feed uses the Database Query transporter in a multiple server environment, you
must install the data provider on all servers.
2. Go to the Transport tab of the data feed that you want to modify.


c. In the Name column, click the data feed.
3. From the Transport Method list, select Database Query Transporter.

4. In the Database Configuration section, complete the configuration options.
Option Description
Provider Specifies the data provider based on the type of connection string used.
If Oracle dotConnect is the data provider, you do not need to install the drivers
for Oracle because these drivers are included in the RSA Archer installation. To
determine the connection string for this data provider, go to the following URL:
http://www.devart.com/dotconnect/oracle/docs/Devart.Data.Oracle~
Devart.Data.Oracle.OracleConnection~ConnectionString.html.
Connection Specifies the timeout parameter in seconds to force the feed to fail because of
Timeout long-running queries.
Connection Allows the data feed to locate and access the database and retrieve the specified
String source data.
User Specifies the user name for an account that has access to query the database if
Name one was not inserted as part of the connection string in the previous step.
Password Specifies the password for an account that has access to query the database if
one was not inserted as part of the connection string in the previous step.

Option Description
Query Specifies the query that you want to execute against the database.
You can also execute a stored procedure by entering it in the Query field. This
field cannot be longer than 4,000 characters.
The following figure shows a stored procedure that you can execute.
Contact your database administrator prior to executing any queries against the
corporate data of your company . If you configure the query string incorrectly,
you may alter the data stored in the database.
Always verify your results by manually running the query directly against the
database first.
5. In the Post-Processing - Local Copy section, determine how the data feed should handle the local
copy of the source data after the integration completes.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description

In the On Success field, select Nothing or Rename to either remove or save the source file.
l If you selected Nothing, continue to the next step.
l If you selected Rename, enter the location and name of the new file you want to save in the
Destination File field.
6. Click Apply.
Task 3: Define the XML file for the source data

This task applies only to Standard data feed types and to whether you need to transform the XML
structure of the source file.
The Xml File Iterator enables you to import an XML file. You can also manipulate or restructure the
data prior to importing.

2. In the Navigation Method list, select Database Query Iterator.

3. In the Xml File Definition section, select Transform.
4. In the Xml File Definition section toolbar, click Load Transform.
Note: You must load a transform. A default transform is included with the installation. If you
require additional data transformation, you can develop your own XSLT. For more information
on XML formatting guidelines and samples, see the appendix XML Formatting Used in Field
Results and Input in the RSA Archer Web Services API Reference Guide that you can download
from the RSA Archer Community.


l Select File if you require additional data transformation and want to develop your own XSLT.
6. Click OK.
7. Click Apply.

feed types.
Data options



Source Description
Execute Executes the query specified on the Transport tab and detects the source schema
Query from the resulting record set.
Using this option may trigger actions in the database associated with this query.
definition.
6. Click Apply.
Task 5: Define data filters

Use data filters to limit the number of records retrieved from your source data. If no filters are
defined, the Data Feed Manager returns all records. After a filter has been added, only those records
meeting the defined criteria are included in the data feed. You can combine your data filters through
advanced operator logic to provide additional filters to your data.
Important: Do not use this option for an Archer-to-Archer data feed. RSA recommends that you
filter the report data instead.

1. Go to the Data Filter tab of the data feed that you want to modify.

e. Click the Data Filter tab.
2. In the Sources column, select the source name to which you want to apply a filter.
3. From the Field Name list, select the field name from your data source to which you want to
apply a filter.
4. From the Operator list, select an operator to define which type of filter you want to apply to the
source data.
5. In the Values column, enter a value based on your selection in the Operator column.
6. (Optional) In the Advanced operator logic field, enter the custom operator logic to create custom
operator logic to form relationships between the individual filters.
7. Complete either of the following optional tasks:
l To add an additional data filter, click Add New Filter located in the Data Filter section title
bar.
l To remove a data filter, in the Actions column of the filter you want to remove, click .
8. Click Apply.



5. Click Apply.

reference, or CAST.



want to remove.
6. Click Apply.


the record.


c. Click OK.
form field types.
identifier.
8. Click Apply.



application.
Option Description
or questionnaire.
target application.
Option Description
option.

Option Description
Inactive.
the Status field.
4. Click Apply.



Field Description
45 minutes.

Field Description

Time
Zone
3. Click Save.
Adding Transport Only Database Query Data Feeds

c. Click Add New.

3. Click OK.
Option Description
process the data.


user account.
Only data feed.
8. Click Apply.
feed must have the required network access to the database.
1. Set up a report-based search for an application or questionnaire that contains the source data that
you want to import into another application or questionnaire.
Note: If the data feed uses the Database Query transporter in a multiple server environment, you
must install the data provider on all servers.

c. In the Name column, click the data feed.
3. From the Transport Method list, select Database Query Transporter.

4. In the Database Configuration section, complete the configuration options.


Option Description
Provider Specifies the data provider based on the type of connection string used.
If Oracle dotConnect is the data provider, you do not need to install the drivers
for Oracle because these drivers are included in the RSA Archer installation. To
determine the connection string for this data provider, go to the following URL:
http://www.devart.com/dotconnect/oracle/docs/Devart.Data.Oracle~
Devart.Data.Oracle.OracleConnection~ConnectionString.html.
Connection Specifies the timeout parameter in seconds to force the feed to fail because of
Timeout long-running queries.
Connection Allows the data feed to locate and access the database and retrieve the specified
String source data.
User Specifies the user name for an account that has access to query the database if
Name one was not inserted as part of the connection string in the previous step.
Password Specifies the password for an account that has access to query the database if
one was not inserted as part of the connection string in the previous step.
Query Specifies the query that you want to execute against the database.
You can also execute a stored procedure by entering it in the Query field. This
field cannot be longer than 4,000 characters.
The following figure shows a stored procedure that you can execute.
Contact your database administrator prior to executing any queries against the
corporate data of your company . If you configure the query string incorrectly,
you may alter the data stored in the database.
Always verify your results by manually running the query directly against the
database first.
5. In the Post-Processing - Local Copy section, determine how the data feed should handle the local
copy of the source data after the integration completes.


Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description

In the On Success field, select Nothing or Rename to either remove or save the source file.
6. Click Apply.



Field Description
45 minutes.

Time
Zone
3. Click Save.

File Data Feeds

The File data feed enables you to pull data directly from a flat file and insert that data in its raw or
manipulated state into the RSA Archer instance.
The source files must delimited text files or XML files. You can use an XSLT to transform your
XML data into a consumable format. The Data Feed Manager can access files located on a network
server that is accessible to the Data Feed Manger. For example, a delimited file must reside on the
network server rather than your personal computer.
feed must have the required access to the files.
File Transporter
The File Transporter allows a file from an external source with unknown contents and integrity to be
brought onto RSA Archer servers. This flexibility introduces a potential attack vector where the
associated risk must be accepted by the customer.
RSA recommends that you disable the File Transporter if a business need does not require its use. If
the File Transporter must be used, RSA recommends selecting Zip File as the File Type and using
encryption by selecting an Encryption Type.
For more information, see "Transporter Availability" in the RSA Archer Control Panel Help. For
information on configuring the File Transporter, see the "Data Feed Manager" section of "Define a
File Transporter" in the RSA Archer Online Documentation.
A File Transporter data feed can be configured as a standard or transport data feed type.
Use the following tasks to add a file data feed:
l Adding Standard File data feeds
l Adding Transport Only File data feeds
Adding Standard File Data Feeds
Task 1: Add a data feed



3. Click OK.
command.

Option Description
failed to run.


Option Description
selected:
ignored.
before upgrading.
10. Click Apply.


2. From the Transport Method list, select File Transporter.

3. In the Transport Configuration section, complete the configuration options.
Option Description
Single References a single data file. This option requires you to specify a path in the Path
Data field. You can filter which files to process by entering a standard file expression in
File the File Filter field.
Note: The JSON Iterator only supports the Single Data File type.
Manifest Points the Data Feed Manager to a file that contains instructions for locating a
File series of data files. This option requires you to specify a path in the Path field. You
can filter which files to process by entering a standard file or regular expression in
the File Filter field.
Zip File References a ZIP file. This option requires you to specify a path in the Path field.
When filtering files, the parent directory is searched and then the file inside the
selected ZIP files is searched based on the filter. Use the Encryption Type list to
identify the encrypted file type. If the encrypted ZIP file is password protected,
enter the password in the Password field.
File Filtering is a single file filter or a list of file filters separated by semicolons.
The data feed only processes data included in the File Filter. The File Filter must
contain the ZIP or CSV file and all related files. Do not include files for
Attachment fields.
Note: All file names within a ZIP file must consist of characters from the code
page 437 character set.
4. (Optional) In the Post-Processing section, determine how the data feed should handle the source
information when the integration is complete.
To perform post-processing on the source file retrieved, in the Post Processing section, determine
how the data feed should handle the local copy of the source data when the integration is
complete.


Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description
Delete Deletes the source file when the data feed completes successfully.
This option is available only for File and FTP transport methods.
5. (Optional) In the Post-Processing - Local Copy section, determine how the data feed should
handle the local copy of the source data when the integration is complete.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


7. Click Apply.
Task 3: Define the file format of the source data

Option 1: Define delimited text files

2. In the Navigation section, select Delimited Text File Iterator.

3. In the File Definition section, select the encoding and delimiters to match the source file.
The following table describes the text encoding format options.
Format Description
Quote Specifies the character that is used to identify quotes in your source data.
Identifier
Escape Specifies the character that is used to escape from normal data into control data.
Sequence

Format Description
Record Specifies the control code that is used to identify a new record in your source data.
Delimiter
Skip Indicates the number of lines that the Data Feed Manager should ignore in the
Record source data before finding data. For example, if the first row in your source data
Count contains column names, you type "1" so that the Data Feed Manager ignores this
row and moves to the next row to start reading data.
Field Specifies the character that is used to identify a new field in your data source. If
Delimiter you select Other, type the character you want to use.
List Specifies the character that is used to identify a new list in your data source. If you
Delimiter select Other, type the character you want to use.
Leveled Specifies the character that is used to identify a new leveled list in your data
List source. If you select Other, type the character you want to use.
Delimiter
4. Click Apply.
Option 2: Define the XML format

2. In the Navigation Method list, select XML File Iterator.

3. In the XML File Definition section, select Transform.
4. In the XML File Definition section toolbar, click Load Transform.
on XML formatting guidelines and samples, see the appendix "XML Formatting Used in Field
Results and Input" in the RSA Archer Web Services API Reference Guide that you can
download from the RSA Archer Community.


6. Click OK.
7. Click Apply.
Option 3: Define the JSON format
JSON File Iterator
The JSON Iterator is supported for the File, FTP, and HTTP transporters. JSON processing only
supports the Single Data file type.
Requirements
The following requirements apply to using the JSON Iterator:

l XLST input is a required field.
l A source file can be either a valid JSON or JSON enclosed in XML tags.
The following requirements apply to the XML input:

l For JSON that is not enclosed in the XML node, input is added inside the <root> node. Characters
are encoded according to the XML specifications.
l For JSON that is enclosed in the XML node, input must be coded according to the XML
specifications.
Examples
The following examples show that a source file can be either a valid JSON or JSON enclosed in
XML tags:
l Valid JSON
{"Assets": [ { "Asset": {"Name": "IP Phone","Description": "<my description>","Status":
"Active"}}, { "Asset": {"Name": "Laptop","Description": "My Laptop","Status": "Active"}}] }
l JSON enclosed in XML tags
<data> {"Assets": [ { "Asset": {"Name": "IP Phone","Description": "<my
description>","Status": "Active"}}, { "Asset": {"Name": "Laptop","Description": "My
Laptop","Status": "Active"}}] }</data>


2. In the Navigation Method list, select JSON File Iterator.
Note: JSON Iterator only supports the Single Data file type.
3. In the JSON File Definition section toolbar, click Load Transform.

5. Click OK.
6. Click Apply.

feed types.
Data options



3. Select the file that contains the data you want to load and click Open.
definition.
6. Click Apply.


apply a filter.

source data.
bar.
8. Click Apply.


5. Click Apply.


reference, or CAST.


want to remove.
6. Click Apply.



the record.

c. Click OK.
form field types.

identifier.
8. Click Apply.


application.
Option Description
or questionnaire.

target application.
Option Description
option.
Inactive.
the Status field.
4. Click Apply.





Field Description
45 minutes.

Time
Zone
3. Click Save.

Adding Transport Only File Data Feeds

c. Click Add New.

3. Click OK.
Option Description
process the data.


user account.
Only data feed.
8. Click Apply.

2. From the Transport Method list, select File Transporter.

3. In the Transport Configuration section, complete the configuration options.
Option Description
Note: The JSON Iterator only supports the Single Data File type.
can filter which files to process by entering a standard file or regular expression in
the File Filter field.

Option Description
Zip File References a ZIP file. This option requires you to specify a path in the Path field.
When filtering files, the parent directory is searched and then the file inside the
selected ZIP files is searched based on the filter. Use the Encryption Type list to
identify the encrypted file type. If the encrypted ZIP file is password protected,
enter the password in the Password field.
File Filtering is a single file filter or a list of file filters separated by semicolons.
The data feed only processes data included in the File Filter. The File Filter must
contain the ZIP or CSV file and all related files. Do not include files for
Attachment fields.
Note: All file names within a ZIP file must consist of characters from the code
page 437 character set.
information when the integration is complete.
complete.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description
handle the local copy of the source data when the integration is complete.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


7. Click Apply.



Field Description
45 minutes.

Time
Zone
3. Click Save.

FTP Data Feeds

The FTP data feed enables you to pull data files using the FTP protocol, and insert that data in its
raw or manipulated state into the RSA Archer instance.
The source files can be delimited text files or XML files. You can use an XSLT to transform your
XML data into a consumable format.
FTP Transporter
The FTP Transporter allows a file from an external source with unknown contents and integrity to be
brought onto RSA Archer servers. This flexibility introduces a potential attack vector where the
RSA recommends that you disable the FTP Transporter if a business need does not require its use. If
you must use the FTP Transporter, RSA recommends selecting Zip File as the File Type and using
encryption by selecting an Encryption Type.
An FTP Transporter data feed can be configured as a standard or transport data feed type.
Use the following tasks to add an FTP data feed:
l Adding Standard FTP data feeds
l Adding Transport Only FTP data feeds
Adding Standard FTP Data Feeds


3. Click OK.


command.

Option Description
failed to run.
Option Description

Option Description
selected:
ignored.
before upgrading.
10. Click Apply.

2. From the Transport Method list, select FTP Transporter.

3. In the Transport Configuration section, select the File Type.

Option Description
Note: The JSON Iterator only supports single data files.
can filter which files to process by entering a standard file expression in the File
Filter field.
Zip File References a .zip file. The .zip file can be a single, compressed data source file or
a collection of files. This option requires you to specify a path in the Path field. You
can filter which files from the .zip file to process by entering a standard file
expression in the File Filter field. Use the Encryption Type list to identify the
encrypted file type, if any. If the encrypted .zip file is password protected, enter the
password in the Password field.
4. (Optional) In the Proxy field, select the applicable proxy option.

Option Description
5. (Optional) Complete the applicable fields if you selected a proxy option.

Field Description
Name Specifies the proxy server name.

Field Description
Port Specifies the port ID of the proxy server.
Domain Specifies the domain of the proxy server.
User Specifies the name of the user who has credentials for logging on to the proxy
Name server.
Password Specifies the password of the credentialed user.
information when the integration is complete. In the On Success field, select one of the following
options:
complete.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description
handle the local copy of the source data when the integration is complete. In the On Success
field, select one of the following options.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


9. Click Apply.



Format Description
Identifier
Sequence

Format Description
Delimiter
Delimiter
4. Click Apply.




6. Click OK.
7. Click Apply.
JSON File Iterator
Requirements


specifications.
Examples
XML tags:
l Valid JSON



5. Click OK.
6. Click Apply.

feed types.
Data options



definition.
6. Click Apply.


apply a filter.

source data.
bar.
8. Click Apply.


5. Click Apply.


reference, or CAST.


want to remove.
6. Click Apply.



the record.

c. Click OK.
form field types.

identifier.
8. Click Apply.


application.
Option Description
or questionnaire.

target application.
Option Description
option.
Inactive.
the Status field.
4. Click Apply.





Field Description
45 minutes.

Time
Zone
3. Click Save.

Adding Transport Only FTP Data Feeds

c. Click Add New.

3. Click OK.
Option Description
process the data.


user account.
Only data feed.
8. Click Apply.

2. From the Transport Method list, select FTP Transporter.

3. In the Transport Configuration section, select the File Type.
Option Description
Note: The JSON Iterator only supports single data files.
can filter which files to process by entering a standard file expression in the File
Filter field.
Zip File References a .zip file. The .zip file can be a single, compressed data source file or
a collection of files. This option requires you to specify a path in the Path field. You
can filter which files from the .zip file to process by entering a standard file
expression in the File Filter field. Use the Encryption Type list to identify the
encrypted file type, if any. If the encrypted .zip file is password protected, enter the
password in the Password field.


Option Description

Field Description
Name server.
information when the integration is complete. In the On Success field, select one of the following
options:
complete.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


9. Click Apply.



Field Description
45 minutes.

Time
Zone
3. Click Save.

HTTP Data Feeds

The HTTP Transporter data feed enables you to execute a GET or POST to retrieve data from an
HTTP or HTTPS site. The data is inserted in its raw or manipulated state into the RSA Archer
instance.
The source files must be text delimited files or XML files. You can use an XSLT to transform your
XML data into a consumable format.
HTTP Transporter
The HTTP Transporter allows a file from an external source with unknown contents and integrity to
be brought onto RSA Archer servers. This flexibility introduces a potential attack vector where the
RSA recommends that you disable the HTTP Transporter if a business need does not require its use.
If you must use the HTTP Transporter, RSA recommends using HTTPS, selecting Zip File as the
File Type, and using encryption by selecting an Encryption Type.
An HTTP Transporter data feed can be configured as a standard or transport data feed type.
Weak ciphers disabled
Important: When weak ciphers have been disabled, data access from an external HTTP or HTTPS
site may be impacted. If data is from an external HTTP or HTTPS site, you must be able to access
that external site from the server running the services for the data feed to execute successfully.
For more information about disabling weak ciphers, see Host Hardening.
Use the following tasks to add an HTTP data feed:
l Adding Standard HTTP data feeds
l Adding Transport Only HTTP data feeds
Adding Standard HTTP Data Feeds



3. Click OK.
command.

Option Description
failed to run.


Option Description
selected:
ignored.
before upgrading.
10. Click Apply.


2. From the Transport Method list, select HTTP Transporter.

3. In the Transport Configuration section, the complete the File Type, Action Type, and File Filter
fields.
Available
Description
selections
Single Data References a single data file. This option requires you to specify a path in the
File Path field. You can filter which files to process by entering a standard file
expression in the File Filter field.
File series of data files. This option requires you to specify a path in the Path field.
You can filter which files to process by entering a standard file expression in the
File Filter field.
Zip File References a .zip file. The .zip file can be a single, compressed data source file
or a collection of files. This option requires you to specify a path in the Path
field. You can filter which files from the .zip file to process by entering a
standard file expression in the File Filter field. Use the Encryption Type list to
identify the encrypted file type, if any. If the encrypted .zip file is password
protected, enter the password in the Password field.
Get Uses the GET type of HTTP request. This type adds the parameters on the query
string.
Put Uses the POST type of HTTP request. This type includes the parameters as form
parameters on the request.
4. In the Logon Properties section, enter the applicable credentials for logging on to the HTTP site.


Option Description
Use Specifies whether the HTTP site allows public access or restricts access to the
Credentials data.
l Anonymous. Allows public access to the data.
l Specific. Restricts access to the data. From the Specify Credentials options,
specify from which authorized account to make the HTTP request, and enter
the credentials for the appropriate account.
Specify Specifies the authorized account that makes the HTTP request.
Credentials l Data Feed Service
l Other (when you select this option, you must specify the user name, password,
and domain.)
User Specifies the user name for a separate account to make request to the HTTP site.
Name
Password Specifies the password for a separate account to make request to the HTTP site.
Domain Specifies the domain for a separate account to make request to the HTTP site.
5. In the Data Request Properties section, complete the following fields.

Option Description
Data Specifies the uniform resource identifier (URI) of the HTTP or HTTPS site that
Request contains the data you want to import. This field also allows you to specify a port,
URI for example, http://company-server:8080/httpFeed/.
Header Specifies the key/value pair that may be required as part of your Get or Put
Parameters operation in Header Parameters.
To add another header parameter, click Add New. To remove a header
parameter, click in the row of that header parameter.
Post Data Specifies the posting data.

This field is available only if you have selected Put as the Action Type.
6. (Optional) In the Proxy Options field, select the applicable proxy option.


Option Description

Field Description
Name server.
Option Description
file. For information on using filename tokens when renaming files, see Filename
Tokens.


l If you have selected Nothing, continue to the next step.
l If you have selected Rename, enter the location and name of the new file you want to save in
the Destination File field.
10. Click Apply.



Format Description
Identifier
Sequence
Delimiter

Format Description
Delimiter
4. Click Apply.



6. Click OK.
7. Click Apply.

JSON File Iterator
Requirements


specifications.
Examples
XML tags:
l Valid JSON




5. Click OK.
6. Click Apply.



Source Description
Load Loads the contents at the target URL and detects the source schema from the
URL contents.
Using this option may trigger actions associated with accessing the target URL.
definition.
6. Click Apply.



apply a filter.
source data.
bar.
8. Click Apply.



5. Click Apply.

reference, or CAST.



want to remove.
6. Click Apply.


the record.


c. Click OK.
form field types.
identifier.
8. Click Apply.



application.
Option Description
or questionnaire.
target application.
Option Description
option.

Option Description
Inactive.
the Status field.
4. Click Apply.



Field Description
45 minutes.

Field Description

Time
Zone
3. Click Save.
Adding Transport Only HTTP Data Feeds

c. Click Add New.

3. Click OK.
Option Description
process the data.


user account.
Only data feed.
8. Click Apply.

2. From the Transport Method list, select HTTP Transporter.

3. In the Transport Configuration section, the complete the File Type, Action Type, and File Filter
fields.
Available
Description
selections
Single Data References a single data file. This option requires you to specify a path in the
File Path field. You can filter which files to process by entering a standard file
expression in the File Filter field.

Available
Description
selections
File series of data files. This option requires you to specify a path in the Path field.
You can filter which files to process by entering a standard file expression in the
File Filter field.
Zip File References a .zip file. The .zip file can be a single, compressed data source file
or a collection of files. This option requires you to specify a path in the Path
field. You can filter which files from the .zip file to process by entering a
standard file expression in the File Filter field. Use the Encryption Type list to
identify the encrypted file type, if any. If the encrypted .zip file is password
protected, enter the password in the Password field.
Get Uses the GET type of HTTP request. This type adds the parameters on the query
string.
Put Uses the POST type of HTTP request. This type includes the parameters as form
parameters on the request.
4. In the Logon Properties section, enter the applicable credentials for logging on to the HTTP site.
Option Description
Use Specifies whether the HTTP site allows public access or restricts access to the
Credentials data.
l Anonymous. Allows public access to the data.
l Specific. Restricts access to the data. From the Specify Credentials options,
specify from which authorized account to make the HTTP request, and enter
the credentials for the appropriate account.
Specify Specifies the authorized account that makes the HTTP request.
Credentials l Data Feed Service
l Other (when you select this option, you must specify the user name, password,
and domain.)
User Specifies the user name for a separate account to make request to the HTTP site.
Name

Option Description
Password Specifies the password for a separate account to make request to the HTTP site.
Domain Specifies the domain for a separate account to make request to the HTTP site.
5. In the Data Request Properties section, complete the following fields.

Option Description
Data Specifies the uniform resource identifier (URI) of the HTTP or HTTPS site that
Request contains the data you want to import. This field also allows you to specify a port,
URI for example, http://company-server:8080/httpFeed/.
Header Specifies the key/value pair that may be required as part of your Get or Put
Parameters operation in Header Parameters.
To add another header parameter, click Add New. To remove a header
parameter, click in the row of that header parameter.
Post Data Specifies the posting data.

This field is available only if you have selected Put as the Action Type.
6. (Optional) In the Proxy Options field, select the applicable proxy option.
Option Description

Field Description

Field Description
Name server.
Option Description
Tokens.

l If you have selected Nothing, continue to the next step.
l If you have selected Rename, enter the location and name of the new file you want to save in
the Destination File field.
10. Click Apply.




Field Description
45 minutes.

Time
Zone
3. Click Save.

JavaScript Data Feeds

The JavaScript data feed enables you to execute a JavaScript file, and insert that data into the RSA
Archer instance if the result of the script is a data set.
The source files can be delimited text files, JSON files, or XML files. You can use an XSLT to
transform your data into a consumable format.
JavaScript Transporter
The JavaScript Transporter can be used to push data from RSA Archer to somewhere else, or it can
manipulate data in an external system. To do so, return an empty data set to RSA Archer.
Note: RSA Support is not responsible for data interaction with third party resources.
A JavaScript Transporter data feed can be configured as a standard or transport only data feed type.
Important: Before you can run a JavaScript Data Feed, ensure that your JavaScript Transport
Settings in the RSA Archer Control Panel have been set. For more information, see "Configuring
JavaScript Transporter Settings" in the RSA Archer Control Panel Help.
Use the following tasks to add a JavaScript data feed:

l Adding Standard JavaScript data feeds
l Adding Transport Only JavaScript data feeds
Adding Standard JavaScript Data Feeds


3. Click OK.

command.

Option Description
failed to run.
Option Description

Option Description
selected:
ignored.
before upgrading.
10. Click Apply.

2. From the Transport Method list, select JavaScript Transporter.

3. In the Transport Configuration section, select the JavaScript file you want to upload.
a. From the Transport Configuration section, click Upload.
b. In the Upload JavaScript File dialog, click Add New.
c. Navigate to and select the file you want to upload, and click Open.
d. In the Upload JavaScript File dialog, click OK.
Important: If the JavaScript Transporter has been set up in the RSA Archer Control Panel to
only allowed digitally signed JavaScript files from trusted sources, only digitally signed
JavaScript files coming from trusted sources can be selected.
Note: RSA Archer provides a JavaScript sample in the Transport Configuration section,
describing each part of the script, and how to configure each part for your environment.
4. (Optional) In the Custom Parameters section, enter the custom parameters you want to reference
within the selected JavaScript file.
a. In the Customer Parameters section, click Add New.
b. In the Key field, enter the variable name you want to use.
c. In the Type field, select Plain Text or Protected.
Note: Protected mode encrypts the value in the database and masks it in the UI. RSA
recommends using the Protected type for sensitive information.
d. In the Value field, enter the value you want to assign to the key.
e. If you want to add more customer parameters, repeat steps a - d.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


7. Click Apply.



Format Description
Identifier
Sequence

Format Description
Delimiter
Delimiter
4. Click Apply.




6. Click OK.
7. Click Apply.
JSON File Iterator
Requirements


specifications.
Examples
XML tags:
l Valid JSON



5. Click OK.
6. Click Apply.

feed types.
Data options



definition.
6. Click Apply.


apply a filter.

source data.
bar.
8. Click Apply.


5. Click Apply.


reference, or CAST.


want to remove.
6. Click Apply.



the record.

c. Click OK.
form field types.

identifier.
8. Click Apply.


application.
Option Description
or questionnaire.

target application.
Option Description
option.
Inactive.
the Status field.
4. Click Apply.





Field Description
45 minutes.

Time
Zone
3. Click Save.

Adding Transport Only JavaScript Data Feeds

c. Click Add New.

3. Click OK.
Option Description
process the data.


user account.
Only data feed.
8. Click Apply.

2. From the Transport Method list, select JavaScript Transporter.

3. In the Transport Configuration section, select the JavaScript file you want to upload.
a. From the Transport Configuration section, click Upload.
b. In the Upload JavaScript File dialog, click Add New.
c. Navigate to and select the file you want to upload, and click Open.
d. In the Upload JavaScript File dialog, click OK.
Important: If the JavaScript Transporter has been set up in the RSA Archer Control Panel to
only allowed digitally signed JavaScript files from trusted sources, only digitally signed
JavaScript files coming from trusted sources can be selected.
Note: RSA Archer provides a JavaScript sample in the Transport Configuration section,
describing each part of the script, and how to configure each part for your environment.
4. (Optional) In the Custom Parameters section, enter the custom parameters you want to reference
within the selected JavaScript file.
a. In the Customer Parameters section, click Add New.
b. In the Key field, enter the variable name you want to use.

c. In the Type field, select Plain Text or Protected.
Note: Protected mode encrypts the value in the database and masks it in the UI. RSA
recommends using the Protected type for sensitive information.
d. In the Value field, enter the value you want to assign to the key.
e. If you want to add more customer parameters, repeat steps a - d.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


7. Click Apply.



Field Description
45 minutes.

Time
Zone
3. Click Save.

Mail Monitor Data Feeds

The Mail Monitor Transporter data feed enables you to monitor email accounts using mail fields or
plain text body XML to specific fields in an application. By pulling email content into RSA Archer,
you can assess and process disparate email information, then create and document clear action plans
based on the information.
When integrating an application or questionnaire with a Mail Monitor data feed, you can do the
following:
l Insert email content into an application or questionnaire.
l Retrieve email messages, such as vulnerability alerts and open source monitoring alerts.
l Define field mapping from email content to content records.
l Configure mail protocols, mail servers, email accounts, and scheduling intervals.
Note: RSA recommends that you configure an SSL connection to connect with the email server.
feed must have a service account with valid logon credentials.
Use the following tasks to add a mail monitor data feed:

l Adding Standard Mail Monitor data feeds
l Adding Transport Only Mail Monitor data feeds
Adding Standard Mail Monitor Data Feeds


3. Click OK.

command.

Option Description
failed to run.
Option Description

Option Description
selected:
ignored.
before upgrading.
10. Click Apply.

2. From the Transport Method list, select Mail Monitor Transporter.

3. In the Transport Configuration section, enter the protocol and mail server credentials.
Option Description
Protocol Specifies which protocol retrieves emails from your mail server.
l POP3
l IMAP4
l Exchange
SSL Specifies whether there is an encrypted link between the browser and mail server
Connection through Secure Sockets Layer.
Port Specifies the port number as the communications endpoint for communicating
between the mail server and protocol type.
Mail Box (for IMAP4 only) Specifies the name of the mail folder into which emails are
Name received, for example Inbox.
Mail Specifies the name of the mail server, for example, https://usa.mailserver/mail/.
Server
User Specifies the user name of the account used for logging in to the mail server.
Name
Password Specifies the password for the user account used for logging in to the mail server.
Retrieval Specifies whether the email message is deleted or copied on the mail server.
Method l Delete. Remove the email messages from the mail server when retrieving.
l Leave Copy. Leave a copy of the email messages on the mail server when
retrieving.
Message Specifies whether the data retrieved from the email is contained in standard mail
Data Type fields or the body of the message.
l Use the Mail Fields option for basic fields like To, From, Cc, Date, Subject,
Body Text, Body HTML, Return Path, MIME Version, and Message Id.
l Use Content Only or a custom transform to process XML data in the email
body.

Option Description
Filter Specifies the filters for retrieving data from the email message. A filter allows
the checking of any header field or the body. Examples:
l Body like "mortgage rates*"
l To = "bankrates@abc.com"
The following are general rules for forming filter expressions:
l Use any Multipurpose Internet Mail Extension (MIME) header field (not case-
sensitive).
l Enclose literal strings in double quotation marks (not case-sensitive).
l Match the * wild card character with zero or more occurrences of any
character.
l Include parentheses to control precedence.
l Use the logical operators AND, OR, and NOT (not case-sensitive).
l Use the comparison operators =, <, >, <=, >=, and <>.
l Use the string comparison operators CONTAINS, LIKE (not case-sensitive).
4. (Optional) In the Post-Processing -Local Copy section, determine how the data feed should
Option Description
Tokens.


6. Click Apply.






6. Click OK.
7. Click Apply.

feed types.
Data options



definition.
6. Click Apply.


apply a filter.
source data.
bar.
8. Click Apply.



5. Click Apply.

reference, or CAST.



want to remove.
6. Click Apply.



the record.

c. Click OK.
form field types.
identifier.
8. Click Apply.



application.
Option Description
or questionnaire.
target application.
Option Description
option.

Option Description
Inactive.
the Status field.
4. Click Apply.



Field Description
45 minutes.

Field Description

Time
Zone
3. Click Save.
Adding Transport Only Mail Monitor Data Feeds

c. Click Add New.

3. Click OK.
Option Description
process the data.


user account.
Only data feed.
8. Click Apply.

2. From the Transport Method list, select Mail Monitor Transporter.

3. In the Transport Configuration section, enter the protocol and mail server credentials.
Option Description
Protocol Specifies which protocol retrieves emails from your mail server.
l POP3
l IMAP4
l Exchange

Option Description
SSL Specifies whether there is an encrypted link between the browser and mail server
Connection through Secure Sockets Layer.
Port Specifies the port number as the communications endpoint for communicating
between the mail server and protocol type.
Mail Box (for IMAP4 only) Specifies the name of the mail folder into which emails are
Name received, for example Inbox.
Mail Specifies the name of the mail server, for example, https://usa.mailserver/mail/.
Server
User Specifies the user name of the account used for logging in to the mail server.
Name
Password Specifies the password for the user account used for logging in to the mail server.
Retrieval Specifies whether the email message is deleted or copied on the mail server.
Method l Delete. Remove the email messages from the mail server when retrieving.
l Leave Copy. Leave a copy of the email messages on the mail server when
retrieving.
Message Specifies whether the data retrieved from the email is contained in standard mail
Data Type fields or the body of the message.
l Use the Mail Fields option for basic fields like To, From, Cc, Date, Subject,
Body Text, Body HTML, Return Path, MIME Version, and Message Id.
l Use Content Only or a custom transform to process XML data in the email
body.

Option Description
Filter Specifies the filters for retrieving data from the email message. A filter allows
the checking of any header field or the body. Examples:
l Body like "mortgage rates*"
l To = "bankrates@abc.com"
The following are general rules for forming filter expressions:
l Use any Multipurpose Internet Mail Extension (MIME) header field (not case-
sensitive).
l Enclose literal strings in double quotation marks (not case-sensitive).
l Match the * wild card character with zero or more occurrences of any
character.
l Include parentheses to control precedence.
l Use the logical operators AND, OR, and NOT (not case-sensitive).
l Use the comparison operators =, <, >, <=, >=, and <>.
l Use the string comparison operators CONTAINS, LIKE (not case-sensitive).
Option Description
Tokens.


6. Click Apply.



Field Description
45 minutes.

Time
Zone
3. Click Save.

RSS Data Feeds

The RSS data feed provides the ability to retrieve records from a configured RSS feed into an RSA
Archer instance.
Note: RSA recommends that you rely on HTTPS for secure communications between the web
server and the RSS transporter. RSA also recommends that you set the RSS iView Content Handling
option in the RSA Archer Control Panel to Scrub or Encode to address this issue.
feed must have a service account with valid logon credentials.
Use the following tasks to add an RSS data feed:

l Adding Standard RSS data feeds
l Adding Transport Only RSS data feeds
Adding Standard RSS Data Feeds


3. Click OK.

command.

Option Description
failed to run.
Option Description

Option Description
selected:
ignored.
before upgrading.
10. Click Apply.

2. From the Transport Method list, select RSS Transporter.

3. In the Transport Configuration section, enter the URL and credentials of the RSS feed for
retrieving source data.
Option Description
URL Specifies the URL for the RSS feed.
Retrieval Specifies the number of records that will be retrieved from the RSS feed.
Count
Retrieval Units Specifies how data is contained in the RSS feed, for example, Days or
Articles.
User Name Specifies the name of the user account used for retrieving data.
Password Specifies the password of the user account used for retrieving data.

Option Description

Field Description
Name server.

Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


l If you selected Nothing, continue at the next step.
8. Click Apply.






6. Click OK.
7. Click Apply.

feed types.
Data options



Source Description
URL contents.
definition.
6. Click Apply.



apply a filter.
source data.
bar.
8. Click Apply.



5. Click Apply.

reference, or CAST.



want to remove.
6. Click Apply.



the record.

c. Click OK.
form field types.
identifier.
8. Click Apply.



application.
Option Description
or questionnaire.
target application.
Option Description
option.

Option Description
Inactive.
the Status field.
4. Click Apply.



Field Description
45 minutes.

Field Description

Time
Zone
3. Click Save.
Adding Transport Only RSS Data Feeds

c. Click Add New.

3. Click OK.
Option Description
process the data.


user account.
Only data feed.
8. Click Apply.

2. From the Transport Method list, select RSS Transporter.

3. In the Transport Configuration section, enter the URL and credentials of the RSS feed for
retrieving source data.
Option Description
Count

Option Description
Articles.

Option Description

Field Description
Name server.


Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


8. Click Apply.



Field Description
45 minutes.

Time
Zone
3. Click Save.

Threat Data Feeds

Threat data feeds aggregate data from external data feed sources into RSA Archer on a dynamic and
scheduled basis. The Data Feed Manager supports iDefense and DeepSight threat feeds.
RSA recommends that you rely on HTTPS for secure communications between the web server and
the threat feed. For information on enabling HTTPS, see "Web Server Communication" in the RSA
Archer Platform Security Configuration Guide or in the RSA Archer Online Documentation.
Supported DeepSight feed types

The following table describes the supported Deep-
Sight feed types.
Transporter Supported Feeds
DeepSight Transporter 2.0 Vulnerabilities
DeepSight Transporter 4.0 Security Risk

Vulnerabilities SCAP
Note: Data feeds using the DeepSight 2.0 transporter will soon become unusable because of
deprecation by Symantec. From the RSA Archer Community on RSA Link, download a copy of the
data feeds that use the DeepSight 4.0 transporters and import them.
Supported iDefense threat feed types

l Vulnerabilities
l Geopolitical Threat
RSA Archer provides a configuration file to establish a connection between an iDefense or

DeepSight threat feed and your instance of RSA Archer. Each of the threat feeds can be quickly
integrated with your instance of RSA Archer by importing the configuration file.
For a new threat feed, the first run is the baseload run, which should take place before regular threat
feeds run.
l For DeepSight threat feeds, the baseload runs as one job.
l For iDefense, the baseload runs in a series of jobs that pull up to 1,000 alerts at a time. Baseload
runs may take a long time to complete—typically under 14 days.
Before you begin: Visit the Integration Exchange

Before you begin a new integration project with Data Feed Manager, visit the RSA Archer
Community on RSA Link. In the Integrations category, you can review prebuilt integration packages

from RSA Archer and third-party providers such as Qualys, nCircle, and Sendmail.
New integration packages are available regularly, and each package includes the following items:
l Data feed configuration file
l Target application(s)
l Any supporting files (such as an .xslt file)
When you download an integration package from the RSA Archer Community on RSA Link, you can
import the configuration file directly into the Data Feed Manager and, if necessary, modify the
configuration. You can also import the target applications into the RSA Archer environment and
modify the applications through Application Builder.
Adding DeepSight Threat Data Feeds
You can add a DeepSight threat data feed to integrate source data with an RSA Archer application.
Threat data feeds can only be initiated from a standard data feed type.
Important: Only one version of the DeepSight transporter can be active at a time. If you try to
activate a threat feed that uses one of the two DeepSight transporters, and another threat feed that
uses the other DeepSight transporter is already active, a warning message appears. To continue
activating this threat feed, set the Status for the other DeepSight threat feed to Inactive.
Supported DeepSight feed types
The following table describes the supported Deep-

Sight feed types.
Transporter Supported Feeds
DeepSight Transporter 2.0 Malicious Code

Vulnerabilities
DeepSight Transporter 4.0 Security Risk

Vulnerabilities SCAP


3. Click OK.
command.

Option Description
failed to run.


Option Description
selected:
ignored.
before upgrading.
10. Click Apply.


2. From the Transport Method list, select the applicable transporter: DeepSight Transporter 2.0 or
DeepSight Transporter 4.0.
3. In the Transport Configuration section, enter the URL and credentials for retrieving source data.
Option Description
Count
Articles.

Option Description

Field Description

Field Description
Name server.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


8. Click Apply.






6. Click OK.
7. Click Apply.

feed types.
Data options



Source Description
URL contents.
definition.
6. Click Apply.



apply a filter.
source data.
bar.
8. Click Apply.



5. Click Apply.

reference, or CAST.



want to remove.
6. Click Apply.



the record.

c. Click OK.
form field types.
identifier.
8. Click Apply.



application.
Option Description
or questionnaire.
target application.
Option Description
option.

Option Description
Inactive.
the Status field.
4. Click Apply.



Field Description
45 minutes.

Field Description

Time
Zone
3. Click Save.
Adding iDefense Threat Data Feeds
Complete this task to add a iDefense threat data feed for integrating source data with an
RSA Archer application. Threat data feeds can only initiated from a standard data feed type.
Supported iDefense threat feed types
l Vulnerabilities
l Geopolitical Threat


3. Click OK.

command.

Option Description
failed to run.
Option Description

Option Description
selected:
ignored.
before upgrading.
10. Click Apply.

2. From the Transport Method list, select the applicable transporter: DeepSight Transporter 2.0 or
DeepSight Transporter 4.0.

3. In the Transport Configuration section, enter the URL and credentials for retrieving source data.
Option Description
Count
Articles.

Option Description

Field Description
Name server.

Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1
Example 2

Option Description


8. Click Apply.






6. Click OK.
7. Click Apply.

feed types.
Data options



Source Description
URL contents.
definition.
6. Click Apply.



apply a filter.
source data.
bar.
8. Click Apply.



5. Click Apply.

reference, or CAST.



want to remove.
6. Click Apply.



the record.

c. Click OK.
form field types.
identifier.
8. Click Apply.



application.
Option Description
or questionnaire.
target application.
Option Description
option.

Option Description
Inactive.
the Status field.
4. Click Apply.



Field Description
45 minutes.

Field Description

Time
Zone
3. Click Save.
Importing Threat Data Feeds
Before you begin

Before you work with threat feeds in RSA Archer, verify that you have the following:
l License to one of the supported threat feed providers, including a user name and password.
l License to the RSA Archer Threat Management solution master.
l A user account for RSA Archer with full access rights to the Data Feed Manager.
l Access to the RSA Archer Community on RSA Link to download the threat feed package file.
Task 1: Import a data feed

b. Under Integration, click Manage Data Feeds.
2. Click Import.
3. In the Open dialog box, click the configuration file and select its RSA Archer version number.
4. Click Open.
Task 2: Review and configure the imported data feed

1. From the Data Feeds list, select the data feed that you imported.
2. Click the General tab and go to the Feed Information section.
3. In the User Name field, select the user account that is appropriate for your threat feed.
4. Verify that the imported values match the following values.

The following table describes the values.

Imported
Section Field Action
Value
Feed Feed Type Standard Do not change

Information
Notifications Send Blank Change this value only after the threat feed loading
Notifications the data in to your RSA Archer completes.
After this completes and whenever the threat feed
runs, existing data is deleted or updated, and new
data is inserted.
Additional Data imported Do not change

Properties Validation data
5. Click the Transport tab and do not change the transport method or configuration.
6. Select the rules for post-processing.
Post-Processing options
complete.
Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1

Example 2

Option Description
Post-Processing - Local Copy options

Option Description

Option Description
file.
the file.
Filename tokens
extension.
Example 1


Option Description
Example 2

Important: Do not change the navigation method or file definition on the Navigation tab.
7. Click the Source Definition tab, and do not edit or remove fields.
Imported
Tab Field Action
Value
Source Source imported Do NOT edit or remove imported fields.

Data Fields data Add new calculated, static text, or lookup translation fields
as needed. For information on Manipulating Data, see the
Manipulating Data in the Source File of Standard Data
Feeds topic in the RSA Archer Online Documentation.
Data Data imported Do not change

Filter Filters data
Tokens Data imported Do not change

Validation tokens l The token for DeepSight threat feeds identifies the last
sequence number retrieved.
l The token for iDefense identifies the date from which the
threat feed begins retrieving records.
8. Click the Data Map tab, and verify and map data if you added new source fields.


Imported
Tab Field Action
Value
Field Map Source Field mappings If you added any source fields, map
Fields/Target for default these fields to the target application.
Fields sources files For DeepSight threat feeds, do the
following:
1. Change the mapping of the Patch
ID.
2. Create a numeric field for the Patch
ID in the Patches application called
Patch ID Numeric.
3. Map the field to the Patch ID in the
threat feed, and assign the field as a
key field.
4. Remove patch Name as a key field.
Key Field Key Fields imported key Do not change

Definitions fields Sub-forms do not have keys defined by
default and do not need to have keys
added.
Update/Archive Update Options imported data Do not change

and Archive
Options
9. Click the Schedule tab, verify that the imported values are appropriate for the data feed. If not,
make the necessary changes.
10. Click Save.
Data Publications
The Data Publication Manager allows users to extract data from RSA Archer and load it into
external systems for data analysis and modeling. To build a data publication, select the solution
whose data you want to publish, provide credentials for the database where the data is to be loaded,
and provide a schedule for automatically executing the publication. You can view the detail history
of data publication jobs, including detailed information on errors or records tried or failed.

Data publication process

The data publication process converts records residing in system applications into a relational
database structure. Applications, questionnaires, and sub-forms are created as tables in the
destination database and maintain their linkages, and fields are represented as columns in the table
of their parent entity (application, questionnaire, or sub-form).
When generating the names of columns and tables, the data publication process uses the Alias value
for applications, questionnaires, sub-forms, fields, and values lists. Using the alias values allows
administrators more flexibility in referencing a separate identifier than the display name and
provides a method for ensuring naming consistency, independent of the display name.
Supported field types

The following field types are supported for data publication.
l Attachment l Record Permissions
l Cross-Reference/Related Records (Upon l Record Status
publication, reference field values display a link to l Sub-Form (Upon publication, sub-form
the table containing the sub-form data.) field values display a link to the table
l Date containing the sub-form data.)
l External Links l Text
l First Published Date l Tracking ID (Prefixes and suffixes can
l Image be published.)
l IP Address l User/Groups List
l Last Updated Date l Values List (Fields that display the value
"No Selection" contain no value in the
l Matrix published version.)
l Numeric (Prefixes and suffixes cannot be
published.)
Data publication database output naming

The following concepts are important to understand before explaining the naming conventions:
l Any field type that can contain multiple values creates a separate table (Attachments, External
Links, Image, Subform, Users/Groups, and Values List). All other field types store their
information in the main table.
l The table or column names of the destination database use the alias names of their associated
solutions (applications, questionnaires, and subforms) and fields.

For example, assume that you have an application in the solution with an alias name of AppA. This
application contains an attachment field called AttachIt, a text field called TextIt, and a Values List
field called ValueIt. When DPS runs, 3 tables are created. The first one is the main table and the
table name would be AppA. This table contains columns, such as TextIt. A second table is created
for the attachment information, and it would be called AppA_AttachIt. A third table would also be
created for the Values List field, and it would be called AppA_ValueIt.
Subforms are a little more complex—subforms are contained within an application, but have their
own set of complex fields. For example, assume that you have a subform in AppA called
MySubform. This subform contains an attachment field called SubformAttachIt, and a text field
called SubformTextIt. In this case, two more tables would be created: one called AppA_
MySubform, which contains the text field (and a few other fields), and the second table would be for
the subform attachment content, and it would be called AppA_MySubform_SubformAttachIt.
Cross References have what is called a "join" table or "link" table. This is a table that contains the
content IDs from the two applications that are linked together. The table names of the join tables are
a combination of the two applications.
Note: This table only exists if both applications that are part of the relationship are included in the
solution being published.
Note: Calculated fields publish the current value of the field, not the calculation formula.
Adding Data Publications

From the Frequency list, select the frequency for the data publication from the options in the fol-
lowing table and complete setting up the schedule.
Frequency Description
Daily Select the Start Time and the Start Date for the publication. In the Every field,
select how often the data publication should run. For example, if you select 15, the
data publication executes every 15 days.
Weekly Select the Start Time and the Start Date for the publication. In the Every field,
data publication executes every 5 weeks. From the Weekday list, specify on which
day of the week you want the data publication to execute.
Monthly Select the Start Time and the Start Date for the publication. In the Every field,
data publication executes every 5 months. From the Execute On list, select on
which day of the month you want the data publication to execute. From the
Weekday list, select on which day of the week you want the data publication to
execute.

Add a data publication

1. Go to the Manage Data Publications page.

b. Under Integration, click Data Publications.

l To select new settings for a data publication, select Create a new Data Publication from
scratch.
l To use the settings of an existing data publications as a starting point, select Copy an existing
Data Publication and select the existing data publication from the Existing Data Publications
list.
3. Click OK.
5. From the Solution list, select the solution from which the data is to be published to the external
database.
6. Click the Connection tab.
7. From the Publication Target list, select the database type: SQL Server Database or Oracle
Database.
8. In the Connection String field, enter a connection string.
Example: Connection string
For the data publication to execute successfully, the server responsible for running the data
publication must have the required network access to the database.
The following table describes the connection strings.
Data
Connection String
Base
SQL l Use this syntax to display the password in plain text in the Connection String field:
Server=ServerName;Database=DatabaseName;UID=UserName;Pwd=Pass
word
l Use this syntax to pull the password from the Password field and make it secure:
Server=ServerName;Database=DatabaseName;UID=UserName;Pwd=
{Password}
Oracl Data Source=[name];User Id=[userID];Password={password}

e

The password to the target database can be entered in either the Password field or the
Connection String field as a token as shown in the previous step. When using a token, the
{Password} token in the connection string is replaced by the password entered in this field when
the connection string is submitted.
9. (Optional) In the Password field, enter a password if you have not included it in the connection
string.
10. (Optional) In the Text Connection field, click Test to test the connection to the target database.
Changing the Status of a Data Publication


b. Under Integration, Data Publications.
c. Select the data publication.
2. From the Status field, select Active or Inactive.

Clearing the Data Publication Job History

You can clear the history from jobs in a data publication.
1. Go to the data publication that you want to update.

2. In the Actions column if the publication you want to update, click .

3. Click Clear Job History.


l To delete the history, select the checkbox next to the Started column for the jobs you want to
delete the history, and click OK.
l To clear all history for all jobs, select Clear All History.
5. Click OK when prompted.
Configuring Connection Parameters for Data Publications

Connection parameters specify which database, user, and password, are added to a data publication.
1. Go to the Connection tab of the data publication that you want to update.

d. Click the Connection tab.
2. From the Publication Target list, select the type of database where the information is to be
published.
3. In the Connection String field, enter the connection string to the database. To use the value
entered for the password, you can enter the password token by entering the following syntax:
Example: Connection string

For the data publication to execute successfully, the server responsible for running the data
publication must have the required network access to the database.
The following table describes the connection strings.
Data
Connection String
Base
SQL l Use this syntax to display the password in plain text in the Connection String field:
Server=ServerName;Database=DatabaseName;UID=UserName;Pwd=Pass
word
l Use this syntax to pull the password from the Password field and make it secure:
Server=ServerName;Database=DatabaseName;UID=UserName;Pwd=
{Password}
Oracl Data Source=[name];User Id=[userID];Password={password}

e

The password to the target database can be entered in either the Password field or the
Connection String field as a token as shown in the previous step. When using a token, the
{Password} token in the connection string is replaced by the password entered in this field when
the connection string is submitted.
4. In the Password field, enter the password that the system uses when accessing the database.
5. Click Apply.
6. Click Test in the Test Connection field.
Publishing Data Publications Immediately

You can publish publications immediately instead of waiting for the publishing schedule.
1. Go to the Schedule tab of the data publication that you want to update.

2. In the Publish field from the Immediate Processing section, click Run Update Publication Now.
Setting the Data Publications Schedule

1. Go to the Schedule tab of the data publication that you want to update.

2. From the Frequency list, select the frequency for the data publication from the following options
and complete setting up the schedule.
3. From the Time Zone list, select the current time zone for the data publication.


Viewing the Data Publication Job History

The Run Detail box contains Statistics and Messages tabs. The Statistics tab shows the entity, rows
processed, status, and start date and time. The Messages tab shows the job activity, type, and date
and time of the activity.
1. Go to the Manage Data Publications page.

2. In the Actions column of the data publication that you want to view, click the Execution History
icon.
3. In the Status column, view the status to determine which job ran successfully or failed.
4. In the Actions column of the job that you want to view, click the Run Details icon.
5. When you are finished viewing the history, close the Run Detail dialog box.
6. Close all other open dialog boxes and pages.
API Integration
Web Services are an industry-standard way of integrating web-based or Internet-connected
applications using open standard protocols, such as Extensible Markup Language (XML) and Simple
Object Access Protocol (SOAP).
The RSA Archer Web Services API is a collection of web services that provide a programmatic
interface for interacting with RSA Archer. Each web service supports multiple methods that can be
used together to automate the exchange of information between RSA Archer and an external
application.
The following table describes the classes for the available web services.
Class Description
Access Provides programmatic access to the Access Control feature, such as creating users
Control and managing security parameters.
Access Provides programmatic access to options relating to managing access roles.

Role

Class Description
Field Enables you to manage and configure the values lists used in the applications,
questionnaires, and sub-forms.
General Enables you to create and terminate Web Services API user sessions.
Module Provides programmatic access to module information.
Record Enables you to manipulate content records in content applications.
Search Provides programmatic access to the search features of RSA Archer.
The API Integration Manager in the Integration feature offers links to download Web Services
Description Language (WSDL) files and to the Web Services API code generator to help you more
efficiently format your code to integrate applications with services. From the API Integration page,
you can also download the Web Services API Reference Guide and connect to the Web API
Development discussion forum via the Archer Community.
For more information on the RSA Archer Web Services API, see the RSA Archer Web Services API
Reference Guide, which you can access from the RSA Archer Community on RSA Link, at
https://community.rsa.com/community/products/ArcherGRC. This guide documents each available
web service and provides XML formatting guidelines and samples. If you do not have access to the
RSA Archer Community on RSA Link site, but want to obtain this guide, contact the support team at
archersupport@rsa.com.
Generating API Code
The Web Services API code generator automates the creation of a set of human-readable variables
that facilitate WebAPI development in CSharp (C#). Using the Web Service API Code Generator
page, you can generate source code that contains the Globally Unique Identifier (GUID) for each
supported element in your application.
The following application elements are included in a code generation:
l Application GUID
l Field GUIDs
l Field GUIDs for fields residing in related sub-forms
l Values list value GUIDs for Values List fields residing in the application or the related sub-forms
You can download this source code as a CSharp (.cs) file. You can then import the file into a Visual
Studio project.
Reference Guide on the RSA Archer Community on RSA Link at
https://community.emc.com/community/connect/grc_ecosystem/rsa_archer. This guide documents
each available web service and provides XML formatting guidelines and samples.

Generate API code

1. Go to the API Integration Manager page.

b. Under Integration, click Obtaining API Resources.
2. Click Generate API Code.

3. From the Application list, select the application for which you want to generate the source code.
4. Click Download Source File.
5. When prompted, click Save.
Using the Web Services Description Language File

The Web Services Description Language (WSDL) is an XML language that defines the standard
interface for interacting with the RSA Archer Web Services API (WebAPI). The WSDL file
specifies the location of the web service and the operations the service can perform. The WSDL
files enable you to automate the process of locating and invoking web service functions independent
of language or platform, allowing applications to easily integrate new services with little or no
manual code.
Reference Guide on the RSA Archer Community on RSA Link at
https://community.rsa.com/community/products/archer-grc/archer-customer-partner-community/.
This guide is an HTML .zip file that includes each available web service and provides XML
formatting guidelines and samples. If you do not have access to the RSA Archer Community site, but
want to obtain this guide, contact the support team at archersupport@rsa.com.
Download a Web Services Description Language file

1. Go to the API Integration Manager page.

b. Under Integration, click Obtain API Integration.
2. Click Download WSDL Files.

3. Click the link for the class whose code you need for your project.
4. Copy the entire block of code and paste it into your project.

Chapter 15: Packaging

Packaging provides the means for copying applications and other objects from one RSA Archer
instance to another. Instead of manually recreating objects in a new instance and updating their
elements, Packaging efficiently installs objects and applies the changes in the new instance.
Use Packaging in the following scenarios:
l Supporting IT change control practices by enabling the transfer of large changes from
development to test to production instances. Packaging reduces the risk of deploying changes and
decreases manual configuration tasks, which also decreases the total cost of ownership.
l Sharing applications and solutions on the RSA Archer Community.
l Receiving and installing updates to RSA Archer Solutions.
l Troubleshooting issues with Customer Support. Packaging enables customers to more efficiently
communicate error situations to Customer Support, improving the ability to diagnose and solve
issues.
Packaging terminology
The following table defines key packaging terminology.
Term Definition
Instance A single installation of RSA Archer and associated database.
Source The instance in which the package is created and from which objects are copied.
Instance
Target The instance in which the package is installed and to which objects are copied.
Instance
Module Either an application or questionnaire.
Object Any entity within RSA Archer that Packaging supports, for example, an application, a
sub-form, or field within an application.
Advanced A feature for mapping objects from the source instance to the target instance. By
Package default, this feature is activated during RSA Archer installation. If you are not using
Mapping Advanced Package Mapping, you can deactivate this feature in the General Settings
of the RSA Archer Control Panel.
Packaging process
The following figure shows the complete packaging process, from creating an package on the source
instance to installing it on the target instance.

Package objects
The package is a ZIP file that contains one or more objects. An object is any entity within
RSA Archer that Packaging supports, for example, an application, or a sub-form or field within an
application.

Objects can be root, level 1, or level 2 objects, as listed in the following table.
Root Objects Level 1 Objects Level 2 Objects
Applications Level Fields

Questionnaires Questionnaire Values Lists Layout
Sub-forms Groups Event Rules
Global Values Lists Page Rights Event Actions
Solutions Questionnaire Campaigns
Workspaces Questionnaire Rules
Dashboards Field Filter Properties
iViews Notifications
Letterhead Templates
Folders
Access Roles
Reports
A Level 1 object cannot exist without a root object. Level 2 objects cannot exist without a Level 1
object. Some Level 1 objects have child objects, for example, a values list is a child of the custom
values list field. The values list includes individual values list values. All objects and elements are
transferred within a package.
When you create a package on the source instance, you can select which applications,
questionnaires, workspace, dashboards, and access roles to include. Then, when you install a
package on the target instance, you can select which of these root objects to install. For each
selected root object, you can map all child objects to existing objects in the target instance or have
the system create new objects.
Note: Packaging does not delete objects or permission settings. It only adds new or updates existing
objects and permission settings. Exceptions include layout and workflow, in which packaging
replaces the existing settings.
Supported and unsupported objects
The following objects are supported in Packaging:

l Access Roles
l Applications
l Dashboards

l Folders
l Global values lists
l Groups
Note: Groups are only added when they are used in a configuration for something in a package.
l iViews
l Letterhead templates
l Questionnaires
l Reports
l Solutions
l Sub-forms
l Workspaces
Note: Folders are used to organize certain user-created objects, such as iViews and Mail Merge
templates. iViews must exist in the package from the source instance. Values List values is a
child object of Global Values Lists.
Packaging does not support the following objects:

l Appearance themes
l Data feeds
l Discussion forums
l Personal dashboards
l Personal reports
l Record content
l Training and Awareness Campaign notification templates
l User and group creation
l User-specific preferences and attributes
Note: Email subscription preferences and Discussion Forum preferences are examples of user
specific preferences and attributes.
How objects are identified
Objects are identified by a unique system ID. Nearly every object in RSA Archer has a system ID,
for example, applications, fields, and values lists.

The primary purpose of a system ID is to identify an object in the RSA Archer database. Packaging
uses system IDs to identify objects in the source and target instances. By comparing the system IDs
of objects in the source and target instances, Packaging can determine whether an object already
exists in the target and should be updated, or whether to create a new object.
All objects supported by Packaging use system IDs, with the following exceptions:
l Workflow
l Users
Workflow objects use system IDs, but Packaging does not match Workflow objects. Instead,
Packaging overwrites the workflow configuration.
Packaging Rules
The Packaging process requires numerous rules and logic to determine how the individual elements
in applications and questionnaires are migrated from one instance of RSA Archer to another.
Packaging does not delete objects or permission settings. It only adds new or adds new and updates
existing objects and permission settings. Exceptions include layout and advanced workflow, in which
packaging replaces the existing settings.
The following sections provide additional rules and logic.
Access roles
When you import access roles with groups during the packaging process, the groups are created
without any members in the target instance. After the access roles are transported from the source
instance to the target instance, you must manually add users to each group .
The following table describes the different results when you import access roles that are and are not
linked to groups, depending on your target instance.
Package Contains Access Package Contains Access Role that
Role Not Linked to a Group is Linked to a Group
Target contains Access role is updated, no group Access role is updated, group is added and
access role only changes linked in target
Target contains Access role is created, no group Access role is created, group is linked to
group only changes access role in target
Target contains Access role is updated, no group Access role is updated, group is linked to
unlinked access changes access role in target
role and group

Package Contains Access Package Contains Access Role that

Role Not Linked to a Group is Linked to a Group
Target contains Access role is updated, no group Access role is updated, no group changes
linked access role changes (group remains linked (group remains linked to access role)
and group to access role)
Note: If the package and target linked
groups are not the same, the access role is
linked to both groups.
Advanced workflow
Packaging rules related to advanced workflow include:
l You cannot generate a package that contains an application or questionnaire with an advanced
workflow if the Advanced Workflow Service is not running.
l If you install an application or questionnaire with an advanced workflow and the target
application or questionnaire has active advanced workflow jobs (or active advanced workflow
jobs for the applicable level in a leveled application) that are using a different version of the
workflow, the updated workflow can have unpredictable effects on the active job(s) or might
cause them to fail. RSA recommends that you review the changes in the workflow and consider
the implications those changes can have on active jobs. If you choose to install the updated
workflow, review the active jobs and update them as necessary.
l All advanced workflows are installed as inactive. After installation, review the install logs for
any errors and verify that the advanced workflow is configured correctly. Once you have
validated the advanced workflow, you then activate the workflow.
l If a package includes an advanced workflow, the following scenarios and behaviors apply
The following table describes the scenarios and behaviors.
Target Install Install
Target Result
Application Method Option
No advanced Create Override Advanced workflow is created.

workflow New Layout New layouts are created. Existing layouts (matched by
exists Only system ID) are updated.
New data driven events are created. Existing data
driven events are not updated.


Target Result
Do Not Advanced workflow is created.

Override New layouts are created. Existing layouts (matched by
Layout system ID) are not updated.
Create Override Advanced workflow is created.

New & Layout New layouts are created. Existing layouts (matched by
Update system ID) are updated.
driven events are updated.
Do Not Advanced workflow is created.

Override New layouts are created. Existing layouts (matched by
Layout system ID) are not updated.
If you choose not to override the layout, you may need
to make some manual updates to your existing layout so
that it works with the advanced workflow.
Advanced Create Override Advanced workflow is not installed.

workflow New Layout New layouts are created, but not associated with the
exists Only existing advanced workflow. Existing layouts are
updated, but not removed from any existing workflow
nodes.
Do Not Advanced workflow is not installed.

Override New layouts are created, but not associated with the
Layout existing advanced workflow. Existing layouts are not
updated.


Target Result
Create Override Existing advanced workflow is replaced with the

New & Layout advanced workflow in the package.
Update New layouts are created and associated with the
advanced workflow as applicable. Existing layouts
(matched by system ID) are updated but disassociated
from workflow nodes.
The existing layouts are still available and can be
reapplied to a workflow node, but the workflow may
require manual configuration to work correctly with the
existing layout.
Do Not Existing advanced workflow is replaced with the

Override advanced workflow in the package.
Layout New layouts are created and associated with the
advanced workflow as applicable. Existing layouts
(matched by system ID) are not updated.
Any existing layout that does not exist in the package is
disassociated from the workflow. The layout remains
available and can be reapplied to a workflow node, but
the workflow may require manual configuration to work
correctly with the existing layout.
l If the package does not include an advanced workflow, the package installation does not delete or
modify any existing advanced workflow settings in the target instance.
Audit fields
Packaging rules related to audit fields include:
l The Created By and Last Updated values for all elements created during the package installation
are attributed to the user who installed the package.
l The Last Updated value for all elements that are updated during the package installation are
attributed to the user who installed the package.

Bulk actions
Packaging rules related to bulk actions include:
l All schedules are installed as inactive. After installation, review the install logs for any errors
and verify that the schedule is configured correctly. Once you have validated the configuration,
activate the schedule.
l If the Schedule Owner or Run As user for the schedule in the source instance does not exist in the
target instance, the field is left blank and a warning is logged.
Note: A system administrator or application owner must update these fields in the schedule.
l Linked actions are handled as follows:

o If the Install Method is set to Create New and Update, new actions are created and existing
actions are updated.
o If the Install Method is Create New Only, only new actions are created. Existing actions are
not updated.
l If the package contains an invalid configuration, a warning message is written to the package
installation log and the scheduled is saved as inactive. Validate the configuration, and then
activate it.
Calculations
The calculation order is retained from the source to the target. This rule is also true for calculation
order that can affect data driven events.
Calculated cross-references
Packaging does not allow you to update an existing cross-reference field to a calculated cross-
reference field, and vice versa.
Data driven events

Packaging rules related to data driven events include:
l All rules in the package are installed regardless of association with any actions.
l All actions in the package are installed regardless of association with any rules.
l Existing rules and actions are not deleted by the package installation.
l Rule order is retained from the source to the target. This rule is also true for calculation order that
can affect data driven events.

l If the package disassociates a link between a rule and an action, the association also is removed
in the target instance.
l Rules related to Apply Conditional Layout actions include:
o If you select the Override Layout option when installing a package, and the target instance
includes Apply Conditional Layout actions that have different objects than specified in the
package, the package installation removes the settings for the layout objects that are not
applicable to the Apply Conditional Layout actions.
o If you select the Do not Override Layout option when installing a package, and the package
includes Apply Conditional Layout actions that assume a new layout is applied, the package
installation removes the settings for the layout objects that are no longer applicable.
Default value
Packaging rules for default values abide by the following if a new field is created with a default
value, or if a default value is added to an existing field, the existing content in the target instance is
not updated with the default value.
Documentation attachments
Packaging rules related to documentation attachments include:
l Packaging includes attachment files for objects that include a documentation attachment attribute
in the configuration. These include:
o Solutions documentation
o Applications documentation
o Questionnaires documentation
o Workspaces documentation
o Dashboards documentation
o iViews documentation (for all iView types)
o Mail Merge templates report template
l The user who installed the package is listed as the creator for the attachments.
l Existing file attachments are not deleted during the installation process.
l Attachments in the package are not matched but added to the target instance. If the attachment
already exists in the target instance, a duplicate attachment is created.

Fields
Packaging rules related to fields include:
l All attributes of fields can be updated by the package installation, with the following exceptions:
o Type
o Created By
o Key Field Designation
o Related Module
o Associated Values List
l An existing private field is not changed to a public field.
Filter criteria
Packaging rules for Filter Criteria include the following attributes that are updated during
installation:
l Values. If the system cannot map a Values List Value in the target instance, that item is removed
from the Values field for the condition.
l Field to Evaluate. If the system cannot map the field in the target instance, the condition is
migrated as a null condition.
l Condition Order Number
l Operator
l Relationship
l Advanced Operator Logic
Key fields
Packaging rules for Key Fields abide by the condition if the key field in the package is different from
the key field in the target instance, the target instance retains the same key field attribute as before
the installation.
Layouts
Packaging rules related to layouts include:
l The package installation process attempts to match all layouts in the package by system ID. The
process ignores any layouts that do not match.
l You cannot map the default layout or map custom layouts to the default layout.

l You can map custom layouts to custom layouts (if they are not matched by system ID).
l If a layout is matched by system ID, you can map all layout objects on the matched layout.
Levels in applications
Packaging rules related to levels in applications include:
l Existing levels are not deleted by the package installation.
l The package installation cannot change a leveled application to a flat application.
l If the levels in the target instance are arranged in a different hierarchy than the levels in the
package, the installation fails.
Mobile questionnaires
The mobile-ready flag of a mobile-ready questionnaire is turned off during the package installation
process.
To reset the questionnaire back to mobile ready, select the Mobile Ready option in the questionnaire
properties (Manage Questionnaires > questionnaire > General tab > Options section > Mobile
Ready) in the target instance after the installation is completed.
Personal reports
Packaging rules for Personal Reports do no install personal reports in the package installation. To
include personal reports, promote the report to a global report before creating the package in the
source instance.
Record permissions
Packaging rules related to record permissions include:
l User/Groups field population can be added to Record Permissions fields, but existing ones are not
removed by the package installation.
l New inherited fields can be added, but existing ones are not removed by the package installation.
l If a User/Groups field in the target instance is configured as a Record Permissions field in the
package, the package installation changes the field to the record permissions type.
Status fields
Packaging rules related to status fields include:

l If an existing application or questionnaire is updated, the current status in the target instance is
not changed by the package installation.
l If the package creates a new application or questionnaire and there are not enough licenses, the
new application or questionnaire is set to the Development status and a warning is logged.
Trending charts
You can add trending objects (fields and charts) to packages for migrating them to a target instance.
Certain rules apply when packaging trending objects. The main rule is if the trended field is not
added to the package, the layout object cannot be added to the package.
RSA Archer uses the following rules when mapping trending objects, which are explained in the
following sections.
Trending rules - trending enabled

The following table describes the trending rules when trending is enabled.
Source Target Install Method Layout Target Result
Yes Yes Create New and Update Any Trending enabled.
Yes No Create New and Update Any Trending enabled.
Yes No Create New Only Any Target field is not updated.
No Yes Create New and Update Any Trending enabled.
No Yes Create New Only Any Target field is not updated.
Trending rules - duration period

The following table describes the trending rules related to the duration period.
Install Target
Source Target Layout
Method Result
Same as Same as Create New and Any No change; remains the same.
Target Source Update
Shorter than Longer than Create New and Any Retains the duration period
Target Source Update specified in the Target.
Longer than Shorter than Create New and Any Retains the duration period
Target Source Update specified in the Source.

Trending rules - referenced field

The following table demonstrates what occurs when:
l Trending is enabled or disabled for the field.
l Trended field is deleted.
Install Target
Method Result
Trending Trending Create New Do Not Neither field is updated.

enabled enabled Only Override
Layout
Trending Field different Create New Do Not Target instance is updated to reference the
enabled than the field and Update Override field from the Source instance.
from the Layout
Source
instance.
Trending Field different Create New Do Not Field exists in both places. The chart object
enabled than the field Only Override is updated to reference the field in the Source
from the Layout instance.
Source
instance.
Trending Field different Create New Do Not Field does not exist in the Target instance.
enabled than the field Only Override The field from the Source instance is created
from the Layout in the Target instance, and then referenced
Source by the trending chart object in the Target
instance. instance.
Trending Trending Create New Do Not Target instance is updated with any trending
enabled enabled and Update Override chart properties that exist in the Source
Layout instance. The layout is not affected.
Trending Trending Create New Override Target instance is updated with any trending
enabled enabled and Update Field chart properties that exist in the source. The
position of the trending chart object on the
application layout and the span properties are
affected.

Install Target
Method Result
Trending Trending Create New Override Position of the trending chart object on the
enabled enabled Only Layout application layout is affected. The field and
trending chart object properties are not
updated.
Trending Trending Create New Override The following message displays: Package
enabled disabled Only Layout Install Successful.
The trending chart cannot be created in the
Target instance for the following reasons:
l Referenced field is not trended.
l The packaging operation does not enable
trending in the Target instance when
Create New Only is selected.
Trending Trending Create New Override Trending chart object and referenced field
enabled disabled and Update Layout are created in the Target instance.
Application layout matches the Source
instance.
Field in the Target instance is trending-
enabled, and the associated trending chart is
created in the Target instance.
Trending Field deleted Create New Do Not Trending chart object and referenced field
enabled Only Override are created in the Target instance.
Layout Application layout is not overridden.
Trending Field deleted Create New Do Not Trending chart object and referenced field
enabled and Update Override are created in the target. Application layout
Layout is not overridden.

Trending rules - trending chart objects

The following table demonstrates what occurs when the trending object (field or chart) or place-
holder object is added to the layout.
Install Target
Method Result
Trending Trending Create New Do Not Neither field is updated.

object object on Only Override
on layout Layout
layout
Trending Trending Create New Do Not Target instance is updated to reference the field
object object on and Update Override from the Source instance.
on layout Layout
layout
Trending Trending Create New Do Not Referenced field exists in both places and
object object on Only Override maps. The trending object is updated to
on layout Layout reference the field in the Source instance.
layout
Trending Trending Create New Do Not Referenced field does not exist in the Target
object object on Only Override instance. The field from the Source instance is
on layout Layout created in the Target instance, and then
layout referenced by the trending object in the Target
instance.
Trending Trending Create New Do Not Target instance is updated with any trending
object object on and Update Override chart properties that exist in the Source
on layout Layout instance. The application layout is not changed.
layout
Trending Trending Create New Override Target instance is updated with any trending
object object on and Update Layout chart properties that exist in the Source
on layout instance. The position of the trending object on
layout the application layout and the span properties
are updated to match the Source instance.
Trending Trending Create New Override Position of the trending object on the application
object object on Only Layout layout is updated. The field and trending object
on layout properties are not updated.
layout

Install Target
Method Result
Trending Placeholder Create New Override The following message is displayed: Package
object on layout Only Layout Install Successful.
on The trending chart cannot be created in the
layout Target instance for the following reasons:
l Referenced field is not trended.
l Packaging operation does not enable trending
in the Target instance when Create New
Only is selected.
Trending Placeholder Create New Override Trending object and referenced field are
object on layout and Update Layout created in the Target instance. Application
on layout matches the Source instance.
layout Field in the Target instance is trending-enabled,
and the associated trending chart is created in
the Target instance.
Trending Placeholder Create New Do Not Trending object and referenced field are
object on layout Only Override created in the Target instance. Application
on Layout layout is not overridden.
layout
Trending Placeholder Create New Do Not Trending object and referenced field are
object on layout and Update Override created in the target. Application layout is not
on Layout overridden.
layout
Users and groups

Packaging rules related to users and groups include:
l The package installation process attempts to match all users in the package by user name and
domain. The process ignores any users that do not match.
l The package installation process attempts to match all groups in the package by system ID. If no
matches are found, the process then attempts to match groups by group name and domain. The
process ignores any groups that do not match.
Values lists
Packaging rules related to values lists, which may include global values lists, questionnaire values

lists, or custom values lists, include:

l If a global values list in the package file matches a custom values list in the target instance, the
custom values list is promoted to a global values list during installation. However, the opposite is
not true. A global values list in the target instance is not demoted to a custom values list during
installation.
l The following values list values attributes are not updated if settings already exist in the target
instance:
o Height
o Default text
l In custom ordered values lists, new values are added to the end of the list.
Workflow
Packaging rules related to workflow include:
l If a package includes workflow settings, all workflow settings from the package are installed on
the target instance and the prior workflow settings are overwritten. However, if you select the
Create New Only option when installing a package and at least one stage already exists in the
target instance, the package installation does not make any changes to the existing workflow
settings. If no workflow stages have been defined in the target instance, and you select the Create
New Only option, the package installation updates all workflow settings as specified in the
package.
l If the package does not include any workflow settings, the package installation does not delete or
modify any existing workflow settings in the target instance.
l Any records in a workflow stage that is deleted by the package installation are routed to the start
point of the workflow process.
Workspaces and dashboards

Packaging rules related to workspaces and dashboards include:
If the package creates a new workspace or dashboard and there are not enough licenses, the new
workspace or dashboard is set to the Development status and a warning is logged.
Before You Begin

Packaging is a complex process and makes permanent changes to your system, so you must be
aware of certain factors and considerations before you begin. Review the following sections.

Database back up and recovery

There is no Undo function for a package installation. Because packaging is a powerful feature that
can make significant changes to an instance, RSA strongly recommends backing up the instance
database before installing a package. This process enables a full restoration if necessary.
An alternate method for undoing a package installation is to create a package of the affected objects
in the target instance before installing the new package. This package provides a snapshot of the
instance before the new package is installed, which can be used to help undo the changes made by
the package installation. New objects created by the package installation must be manually deleted.
Packaging impact on system performance

System performance may vary based on the size of package files. A large number of cross-reference
fields and questionnaires can affect system performance.
Advanced Package Mapping requires a considerable amount of memory, which can result in loss of
data input and IE errors when working with large applications.
Package file size
If the modules in a package contain cross-reference fields, the package file includes additional data
to ensure that the cross references are properly maintained. As a result, package files can get very
large. Because a questionnaire contains cross-references to the Findings application, and the
Findings application references other applications, a package file that includes even a single
questionnaire can become very large. Large package files can slow the performance of the
installation process.
To optimize performance for packaging, increase the RAM on the servers.
Virtual memory size
The page file settings on the server running RSA Archer Services can have a significant impact on
performance. If the size of the page file is too small for all current processes, the system generates
an out-of-memory error that can result in a loss of functionality or unexpected results.
Installing a large package file is one scenario that can cause this condition. The resolution is to
modify the virtual memory settings on the operating system to provide more resources to the RSA
Archer Services. RSA recommends configuring the operating system to automatically manage the
paging file size for all drives.
This setting is found in the System Properties > Performance Options > Virtual Memory dialog box.

When you select Automatically manage paging file size for all drives, the operating system
automatically takes steps during resource-intensive activities to protect itself from running out of
memory.
If the server in your organization is configured with a fixed size for the paging file, you can still help
prevent out-of-memory errors by configuring the system to manage paging file sizes on other drives.
Otherwise, if the page file is fixed, the system can incur out-of-memory errors during resource-
intensive activities.
Packaging rules
The Packaging process requires a large amount of rules and logic to determine how the individual
elements in applications and questionnaires are migrated from one instance of RSA Archer to
another. In general, Packaging does not delete objects or permission settings. It only adds new or
updates existing objects and permission settings. Exceptions include layout and workflow, in which
packaging replaces the existing settings.
See Packaging Rules for additional rules and logic.
Installing packages from previous versions

Version 5.2 of RSA Archer added support for additional objects, including workspaces, dashboards,
iViews, notifications, and mail merge templates.

If the package was created on a version prior to 5.2, these objects are not included in the package
file and are not installed.
Installing a translated language to another instance

You must use the package functionality in RSA Archer to install a translated language to another
RSA Archer instance. You can install a translated language for any of the following individual RSA
Archer objects:
l Applications
l Questionnaires
l Workspaces
l Dashboards
The RSA Archer versions of the source instance and the target instance affect the kind of package
installation you will use because of the existence of Global Unique Identifiers (GUIDs) for objects
and any dependencies, for example sub-forms, that are present in the instances. The installation of
the translation language can succeed only when the GUIDs match in both instances.
If you intend to install a translated language from a source instance that has been upgraded from a
previous version to RSA Archer version 5.5 Service Pack 2 into a target instance that as also been
upgraded, then the GUIDs do not match between the instances. To ensure that the installation
succeeds, you must select Full Install as the translation option for the package rather than
Translation-only. A full installation of the package synchronizes the GUIDs for objects and their
dependencies in both instances, whereas Translation-only does not.
Licensing issues
When installing a package with a core module in to a target instance in which it does not exist
currently, that core module must be licensed prior to the package installation in the target instance.
The package installation verifies that core solutions, applications, dashboards, and workpaces are
licensed on the target instance. If the target instance does not have the proper licenses, the objects
are not installed and errors are logged to the Package Log file. In some cases, the package
installation generates errors when installing packages that contain core applications that are properly
licensed but have not yet been installed on the target instance.
The resolution is to reapply the license key after the package installation and then install the package
again.
How system ID mismatches occur

System ID mismatches occur when a user manually creates an object in the source instance and then
manually re-creates the same object in another instance. Because system IDs are assigned randomly

to objects when they are created, the system IDs of each of these objects will be different.
Because system ID mismatches occur when the same object is manually created in multiple
instances, the simplest way to avoid system ID mismatches is to use Packaging to copy all changes
from one instance to another.
Using packaging with recommended development environments

The recommended development environment consists of three instances of RSA Archer:
1. Development
2. Test
3. Production
When making changes to RSA Archer, the typical workflow involves first building the changes in
the development instance, copying them to the test instance for testing and verification, and then
copying them to the production instance.
Instead of manually re-creating the objects in each instance, Packaging can efficiently apply the
changes to each instance.
Ideally, each of these instances would contain the same database. However, in larger organizations
or organizations with strict security policies, the development and test instances have test databases
with a smaller set of example data. As a result, some tests cannot be fully validated until the objects
are moved from the test to the production instances.
Authoritative source and control standard references

Authoritative Source and Control Standard references may be added, but existing ones are not
removed by the package installation.
Creating Packages
This process creates the package and the package description, generates the package file, and
downloads the package file to a location accessible by the target instance.
Task 1: Create the package definition

A package is a collection of settings that define the components that you want to migrate. Once the
package is defined, it can be generated into a package file.
Note: To create a copy of an application in the same instance of RSA Archer, create a new
application and select the option to create a copy of an existing application.

1. Go to the Manage Packages page.

b. Under Application Builder, click Packages.

l To create a new package, click Create a new Package from scratch.
l To create a package from an existing package, click Copy an existing Package, and select the
package you want to copy.
3. Click OK.
4. In the General Information section, enter the name and description of the package.
Task 2: Add components to the package definition
1. Go to the package you want to update.

c. Select the package you want to update.
2. In the Components section, review the list of applications, questionnaires, dashboards,

workspaces, reports, or access roles currently included in the package.
3. To add a new component, click Lookup.
4. Use the drop-down to select Applications, Questionnaires, Workspaces, Dashboards, and
Access Roles.
Note: You cannot package unlicensed objects. You can view your licensed objects and any
unlicensed dependencies on the Licensing Information page. For more information see, "Viewing
Licensing Information" in the Online Documentation.
5. For each drop-down option, select the items that you want to include in the package.
Note: Selecting a Workspace does not automatically add the associated dashboards.
6. To select all dashboards associated with the selected workspaces, on the Dashboards page, click
Select Related Dashboards.

7. Click OK.
Task 3: Generate the package file

When you generate a package, RSA Archer creates a package file using the most current
information in the instance of RSA Archer

2. Select the package that you want to generate and review the date listed in the Last Updated
column.
Read more
The Last Updated column indicates when the package was last modified. Any changes that were
made to the source instance of RSA Archer after this date are not reflected in the package.
3. Review the date listed in the Last Generated column.
Read more
The date in the Last Generated column indicates when the package file was generated. If the
field is blank, the package has not been generated and a package file has not been created. If a
date is listed, but does not match the date in the Last Updated column, the package file may be
out of date. You may need to generate the package again to ensure that any recent changes to the
package are reflected in the package file.
4. To generate the package and a new package file, click Generate.
Read more
The Generate Package File process is queued into the asynchronous job engine. The job may or
may not run immediately, depending on the jobs currently queued in the job engine. By default,
the generated package file is stored in the file repository.
Note: After a package file is generated, it is not automatically updated. If any changes are
subsequently made to the source instance, you will need to generate a new package file to ensure
that the information in the package file is current.

5. To view detailed package generation progress, click Run History.

6. If you receive the status Failed or Partially Successful, review the Package Generation Log.
Task 4: Download the package file

To download a package that was imported on a target instance, click Packages and click Download
for the package.
1. Go to the package that you want to download.

2. In the Last Updated column, review the date listed.

3. In the Last Generated column, review the date listed.
4. Click Download.
5. In the Download dialog box, click click here, and select Open or Save.
6. To save the file, click the arrow next to Save, select Save as, and set the file location.
Note: Save the file in a location that is accessible to the RSA Archer administrator of the
instance who plans to import the package file.
Reviewing the Package Generation Log

If you receive a status of Failed or Partially Successful after attempting to generate a package, you
can review the Package Generation Log to identify the cause and resolution of failures that occurred
during package generation.
Review the package generation log


2. Locate the package that did not successfully generate.
3. In the Status column, click the status of the package to open the Package Generation Log page.
4. Review the error message and make any necessary updates to the package components.

Warning messages
The following table describes warning messages.
Message Description
The scheduler field {0} is missing module When packaging an application that contains a
(s) {1} from the package, this may cause scheduler field, you must also package any
errors during install. applications related to the field. If the referenced
application does not exist in the target environment,
the system generates an error during package
installation.
The {0}, {1}, references a file, {2}, that A repository file that is attached to either an
cannot be found. Please make sure this file application, questionnaire, sub-form, global values
exists in your configured repository files list, workspace, or dashboard cannot be found in the
directory, or remove and re-add the file repository. The file will not be installed during
attachment. This reference has been package installation.
excluded from the package.
A {0} with the name {1} contains a filter Filters that reference specific content are unlikely to
that references content. This may cause translate to another environment. RSA recommends
issues on package install. evaluating these filters prior to package generation
to reduce the cleanup effort after installation.
The Advanced Workflow for level {0} with The application referenced in the error message has
process ID {1} has an empty configuration. an advanced workflow configuration that is empty.
Inactivate the advanced workflow and generate the
package again.
The CAST field {0} has a reference that is When packaging an application that contains a
not included in the package. This may CAST field, RSA recommends that you also
cause an issue on installation. package any applications related to the field. If the
referenced application does not exist on the target
environment, the system generates a warning when
the package is installed.
{0} references only specific users. You cannot package specific users. Notifications,
DDEs, and other items listed may not install in the
target environment if they reference only specific
users. Verify that specific users are not referenced
in the package file.

Failure messages
The following table describes failure messages.
Message Resolution
The Workflow Service is currently Verify that the Advanced Workflow service is
unavailable. running. If it is not running, start the service.
A {0} that ties to {1} contains an invalid The referenced field contains an invalid value.
value. Delete the field and generate the package again.
The {0}, {1}, that ties to {2} is invalid. The values list value is invalid. Delete the value
from the values list.
Unable to retrieve Level Layout information The layout for the reference application is invalid.
for the given Level {0}. Delete the layout from the application.
The report {0} was unable to be packaged. The report listed has an error. Fix the report and
The following error has been thrown {1}. generate the package again.
Levels could not be found. Listed levels could not be included in the package.
Installing Packages
Package installation includes importing the package, mapping objects, and installing the package.
During this process, mapping and installation logs are created.
Note: When installing a package with a core module into a target instance in which it does not exist
1. On the destination instance of RSA Archer, back up the instance database.

2. Import the package file. Once imported, the package file is available for installation.
3. Map the objects in the package file.
4. Install the package file. All objects in the package or only the ones selected during the package
installation can be installed on the target instance. The elements of the objects being installed
can be created only, or created and updated on the target instance. Additionally, existing layout
settings can be overridden in the target instance. When you install the package, the objects in the
package file are migrated to the current instance. The system generates the Package Installation
Log.
5. Review the Package Installation Log.

Task 1: Backing Up Your Database

There is no Undo function for a package installation. Because packaging is a powerful feature that
can make significant changes to an instance, RSA strongly recommends backing up the instance
database before installing a package. This process enables a full restoration if necessary.
An alternate method for undoing a package installation is to create a package of the affected objects
in the target instance before installing the new package. This package provides a snapshot of the
instance before the new package is installed, which can be used to help undo the changes made by
the package installation. New objects created by the package installation must be manually deleted.
Task 2: Importing Packages

Before you can install a package file, you must import it to your instance of RSA Archer. You
create the package file on the source instance of RSA Archer using the Manage Packages feature.
1. Go to the Install Packages page.

b. Under Application Builder, click Install Packages.
2. In the Available Packages section, click Import.

3. Click Add New, then locate and select the package file that you want to import.
4. Click OK.
The package file is displayed in the Available Packages section and is ready for installation.
Note: Only the package file has been imported; you must install the package file to migrate the
components to your instance of RSA Archer.
Task 3: Mapping Objects

Advanced Package Mapping enables you to review and modify how individual objects are mapped
from the source instance to the target instance.
During the package installation, if the system ID of an object in the source package does not match
any system IDs in the target instance, the process creates a new object. However, in some cases,
the object may already exist in the target instance, but with a different system ID. In this case, the
package installation creates a new object, and if the object name is the same in the source as it is in
the target instance, a number will be appended to the new object in the target. For example, if a field
called "First Name" exists in both the source and target instances and the system IDs do not match,
the process creates a new field called "First Name (1)" in the target instance with all of the
attributes of the field in the source instance. In this case, you do not want the package installation to
create a new object.

Using Advanced Package Mapping, you can change the system ID of an object in the target instance
so that it matches the system ID of an object in the source package. When the system IDs match,
packaging updates the intended objects instead of creating new, duplicate objects.
Mapping object process
Mapping objects does not change the target instance. Elements of objects can only be updated
through the package installation. Objects in the source instance are merged with objects in the target
instance. Elements of objects in the target instance can be created, or created and updated, and
layouts can be overridden during the installation process.
Note: An exception is with data driven event (DDE) notifications. Recipients in source instance
replace the recipients in the target instance.

Mapping objects is extremely important to ensure that duplicate objects are not created in the target
instance and that all objects in the target instance match the intended objects from the source
instance. If objects are not mapped properly unintended consequences will occur in the target
instance. For example, changing the system ID of a field can adversely affect any data feeds or
calculations that use this field. These issues can be difficult to identify and remedy later. Always
back up the instance database before importing and installing a package.
When a root object includes level 1 and level 2 objects, it is vital that the object is mapped to its
lowest level. Some level 1 and level 2 objects also have child elements and dependencies. These
elements must also be mapped. Map the child elements before mapping the parent object.
Mapping process rules

When mapping objects, the Advanced Package Mapping process follows these rules:
l Does not change the system ID of objects that were mapped by the system.
l Does not change the system ID of system-protected objects.
l Does not change the system ID of objects in which Do Not Map was selected by the user.
l Only maps to objects of the same type. For example, you cannot map a Text field to a Date field
or a custom Values List to a Global Values List.
Important considerations
l Advanced Package Mapping requires a considerable amount of memory, which can result in loss
of data input and IE errors when working with large applications. System performance may vary
based on the size of package files. To optimize your system for packaging, RSA recommends
upgrading to Silverlight 5.06 for those users who perform the role of packaging administrator.
l Advanced Package Mapping can create unintended consequences on the instance. For example,
changing the system ID of a field can adversely affect any data feeds or calculations that use the
field, and these issues can be difficult to identify and remedy later. Before executing the mapping
process, back up your database.
l Advanced Package Mapping does not update data feeds and Web APIs. Modifying the system ID
of an object used by a data feed or Web API will break the relationship with the object. The data
feed or Web Service API will no longer function properly. The resolution is to update the data
feeds and Web Service APIs to reference the new system IDs of those objects.
l During the mapping process, you may discover discrepancies in the data, such as unwanted
objects in the source or target instance. Before installing the package, RSA recommends fixing
any discrepancies in the source or target instances, then re-creating the package. Otherwise, any
data discrepancies will be retained after the package installation.
l When mapping larger packages, RSA recommends dividing the mapping process into multiple,
smaller portions, rather than mapping and executing all of the changes at one time. You can use
the Export Mapping Settings and Import Mapping Settings features to save and load mapping

settings if needed. However, do not install the package until you have completed the entire
mapping process.
l Once a values list contains more than 1,000 values in a package, the link to display the mapping
page for that list is disabled. This allows the package mapper to continue operating successfully
without becoming over-stressed with excessive requests.
Map objects
1. Go to the Available Packages tab of the Install Packages page.

c. Click the Available Packages tab.
2. In the Available Packages section, select the package you want to map.
3. In the Actions column, click for that package.

The analyzer runs and examines the information in the package. The analyzer automatically
matches the system IDs of the objects in the package with the objects in the target instances and
identifies objects from the package that are successfully mapped to objects in the target instance,
objects that are new or exist but are not mapped, and objects that do not exist (the object is in the
target but not in the source).
Note: This process can take several minutes or more, especially if the package is large, and may
time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings
set to less than 60 minutes.
When the analyzer is complete, the Advanced Package Mapping page lists the objects in the
package file and corresponding objects in the target instance. The objects are divided into tabs,
depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub-
forms, or Questionnaires.
4. On each tab of the Advanced Mapping Page, review the icons that are displayed next to each
object name to determine which objects require you to map them manually.

The following table describes the icons.

Icon Name Description
Awaiting Indicates that the system could not automatically match the object or
Mapping children of the object to a corresponding object in the target instance.
Review Objects marked with this symbol must be mapped manually through the
mapping process.
New objects should not be mapped. This icon should remain visible. The
mapping process can proceed without mapping all the objects.
Mapping Indicates that the object and all child objects are mapped to an object in
Completed the target instance. Nothing more needs to be done with these objects in
Advanced Package Mapping.
Do Not Indicates that the object does not exist in the target instance or the object
Map was not mapped through the Do Not Map option. These objects will not be
mapped through Advanced Package Mapping, and must be remedied
manually.
Undo Indicates that a mapped object can be unmapped. This icon is displayed in
the Actions column of a mapped object or object flagged as Do Not Map.
Note: You can execute the mapping process without mapping all the objects. The icon is
for informational purposes only
5. For each object that requires remediation, do one of the following:

l To map each item individually, on the Target column, select the object in the target instance
to which you want to map the source object. If an object is new or if you do not want to map
an object, select Do Not Map from the drop-down list.
Important: Ensure that you map all objects to their lowest level. When objects have child or
related objects, a drill-down link is provided on the parent object. Child objects must be
mapped before parent objects are mapped. For more details, see Parent/Child Object
Mapping.
l To automatically map all objects in a tab that have different system IDs but the same object
name as an object in the target instance, do the following:

a. In the toolbar, click Auto Map.

b. Select an option for mapping objects by name.
Option Description
Ignore Select this option to match objects with similar names regardless of the case
case of the characters in the object names.
Ignore Select this option to match objects with similar names regardless of whether
spaces spaces exist in the object names.
c. Click OK.
The Confirmation dialog box opens with the total number of mappings performed. These
mappings have not been committed to the database yet and can be modified in the
Advanced Package Mapping page.
d. Click OK.
l To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map.
Note: To undo the mapping settings for any individual object, click in the Actions column.
When all objects are mapped, the icon is displayed in the tab title. The icon is displayed
next to the object to indicate that the object will not be mapped.
6. Verify that all other objects are mapped correctly.
7. (Optional) To save your mapping settings so that you can resume working later, see Exporting
and Importing Mapping Settings.
8. Once you have reviewed and mapped all objects, click .

9. Select I understand the implications of performing this operation, and click OK.
The Advanced Package Mapping process updates the system IDs of the objects in the target
instance as defined on the Advanced Package Mapping page. When the mapping is complete, the
Import and Install Packages page is displayed.
Important: Advanced Package Mapping modifies the system IDs in the target instance. Any
Data Feeds and Web Service APIs that use these objects will need to be updated with the new
system IDs.
Parent and Child Object Mapping
When mapping objects in a package, it is very important to map every object to its lowest level. On
the Advanced Package Mapping page for a package, when objects have child or related objects, a
drill-down link is provided on the parent object. Child objects must be mapped before parent objects
are mapped.

The following icons, located in the Actions column of a child object, identify whether these child
objects are mapped correctly.
The following table describes the icons.
Button Description
Indicates that the object and all child objects are mapped to an object in the target
instance. Nothing more needs to be done with these objects in Advanced Package
Mapping.
Indicates that the system could not automatically match the object or children of the
object to a corresponding object in the target instance.
Objects marked with this symbol must be mapped manually through the mapping
process.
New objects should not be mapped. This icon should remain visible. The mapping
process can proceed without mapping all the objects.
Child elements and dependencies for each root object

The following figures show the child elements and dependencies that might need to be mapped for
each type of root object.

Applications

Questionnaires


Sub-forms

Other root objects
Note: Global Values List is used by applications, questionnaires, and sub-forms.

Mapping child objects in fields

The following table describes how to ensure that all of the child elements are mapped correctly in
the following field types.
Field
Remediation
Type
Global Verify that the Global Values Lists (GVLs) match across the source and target
Values instances. If the package changes or removes existing values in a GVL, verify that
Lists these changes do not adversely impact other objects or features that use the same
GVL. Note that this is not a concern when values are added to a GVL.
Cross- Verify that the relationships match between the source and target instances for cross-
Reference reference fields. It is possible to map a cross-reference field to a different module,
thus creating error situations after package install.
Sub-form Verify that the sub-form fields map to the same sub-form in both the source and target
instances.
Matrix Verify that the values lists referenced by the matrix field match in both the source and
target instances.
CAST Verify that the child objects match in both the source and target instances. This
mapping includes the associated application, application level, and values list fields.
Mapping values lists

Values Lists can be confusing to map. The differences between the three components are:
l Values List field. The field in the application that contains the values list.
l Values List. A field-specific, or custom values list, a global values list, or a questionnaire values
list.
l Values List values. The items within the values list.
Consider the following points when you map these components:

l When mapping values lists, be sure to map the values list field, the values list, and the values list
values. If you do not map all three components, you may have unexpected results that can be
difficult to remedy.
If you map only a values list field and not the associated values list and values list values,
Packaging does not create a new values list for that field and a warning message is logged.
Anything associated with that values list, such as calculations or data driven events, may not
function properly until the values list values are added.

If you map a values list field and its associated values list, but none of the values list values,
Packaging either updates the existing or creates new values list values under that values list. This
process can potentially create duplicate values. Anything already associated with the values list,
such as calculations or data driven events, are changed to point to the new, duplicate values.
l You cannot map to different types of values list components. For example, you cannot map a
custom values list to a global values list. In the rare instance in which you may want to map to a
different type, RSA recommends that you update the object in either the source or target instance
so that the objects match. After making the updates, regenerate the package.
Note: These recommendations also apply to the values lists in matrix fields.
Exporting and Importing Mapping Settings
Mapping objects can be an involved process that takes time to complete. To ensure mappings are not
lost prior to completing the process, Advanced Package Mapping includes Export and Import
functions.
The Export function saves the current mappings to a .csv file. When exporting and naming this file, it
is important to use a detailed, logical filename. This .csv file is exported to a designated location.
The Import function imports the saved mapping file so that the mappings can be completed.
Export mapping settings

Complete this task to export mapping settings to a .csv file for the purpose of saving them. You can
then import the file at a later time to resume working.
Note: To export mapping settings you must have update rights to the Install Packages page.
1. Go to the Available Packages tab of the Install Packages page.

2. In the Available Packages section, select the package.

4. Map the objects as needed.
5. To export the settings, click in the title bar.

6. Enter a file name and location, and click Save.

Important: Use a descriptive file name to ensure that you do not make any mistakes later when
importing the file.
Import mapping settings

Complete this task to import mapping settings that were previously exported to a file.
Note: To import mapping settings, you must be a user with update rights to the Install Packages
page.
1. Go to the Available Packages tab of the Advanced Package Mapping page.

2. Locate the package that you want to map.
4. Click in the title bar.

5. Select one of the following options.
Option Description
Override All Replaces all current mapping settings with the settings in the file
Add New Retains the current settings and adds only the new settings from the file
Add New/Override Adds new settings, retains current settings, and overrrides any current
Existing settings with the settings in the file
6. Click OK.
7. Select the file to import, and click Open.
The mapping settings are imported and displayed on the Advanced Package Mapping page.
Undoing Package Mapping
Advanced Package Mapping includes an Undo feature for rolling back the mapping of objects. This
option is available from the Package Mapping Log. The Undo Mapping Changes feature only reverts
the mapping of the object. It does not undo the package installation. To undo a package installation,
restore the backup of the database.

Complete this task to undo changes made to system IDs during the Package Mapping process. The
following objects are not affected:
l System mapped objects.
l Objects where no Target selections exist.
Before you begin

Back up your instance database.
Undo package mapping

1. Select the Package that contains changes that you want to undo.

c. Click the Package Mapping Log tab.
d. Select the package.
2. On the Package Mapping Log page, click Undo Mapping Changes.

3. Select the objects that you want to undo. To select all mappings, click Undo All Mappings.
4. Click OK.
5. In the warning dialog, click OK.
When the mapping is complete, the Import and Install Packages page is displayed. A new entry
is displayed in the Package Mapping Log section with Undo in the Type column.
Exporting a Package Mapping Log for Review
The package mapping process creates a log describing the changes made to the objects in the target
instance. Complete this task to view the Package Mapping log on the Package Mapping Log page or
export a .csv file for review.
Package mapping log messages
The following table describes log messages.

Log Message Description
The update failed due The mapping process attempted to change a system ID to one that is
to a unique constraint already in use by another object. Two objects of the same type cannot
violation. have the same system ID.
The target object was The object mapped from the source instance to the target instance was
updated successfully. successfully updated in the target instance.

Log Message Description
The object you The object no longer exists. It may have been inadvertently deleted in the
attempted to update time between mapping the object and executing the mapping changes.
does not exist.
The event rule order The sequential order of the DDE rule was changed in the target instance.
was changed for this
level.
The field calculation The sequential order of the field calculation was changed in the target
order was changed for instance.
this level.
Review the package mapping log

1. Go to the Import and Install Packages page.

2. In the Package Mapping Log section, click the package that you want to view.
3. To export the report to a .csv file, click in the Action toolbar.
Task 4: Installing Packages

Complete this task to install a package after you have imported the package file. You can queue
multiple packages, however RSA Archer only installs one package at a time.
When installing a package with a core module in to a target instance in which it does not exist
Important: Ensure that you have backed up your database before beginning this procedure. The
package installation cannot be reversed. The only way to reverse a package installation is to restore
the RSA Archer database backup.
The Install Package process is queued into the asynchronous job engine. This jobs may or may not
run immediately, depending on the jobs currently queued in the job engine. The Install Package
process impersonates the user who runs the install, so any objects modified or created during the
package installation will be associated with that user.
Objects are installed in the following order:
1. Applications (and levels of the application)

2. Questionnaires
3. Sub-forms
4. Folders
5. Questionnaire values lists
6. Question filter properties
7. Fields
8. Reports
9. Layout
10. Workpoint Action (Advanced Workflow)
11. Navigation Menu items
12. Calculation formulas
13. Letterhead templates
14. Notifications
15. Workflows
16. Data Driven Event actions
17. Data Driven Event rules
18. Questionnaire campaigns
19. Questionnaire show/hide rules
20. Mail Merge Templates
21. Repository Install
22. Access Roles
23. iViews
24. Dashboards
25. Workspaces
All objects from the source instance are installed in the target instance unless the object cannot be
found or is flagged to not be installed in the target instance. A list of conditions that can cause
objects not to be installed is provided in the Log Messages section. A log entry displays in the
Package Installation Log section.
Install a package
If installing a package that contains Record Permissions fields, verify that users and groups already
exist in the target instance. If they do not, these fields might not install properly. If necessary, create
the users and groups in the target instance before installing the package.


2. In the Available Packages section, locate the package file that you want to install, and click
Install.
3. In the Configuration section, select the components of the package that you want to install.
l To select all components, select the top-level checkbox.
l To install only specific global reports in an already installed application, select the checkbox
associated with each report that you want to install.
Note: Items in the package that do not match an existing item in the target instance are selected
by default.
4. In the Configuration section, under Install Method, select an option for each selected
component. To use the same Install Method for all selected components, select a method from
the top-level drop-down list.
Option Description
Create Only creates new fields and other elements in the applications, questionnaires,
New workspaces, and dashboards specified in the package file. This option does not
Only modify any existing elements on your instance of RSA Archer. This is useful when
you want to add functionality to an existing application, questionnaire, workspace,
dashboard, or access role, but you do not want to risk making any unwanted changes
to the existing elements of the applications, questionnaires, workspaces, or
dashboards. iViews that are not currently on the dashboards that are selected for the
package install are created.
Note: The Create New Only option does not apply to access roles or languages.
Create Updates all elements in the applications, questionnaires, workspaces, and

New dashboards as specified in the package file. This includes adding new elements and
and updating existing elements. Existing iViews on the dashboards that are selected for
Update the package install are updated, and iViews that are not currently on the dashboards
that are selected for the package install are created.
Note: The Create New and Update option does not apply to access roles or
languages.
5. In the Configuration section, under Install Option, select an option for each selected component.
To use the same Install Option for all selected components, select an option from the top-level

drop-down list.
Option Description
Do not Installs the component, but does not change the existing layout. This is useful if
Override you have a lot of custom fields and formatting in your layout that you do not want
Layout to risk losing.
You may have to modify the layout after installing the package to use the changes
made by the package.
Note: The Do not Override Layout option does not apply to access roles or
languages.
Override Updates the layout as specified in the package file, overwriting the existing layout.
Layout
Note: The Override Layout option does not apply to access roles or languages.
6. To deactivate target fields and data-driven events that are not in the package, in the Post-
Install Actions section, select the Deactivate target fields and data-driven events that are not in
the package checkbox. To rename the deactivated target fields and data-driven events with a
user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a
prefix. This can help you identify any fields or data-driven events that you may want to review
for cleanup post-install.
7. Click Install.
8. Click OK.
Task 5: Reviewing the Package Installation Log

When a package is installed, RSA Archer saves a log file documenting the installation. A log file is
generated for all installations, both successful and unsuccessful. By default, this log file is located in
the Logs folder designated during the RSA Archer installation, for example, C:\Program Files\RSA
Archer\Logs.
1. Go to the Package Installation Log tab of the Install Packages page.

c. Click the Package Installation Log tab.
2. Click the package that you want to view.

3. In the Package Installation Log page, in the Object Details section, click View All Warnings.
The types of messages are:
l Failures cause the installation to quit.
o Failure. A global failure that stopped the installation and rolled back all updates.
o Minor failure. A particular object failed to install.
Failure messages
The following table lists failure messages.
Message
Description
Type
Failure Package installation failed. Unable to save <application or questionnaire name>

<level name>.
Failure Package installation failed. Unable to save <application or questionnaire

name>. No solutions available for the questionnaire.
Failure Package installation failed. Target level for Questionnaire <questionnaire

name> was not found.
Failure Package installation failed. Unable to save <application or questionnaire name>

due to mismatching application levels.
Failure Package installation failed. Critical object failed to save due to validation. The
error Log Reference ID is: <log ID>.
Failure Package installation failed. Critical object failed to save due to an exception.
The error Log Reference ID is: <log ID>.
Minor Object Installation Failed. Unable to save layout object <layout object name>.
Failure
Minor The level for Field Filter Property <field filter property name> was not found.
Failure The property was not installed.
Minor The module for Field Filter Property <field filter property name> was not found.
Failure The property was not installed.
Minor Unable to update <values list name>. Cannot change a Global Values List to a
Failure Custom Values List.
Minor Unable to update Navigation Menu <application or questionnaire name>. Field

Failure <field name> not found.

Message
Description
Type
Minor The module for Questionnaire Campaign <questionnaire campaign name> was
Failure not found. The campaign was not installed.
Minor The level for Questionnaire Rule <questionnaire rule name> was not found.
Failure The rule was not installed.
Minor Advanced workflow HTTP request error: 404 not found.

Failure
Minor Advanced workflow import: Cannot install the new advanced workflow
Failure because the target component has active jobs that are using a different version
of the workflow.
Minor Advanced workflow import: Cannot find process reference in the configuration
Failure file.
Minor Advanced workflow import: Failed to upload the archive configuration file.
Failure
Minor Advanced workflow import: Cannot get the archive tree with key {0}. ({0} is
Failure the key generated by the Advanced Workflow during workflow import.)
Minor Advanced workflow import: Cannot find process object in the archive tree with
Failure key {0}. ({0} is the key generated by the Advanced Workflow during workflow
import.)
Minor Advanced workflow import: Cannot start the import request for the process {0}
Failure with key {1} and importOption {2}. ({0} is the process id generated by the
Advanced Workflow, {1} is the key generated by the Advanced Workflow.
during workflow import, {2} is the importOption parameter. Currently
importOption is set to 1, which is “Always Replace”)
Minor The matching filters for the calculated cross reference field {0} in module {1}
Failure failed to install correctly. The field was installed, but needs to be reviewed.
l Warnings allow the installation to continue with items that you should manually remediate. An
attribute of an object could not be updated or otherwise needs to be reviewed.

Warning messages
The following table describes warning messages.
Message
The following access role referenced on the Access tab could not be resolved: <access role
name>.
Cannot change the status of Application <application name>. Updating the status of an
application via package installation is not allowed.
Cannot change Values List Type of <values list type name> from Questionnaire.
Attempted to change system field type for field <field name>. Field install was skipped.
The calculated field <field name> in the application <application name> cannot be verified.
<application or questionnaire name> Apply Conditional Layout Actions <action name> were
updated due to page layout discrepancies.
Content <content ID> was not found in the target instance.
Content not found.
The following application or questionnaire referenced on the Access tab could not be
resolved: <application or questionnaire name>.
Field Filter Property Value <field filter property name> was not found and removed from a
collection.
Field <field name> was not found and removed from a collection.
Sort field : <field name> was not found in the target instance and was removed from report :
<report name>.
Display field : <field name> was not found in the target instance and was removed from
report : <report name>.
Field : <field name> used for grouping, was not found in the target instance and was
removed from report : <report name>.
Contained Display field : <field name> was not found in the target instance and was
Field : <field name> used for calendars, was not found in the target instance and was

Message
Field : <field name> used for map pins was not found in the target instance and was
Field : <field name> used for map addresses was not found in the target instance and was
Field : <field name> referenced by a statistic step was not found in the target instance and
was removed from report : <report name>.
Field : <field name> referenced by a subform statistic step was not found in the target
instance and was removed from report : <report name>.
Field : <field name> used for charting was not found in the target instance and was removed
from report : <report name>.
Field : <field name> used for display widths was not found in the target instance and was
Questionnaire Reviewer field : <field name> was not found in the target instance and was
removed from campaign : <report name>.
Questionnaire Submitter field : <field name> was not found in the target instance and was
removed from campaign : <report name>.
Field : <field name> was not found in the target instance and the condition was removed
from the filter.
Subform Field : <field name> was not found in the target instance and the condition was
removed from the filter.
Field : <field name> referenced for value matching was not found in the target instance and
the condition was removed from the filter.
Field : <field name> used for a placeholder was not found in the target instance and was
removed from notification : <notification name>.
Event Action Authorization field : <field name> was not found in the target instance and
was removed from event action : <event action>.
Score Card Related field : <field name> was not found in the target instance and was
removed from Cast Score Card field : <field name>.
Cast Related field : <field name> was not found in the target instance and was removed
from Cast Score Card field : <field name>.

Message
Subform Display field : <field name> was not found in the target instance and was removed
from subform : <subform name>.
Subform Sort field : <field name> was not found in the target instance and was removed
from subform : <subform name>.
Inherited User/Group field : <field name> was not found in the target instance and was
removed from field : <field name>.
Inherited Related Level field : <field name> was not found in the target instance and was
Cross Reference View/Edit Display field : <field name> was not found in the target
instance and was removed from field : <field name>.
Cross Reference View/Edit Sort field : <field name> was not found in the target instance
and was removed from field : <field name>.
Related Record View/Edit Display field : <field name> was not found in the target instance
and was removed from field : <field name>.
Related Record View/Edit Sort field : <field name> was not found in the target instance and
was removed from field : <field name>.
History Log Field Selection field : <field name> was not found in the target instance and
was removed from history log field : <field name>.
Contained Reference field : <field name> was not found in the target instance and was
removed from multi-reference field : <field name>.
Questionnaire Reference field : <field name> was not found in the target instance and was
The following notification referenced in a Generate Notification DDE action cannot be

resolved: <notification name>.
Group <group name> was removed from <module authorization>. The group could not be
found.
Level <level name> was not found and removed from a collection.
The following dashboard referenced in a link cannot be resolved: <dashboard name>.

Message
The following application or questionnaire referenced in a Quick Search iView could not be
resolved: <application or questionnaire name>.
The following report referenced in a link cannot be resolved: <report name>.
The following solution referenced in a link cannot be resolved: <solution name>.
Access rights to the following page could not be configured due to missing module: <page
name>.
The level for Navigation Menu <application or questionnaire name> was not found.
The following module referenced in the Navigation Menu could not be resolved:
<application or questionnaire name>.
The following solution referenced in a workspace cannot be resolved: <solution name>.
There are no Solutions associated with <application or questionnaire name>.
<report name> report could not be created. There are no display fields for this report.
The following field referenced in a notification cannot be resolved: <field name>.
The following report referenced in a notification cannot be resolved: <report name>.
Numeric Range Value <numeric range value> was not found and removed from a
collection.
<object name> Alias was changed from <old alias name> to <new alias name>.
Object was not saved due to an exception. The error Log Reference ID is: <log ID>.
Object was not saved due to failing validation. The error Log Reference ID is: <log ID>.
<field name> in the application <application or questionnaire name> cannot be changed

from a private field to a public field.
The Notifications Enabled option for the <questionnaire name> Questionnaire was changed.
Cannot change the status of Questionnaire <questionnaire name>. Updating the status of a
questionnaire via package installation is not allowed.
Read Receipt disabled for <application name> application <DDE action name> action.

Message
Unable to update workflow. Content records are tied to the following workflow stages:
<workflow stage names>.
Unable to update the solution attribute for <application or questionnaire name>.
User <user name> was removed from <module authorization>. The user could not be found.
Values List Value <values list value name> was not found and removed from a collection.
Map Pin Value List Value : <values list value name> was not found in the target instance
and was removed from report: <report name>.
Questionnaire Quarter Value List Value : <values list value name> was not found in the
target instance and was removed from campaign: <campaign name>.
Questionnaire Year Value List Value : <values list value name> was not found in the target
instance and was removed from campaign: <campaign name>.
Matrix Column Values List Value : <values list value name> was not found in the target
instance and the condition was removed from the filter.
Matrix Row Values List Value : <values list value name> was not found in the target
Values List Value : <values list value name> was not found in the target instance and the
condition was removed from the filter.
Cast Score Card Values List Value : <values list value name> was not found in the target
Calculation Formula Values List Value : <values list value name> was not found in the
target instance.
The following notification referenced in a Workflow stage cannot be resolved: <notification

name>.
Notifications Enabled option for <application name> Application was changed.
Mobile Ready status was removed from Questionnaire.
The advanced workflow was installed, but is inactive. Please review and activate.
Module <module name> was not found. The relationship and associated display fields were
removed from the search report.

Message
<Schedule Name> references only specific users. This can potentially cause an issue on
package install.
Once the cross-reference/related record has been saved, the reference field {0} in the
module {1} cannot change from calculated to non-calculated or vice versa.
4. Click Close.
Deleting Packages
Complete this task to delete a package that is no longer needed. Package files that were generated
from the package may still be available. Deleting a package does not delete any log files that were
generated during package installation.
1. Go to the Manage Packages pages page.

2. Click in the row of the package that you want to delete.

3. Click OK to delete the package.

Chapter 16: Search and Reporting for

Administrators
Note: This section covers administrative options for search and reporting. For more detailed
information about using the features, see the Using Search and Reporting topic in the RSA Archer
Reports are saved search criteria that you can run again at a later time. The Management Reporting
feature enables you to create and manage custom reports in any application. RSA Archer also offers
out-of-the-box system reports for various features, such as application or access control reports.
There are two types of reports:
l Personal reports are only accessible by the person who created the report and the system
administrator.
l Global reports are accessible to all users in an application or to selected users and user groups.
Use the Management Reporting feature to do the following:

l Create and manage custom reports in an application or questionnaire.
l View all system, global, and personal reports from the Master Reports Listing page.
l Define templates for exporting reports to external data files, such as Microsoft Word or Excel
files.
l Define Mail Merge templates for exporting reports with mail merge fields to Microsoft Word
documents.
Multi-lingual searches
Filtered searches that look for matches in selected fields can find and display matched content in any
language in which users enter content. Keyword searches can be set up by an administrator to find
content in only the design language of an RSA Archer component, or in the design language and all
other languages in which users enter content. To enable multi-lingual keyword searches, an
administrator must adjust the setting for search index contents in the RSA Archer Control Panel to
include all languages.
System Reports
RSA Archer has default system reports for the following features.

Access control reports

Access Control includes predefined reports.
Access these reports by selecting View Access Control Reports from the Access Control menu.
Click Export Account Data to export read-only account data to a series of .CSV files, which are
then compressed into a single .ZIP file.
The following table describes the Access Control reports.
Report Description
Access Provides a summary of the access control rights associated with a given access role.
Control A role is defined as a collection of access control rights that can be assigned to a
Rights by unique group of users. You can filter this report by role, application, and page type.
Role
Access Provides a summary of the access control rights currently assigned to a given user.
Control For each page in RSA Archer, you can view the create, read, update, and delete
Rights by privileges of a user. You can filter this report by user, application, and page type.
User
Application Lists the users and groups who have been assigned ownership rights over individual
Owners applications. You can filter the list by application, questionnaire, and owner.
Failed Lists all failed login attempts within the past twenty-four hours.
Login
Attempts
Locked Lists all user accounts that are currently locked. The report also includes the time
Accounts and date that each user account was locked.
Members Lists users by the user group to which the users belong. You can filter the list by
by Group user group.
Roles by Lists all groups with a corresponding description and the roles associated with each
Groups user group. You can filter this report by user group or role.
Roles by Provides a summary of the access control rights assigned to the applications in a
Solution solution. For each application, you can view all of the associated roles and the
respective content access. You can view all roles associated with the create, read,
update, or delete rights of a user for each application in RSA Archer. You can filter
this report by solution, application, or role.

Report Description
Security Lists events related to access control, PIN requests, and global report permissions
Events for monitoring the security of RSA Archer. You can filter the report by event type or
by date range.
If the reports exceeds 10,000 records, a warning message is displayed. Do one of the
following:
l To modify the search parameters, click OK.
l To include all records in a .csv file, click Download the entire report data in
CSV.
Security Lists the properties of all security parameters that have been defined within the
Parameter system. A security parameter specifies rules for password creation, password
Properties change enforcement, account-lockout duration, and session time-out behavior.
Subform Lists the users and groups who have been assigned ownership rights to individual
Owners sub-forms. You can filter the list by sub-form.
User Provides an inventory of all existing user accounts. This report displays the last
Accounts name, first name, user name, and account status for each user in RSA Archer. You
All can filter the report by access role and account status.
If the report exceeds 10,000 records, a warning message is displayed. Do one of the
following:
l To modify the search parameters, click OK.
l To include all records in a .csv file, click Download the entire report data in
CSV.
To determine the number of user accounts in RSA Archer, export the User Accounts
All report to a .csv file and note the number of line items in the spreadsheet.
User Lists the users whose accounts have remained inactive for a specific period. You
Inactivity can filter the report by inactive date and last accessed date range.
Log
Application reports
Access these reports by clicking on the Manage Applications page.

The following table describes the reports available for each application in RSA Archer.

The following table describes the Application reports.

Report Description
Application Shows the configuration, including the formula, for each calculated field in the
Calculation application.
Summary
Application Lists the custom objects and their associated content in the application.
Custom
Object
Summary
Application Lists the data driven events in the application, including the description, action type,
Data- and status.
Driven
Events
Summary
Application Provides detailed information about each field in the application, including field ID,
Detail description, Help text, field help options, field type, control type, selected
configuration options, access, and so on. It also contains notification and content
review information.
Application Shows the configuration of each field within the application.

Field Detail
Application Shows the notification templates associated with the application and the
Notification configuration for each, including the assigned users and groups.
Detail
Application Provides a summary of the access control rights for private fields in the application.
Private It contains all private fields that give a user or group full access, cascade, or read-
Fields only privileges.
Application Shows the record permissions configurations in the application for manual selection
Record (including rule name and description, if applicable), inherited permissions, and
Permissions automatic selection.
Summary
Application Lists all field types in the application. It includes a count of each field type and the
Summary total number of standard and calculated fields.
by Field
Type

Report Description
Application Lists the values and configuration for each Values List field in the application.
Values List
Summary
Page Hits Provides information about the number of times application pages have been
accessed by different users during a given time frame. Pages are grouped in this
report by application. The report shows the number of times each page has been
accessed, and it also contains the total percentage of all page hits in the system and
each application portion of that total.
Record Provides details of the date and time users accessed a particular application record.
View
Detail
Record Provides a summary of the content records that have been accessed by all users
View during a given time frame. It also shows the number of content records in each
Summary application and the number of times a record has been accessed in each application.
In addition, the report contains the total percentage of all content hits in the system
and each application portion of that total.
Discussion forum reports

The following table describes the discussion forum reports.
Report Description
Discussion Provides a list of each discussion forum, including the name, the community it resides
Forums in, the number of topics in the forum, the total number of posts in each forum, and the
Summary date and time of the last post to the forum.
My Provides a list of discussion forums for which you are a member. It shows the name
Discussion of each forum, the community it resides in, the topics included in it, the number of
Forums posts in each forum that you have or have not read, the total number of posts in each
forum, and the date and time of your last visit to each forum.
Notification reports
To access these from the menu bar, click . Under Notifications, click View Notification
Reports.

The following table describes the notification reports.

Report Description
Notification Provides the number of successful and failed notification email deliveries within
Engine the last 24 hours.
Recent
Activity -
Last 24
Hours
Notification Provides the notification templates to which users have subscribed. The report
Subscriptions displays the template, user name, recipient email address, notification type, and
application for each notification.
Notifications Provides a list of notification emails that failed delivery. It lists the users whose
Failed Email mailbox the email attempted to reach, the email address of the recipient, the date
Attempts and time of the last email attempt, and the total number of delivery failures.
Notification Provides the status of emails triggered by notification templates that are configured
Return to request read receipts. The report shows when each email was sent, whether the
Receipts user who received each email responded to the read-receipt request, and the date
and time of each response.
Notifications Provides a list of all notification emails that have been sent. It lists the email ID,
Sent the user who received the email, the email address of the recipient, and the From
address for the email. The report also shows the notification template that triggered
each email, the subject line of each email, and the date and time each email was
sent.
Questionnaire reports
To access these reports click for the questionnaire on the Manage Questionnaires page.
The following table describes the questionnaire reports.
Report Description
Question This report lists each question within a questionnaire, along with their attributes.
Detail For Values List questions, the report also shows each answer and its attributes.
Questionnaire This report presents a bar chart indicating the answers for each Values List
Answer question and the distribution across all responses. You can filter the report by
Distribution questionnaire, category, or question. You also can click the question to view the
by Question Questionnaire Results By Question Detail report, which contains information
about each question.

Report Description
Questionnaire This report shows the configuration, including the formula, for each calculated
Calculation field within a questionnaire.
Summary
Questionnaire This report presents a bar chart of the compliance percentage for each
Compliance authoritative source within one questionnaire or across questionnaires. You can
by filter the report by questionnaire. You also can click the category to view the
Authoritative Questionnaire Results by Authoritative Source report.
Source Chart
Questionnaire This report presents a bar chart of the compliance percentage for each category
Compliance within a questionnaire. You can filter the report by questionnaire. You can click
by Category the category to view the Questionnaire Results by Category report.
Chart
Questionnaire This report presents a bar chart of the compliance percentage for each question
Compliance within a questionnaire. You can filter the report by questionnaire or category. You
by Question also can click the category to view the Questionnaire Results by Question report.
Chart
Questionnaire This report lists the custom objects and their associated content within a
Custom questionnaire.
Object
Summary
Questionnaire This report lists the data driven events within a questionnaire, including the
Data Driven description, action types, and status.
Events
Summary
Questionnaire This report provides detailed information about each field within a questionnaire.
Detail
Questionnaire This report shows the configuration of each field within a questionnaire.
Field Detail
Questionnaire This report shows the notification templates associated with a questionnaire and
Notification the configuration for each, including the assigned users and groups.
Detail

Report Description
Questionnaire This report provides a summary of the access control rights for private fields
Private Fields within a questionnaire. It lists all private fields that give a user or group full
access, cascade, or read-only privileges.
Questionnaire This report shows the record permissions configurations within a questionnaire for
Record manual selection, inherited permissions, and automatic selection Record
Permissions Permissions fields.
Summary
Questionnaire This report lists the results associated with each authoritative source attributed to
Results by one questionnaire or across questionnaires. You can filter the report by
Authoritative questionnaire, category, or authoritative source. You also can click the key field to
Source view general and reference content information about the field.
Questionnaire This report lists the results associated with each category within a questionnaire.
Results by You can filter the report by questionnaire or category. You also can click the
Category category to view the Questionnaire Results by Question report.
Questionnaire This report lists the results associated with each question within a questionnaire.
Results by You can filter the report by questionnaire, category, or question. You also can
Question click the question name to view the Questionnaire Results by Question Detail
report, which contains more information about the question.
Questionnaire This report presents a bar chart of the score for each authoritative source within
Score by one questionnaire or across questionnaires. You can click the authoritative source
Authoritative to view the Questionnaire Results by Authoritative Source report.
Source Chart
Questionnaire This report presents a bar chart of the score for each category within a
Score by questionnaire. You can filter the report by questionnaire. You also can click the
Category category view the Questionnaire Results by Category report.
Chart
Questionnaire This report lists all field types within a questionnaire. It includes a count of each
Summary by field type and the calculated fields as well as the total number of standard and
Field Type calculated fields.
Questionnaire This report lists the values and configuration for each Values List field within a
Values List questionnaire.
Summary
Solution reports
To access these reports click

on the Manage Solutions page.
Important: To view the Solution Diagram reports, you must have a copy of Microsoft Office Visio
installed on your computer.
The following table describes the solution reports.

Report or
Description
Diagram
Roles by Provides a summary of the access control rights assigned to the applications in
Solution the solution. For each application, you can view all of the associated roles and
their respective content access. You can filter this report by solution,
application or role.
Solution Produces a Visio diagram that contains the applications in a solution with all the
Diagram - All fields listed. Arrows in the diagram represent cross-reference relationships
Fields among applications and fields, along with the following information for each
application:
l Application name
l Application ID and GUID
l Application status (Production, Development, and so on)
l Number of records by data level
l Names of the key fields
l Names of all fields with their field type to understand the abbreviations used
in the solution diagram.)
l Names of all global Values List fields with the name of the global values list
Arrows in the diagram represent relationships among applications and

questionnaires across solutions.
Solution Shows the solutions contained in the system with their IDs and GUIDs, and a
Diagram - All listing of all applications contained in each solution. Arrows in the diagram
Solutions represent relationships among applications and questionnaires across solutions.
Solution Shows the solutions contained in the system with their IDs and GUIDs, and a
Diagram - listing of all applications contained in each solution. Arrows in the diagram
Application represent cross-reference relationships among applications and questionnaires
Relationships by contained in the solutions.
Solution

Report or
Description
Diagram
Solution Produces a Visio diagram that shows the solution name, instance name, and
Diagram - Platform version number, along with the following information for each
Application application:
Summary l Application name
Arrows in the diagram represent cross-reference relationships among

applications.
Solution Produces a Visio diagram that shows the solution name and Platform version
Diagram - Field number, along with the following information for each application:
Statistics l Application name
l Total number of fields
l Number of fields by type (Date: 2, Numeric 3, and so on)

applications.

Report or
Description
Diagram
Solution Produces a Visio diagram that shows the solution name, instance name, and
Diagram - RSA Archer version number, along with the following information for each
Relationship application:
Fields l Application name
l Names of the key fields
l Names of all relationship fields (Cross-Reference, Related Records, and
Cross-Application Status Tracking) with their field type to understand the
abbreviations used in the solution diagram.)
l Names of all global Values List fields with the name of the global values list

applications.
Solution Shows the solutions contained in the system with the solution IDs and GUIDs.
Diagram - Arrows in the diagram show the relationships among applications and
System Solution questionnaires across solutions.
Summary
Solution Provides a listing of applications and questionnaires in the solution and their
Summary descriptions. For leveled applications, the level names and descriptions also are
listed.
Sub-Form reports
A Sub-Form Detail Report is available for each sub-form in RSA Archer. To access these reports
click on the Manage Sub-Forms page.
For each field within the sub-form, the following general information is provided:
l Field Name
l Field ID
l Field Type
l Status

l Description
l Display Control
l Field Permissions
Training and Awareness reports

The following table describes the training and awareness reports.
Report Description
Campaign Provides a detailed list of Training and Awareness events. For each event, the report
Events provides a summary of event properties by event. You can filter this report by
campaign and event.
Campaign Allows you to view individual user responses to Training and Awareness events. You
Response can view the name of each user who participated in an event, the event name, the
Detail response type, the response date, and any comments the user included in the response.
You can filter this report by campaign, event, and response type.
Campaign Provides a summary of responses for individual events within Training and Awareness
Response campaigns. For each event, you can view the event name, status and type. You can
Summary also view the number of users who responded to the event, broken down by response
type. You can filter this report by campaign.
Campaign Lists all events within individual Training and Awareness campaigns and provides the
Status current status of each event. You can filter this report by campaign.
Details
Campaign Provides a summary of all Training and Awareness campaign statuses, including the
Status number of completed, empty, in progress, and queued campaigns.
Summary
Quiz Provides the question details for Training and Awareness quizzes. For each quiz
Event question, you can view the percentage of users who selected each answer. You can
Question filter this report by campaign, quiz, and question.
Detail
Quiz Provides the results for Training and Awareness quizzes. For each quiz, you can view
Event results for individual participants, including the percentage of questions each user
Results answered correctly and the number of times each user retook the quiz. You can filter
Detail this report by campaign and by quiz.

Report Description
Quiz Provides the results for Training and Awareness quizzes. For each quiz, you can view
Event the number of users who passed or failed the quiz and the number of users who
Results skipped the quiz or never responded. You can filter this report by campaign and by
Summary quiz.
Quiz Provides the user details for Training and Awareness quizzes. For each quiz question,
Event you can view the user entry, the correct answer and the status (correct or incorrect) of
User the user entry. You can filter this report by campaign, quiz, and user.
Detail
Using the Master Report Listing

The Master Report Listing page displays global and personal reports. You can filter the reports
displayed on the Master Report Listing page by name, solution. application, or type.
Note: Only users who have global report administration rights can add, edit, and delete global
reports from the Master Report Listing. To access the User Accounts All report from the Master
Report Listing, a user must have at least read permission to the Manage Users page. For more
information, see Adding User Accounts.
Add a report
1. Go to the Master Report Listing page.

b. Under Management Reporting, click Master Report Listing.
2. Click Add New.

3. Select an application.
4. Click OK.
5. Run a search.
6. Save the search results as a report.
Run a report


2. (Optional) Use the Grouping and Filter toolbars to filter and sort the list.
3. Select the report.
Update a report

2. Select a report you want to update.

3. Click .
4. Enter search criteria of the report, and click Search.
l To save the report, click Save.
l To save a separate report with your changes, select Save as New Report from the list
displayed.
l To save the changes to the existing report, select Save Report Changes from the list
displayed.
6. Complete the Report Information section.
7. In the Report Type section, select the report type: Personal or Global.
If you selected Global Report, assign user and groups access rights for the report.
Note: The report cannot be saved if the default language of the global report does not match the
default language of the user.
8. Complete the iView Caching section.

9. In the Refresh Rate list, select how often you want the report to refresh.
If a refresh rate is set, iView caching is disabled.
Note: If you change the cache duration from one time range to another, open and refresh the
Report iView to complete the change.
10. Click Save.

Print a list of reports

2. Click Print.
3. In the Print dialog box, click Print.
Delete a report

2. From the menu bar, click the User menu and select Reports.
3. In the row of the report that you want to delete, click .

4. Click OK.
Defining Report Export Templates

Define templates for reports that you want to export to external data files by uploading Microsoft
Word and Excel templates. Microsoft Word templates are used for data exports in Word or
PDF format. Microsoft Excel templates are used for Excel exports. You can also create a custom
header and footer for HTML exports.
Add a template for record exports
1. Go to the Manage Global Print and Export Settings page.

b. Under Management Reporting, click Global Print and Export Settings.
2. To add an RTF template, do the following:

a. In the RTF Configuration section, click Add New.
b. In the File Upload dialog box, click Add New.

c. Browse and select the .doc or .docx file you want to upload.
d. Click OK.
3. To add an Excel template, do the following:
a. In the Excel Configuration section, click Add New.
b. In the File Upload dialog box, click Add New.
c. Browse to and select the file.
d. Click OK.
4. (Optional) To specify the template as the default, select the Default option.
Create a custom header and footer for HTML exports

b. Under Management Reporting, click Manage Global Print and Export Settings.
2. In the HTML Configuration section, enter the text in the Header and Footer fields.
Note: You can use the Rich Text Editor toolbar to format the text.

Delete a template for record exports

b. Under Management Reporting, click Manage Global Print and Export Settings.
2. In the row of the template that you want to delete, click .




Chapter 17: Dashboards, iViews, and Workspaces

Note: This topic is intended for administrators. For an overview for users, see Workspaces,
Dashboards, and iViews topic in the RSA Archer Online Documentation.
The Workspaces and Dashboards feature is designed to allow organizations to promote security
awareness and efficient, effective communication by providing users with quick access to
information and tools related to their job functions.
Through Workspaces and Dashboards, administrators create dashboards and iViews to display
reports, links, embedded web pages, RSS feeds, and other custom content. Administrators can
display these iViews to end users through workspaces, which are pages of related content.
Example: Workspace, dashboard, and iViews
The following table lists UI features.

Number UI Feature
1 iViews
2 Workspace
3 Dashboard

By grouping iViews with related content into dashboards and applying those dashboards to
workspaces, you can create custom views for specific user audiences. For example, a Workspaces
and Dashboards administrator could create an Incident Management workspace for personnel
involved in investigating and resolving security incidents. This workspace could contain iViews that
display investigation assignments in each user’s queue, which show the status of all unresolved
investigations and provide links to internal and external resources.
iViews can provide users at all levels in your organization hierarchy with the information they need
to make decisions, complete tasks, and stay up to date. Examples of content that may be displayed
through iViews include content review queues, links to security policies, links to industry or
regulatory sites, embedded web pages, recent vulnerability alerts, company financial information,
technology-related links and news, logon information, and security questions and answers. All of this
information can be displayed on a dashboard, allowing users to click between the iViews or view
them all at once.
Users access a workspace by clicking the workspace tab at the top of the page. As an administrator,
you can customize each workspace and the Navigation Menu to display only solutions with related
content, allowing users to access the information and tools they need without having to sort through a
lengthy menu of solutions and applications.
If you have access to at least one page in RSA Archer features, you can view the Administration
workspace that provides access to an administrative dashboard that has links and reports displayed
through iViews. In addition, you can access RSA Archer features such as Access Control,
Workspaces and Dashboards, and Application Builder from this workspace.
Caching search results

To improve performance, Report iViews can display cached search results. When caching is
enabled, cached Report iViews include a Cached Report message. Caching requires configuration of
a caching provider before it can be enabled.
You can enable and disable the global caching behavior for Report iViews in the RSA Archer
Control Panel. Users can adjust caching behavior for individual Report iViews on the Save Report
page. Users can also manually refresh a cached Report iView to display updated results.
Users can click a Report iView window to open the list of records found by its associated search.
Selecting a record from the list opens the record for viewing or editing based on the permissions of
the user. Changes made to a record are reflected in the iView immediately after the changes are
saved.
Building Workspaces
Workspaces are tabbed groupings of dashboards and iViews with related content. Click the
Workspace tab at the top of any page to access a workspace.

Note: When there are more tabs than can fit across the top of the page, a More tab displays to the
right of the workspace tab strip to allow you to select from a list of workspaces.
Each time an Application Builder administrator creates a new solution, a workspace is automatically
created for that solution. The workspace shares the solution name, and access to the workspace is
granted to the administrator who created the solution. Once a solution-based workspace is created,
Workspace and Dashboard administrators can configure the workspace properties, including its
content, Navigation Menu settings, and access rights.
Create a workspace
1. Go to the Manage Workspaces page.

b. Under Workspaces and Dashboards, click Workspaces.

l To create a new workspace, click Create a new Workspace from scratch.
l To create a workspace from an existing workspace, do the following:
a. Select Copy an existing Workspace.
b. Select the workspace that you want to copy from the Workspaces list.
3. Click OK.
5. In the Options section, select the behavior.
6. (Optional) Click Enable to allow users to create personal dashboards in the workspace.
7. (Optional) Attach documentation to your workspace.
Customize the workspace menu
1. Go to the Workspace Menu tab of the workspace that you want to modify.


c. Select the workspace.

d. Click the Workspace Menu tab.
2. In the Workspace Menu section, click Choose Icon.

3. Select an icon.
4. In the Solution Content section, select the display options.
Add quick reference links to a workspace

Quick Links are useful for providing fast access to frequently viewed features.
1. Go to the Quick Reference tab of the workspace that you want to modify.

d. Click the Quick Reference tab.
2. Click Add New Link in the Quick References Links list.

3. From the Type list, click the quick reference type you want.
Option Action
Internal Allows the user to link to internal pages and functions.

Page
Report Allows the user to link to personal and global reports.
Dashboard Allows the user to link to personal and global dashboards.
External Allows the user to create links to external sites. When a user clicks the link, the
Link external site is displayed in the workspace section.
Content Allows the user to link to personal and global records.

Record
4. Define the properties of the quick reference link.
Add an internal page

a. In the Link To field, select the target page from the Available list.
b. Click OK.
c. Enter the name of the link in the Display Name field and a description in the Description
field.
Add a report
a. In the Link To field, select the target report from the Available list.
b. Click OK.
field.
Add a dashboard
a. In the Link To field, select the target dashboard from the Available list.
b. Click OK.
field.

Add an external link

a. In the Link To field, supply a URL.
b. In the Action field, select either Embed in existing window, or Open in new window to
determine how your link will open.
field.
Add a content record
a. Click to make a selection from the Record Lookup list.

b. Select the target record and click OK.
field.

Add or remove workspaces to display

You can customize your workspace tab strip to show only the workspaces that you use.
1. Click your UserName menu on the workspace menu bar.
2. Click Workspace Display.
3. In the Select Workspaces section do either of the following:
l Select the checkbox beside each workspace that you want to display.
l Deselect the checkbox beside each workspace that you want to remove from the display.
4. Click Save.
Delete a workspace
Deleting a workspace permanently removes the workspace and any personal associated dashboards
from the database. Deleting a workspace does not delete any global dashboards associated with the
workspace.

.
2. Click in the Actions column.

3. Click OK.
Building Dashboards
Dashboards are groupings of global iViews with related content.
Use the Dashboard list in the page toolbar to select a dashboard within a workspace.
Administrators group multiple iViews into a single dashboard to allow user to access multiple
iViews from one workspace. Administrators can build global dashboards and enable users to build
personal dashboards.
l Global dashboards. Can be viewed by all users assigned global access by administrators on the
Access tab of the Manage Dashboards page. Only administrators can edit global dashboards.
Users can rearrange global dashboards. Any modifications to the layout or size of the iViews are
saved only to the users current session.
l Personal dashboards. Can be created and viewed by all users assigned access by group, user,
role, or solution on the Access tab of the Manage Dashboards page. Personal dashboards are
specific to the user and are not confined to the user's current session only. Users can modify the
layout and size of the iViews, and the changes are saved in real time.
Before you begin

l Build a workspace.
Build a dashboard
1. Go to the Manage Dashboards page.

b. Under Workspaces and Dashboards, click Dashboards.


l To create a new dashboard, Click Create a new Dashboard from scratch.
l To create a dashboard from an existing dashboard, do the following:
a. Click Copy an existing Dashboard.
b. Select a dashboard to copy from the Dashboards list.
3. Click OK.
5. In Layout design, in the Column Layout section, select the column layout for the dashboard.
6. (Optional) Attach documentation to your dashboard.
8. Click Select iViews and do one of the following.
l Build a new Global iView from scratch.
a. Select the type of iView you want to create.
b. Build a Global iView.
c. Click OK.
l Select from Global iView Library.
a. Check the iViews for the dashboard.
b. Click OK.
9. Click the Access tab, and select either Public or Private.
Update a dashboard display
Important: You can configure personal dashboards only if you have been granted access by your
RSA Archer administrator.
1. From the menu bar, click the workspace to which you want to add a dashboard.
2. From the Options list, do one of the following:
l To add a new dashboard to the workspace, select Add New Global Dashboard or Add New
Personal Dashboard.

l To edit an existing dashboard, select Edit Global Dashboard Properties or Edit Personal
Dashboard.
3. On the Manage Dashboards page, enter the name of the dashboard and a description that you
want in the General section.
4. Chose your column layout in the Layout section.
5. (Optional) Add documentation to your dashboard.
6. Click OK.
7. If you are adding a new dashboard to the workspace and want to update the iView content, do
the following:
a. From the Options list, select Add iView Content.
b. On the iView Type Selection page, click Select from Global iView Library.
c. From the Name list, select the iViews that you want to display in your dashboard.
d. Click OK.
8. If you are editing an existing dashboard and want to update the iView content, do the following:
a. From the Options list in the page toolbar, select Add iView Content.
b. On the iView Type Selection page, click Select from Global iView Library.
c. From the Name list, select the iViews that you want to display in your dashboard.
d. Click OK.
9. If you are editing an existing dashboard and want to add new iView content, do the following:
a. From the Options list in the page toolbar, select Add iView Content.
b. On the iView Type Selection page, click Create a new Global iView from scratch.
c. Select the iView type.
d. Build a global iView.
e. Click OK.
Delete a dashboard
1. Go to the Manage Dashboards page.

b. Under Workspaces and Dashboards, click Dashboards.
2. In the Actions column of the dashboard you want to delete, click .

3. Click OK.

Delete a dashboard from a workspace

Deleting a dashboard removes the dashboard from the workspace, but does not delete it from the
dashboard database. Global iViews associated with the dashboard are not deleted. You can only
permanently delete dashboards if you have been granted administrative permission.
1. From the menu bar, click the workspace that contains the dashboard that you want to delete.
2. From the Options menu, select Edit Workspace Properties.
3. On the Manage Workspaces page, click the Dashboards tab.
4. Click to delete the dashboard.
5. Click Save.
Building Global iViews

iViews are configurable according to the specific iView type.
For example, for a Report iView, you can include one or many reports, determine the selection order
of the reports in the iView and identify the report that is initially displayed to the user. Additionally,
you can allow horizontal scrolling for any of the selected reports to extend the report contents
beyond the width of the iView.
iView types
The following table describes the types of iViews.
iView
Description
Type
Canvas Displays predefined templates with various presentations for content and graphics.
Custom Displays custom text, HTML, or Flash presentations or to execute custom scripts,
such as JavaScript.
RSA recommends that only trusted Administrators have permission to create and edit
custom iViews.
Embedded Embeds entire web pages directly in an iView.

URL
Global Displays search criteria options in an iView for the user to search records across
Search applications.
Links List Displays links to websites, intranet sites, and frequently used internal application
pages in a single iView.

iView
Description
Type
Report Displays global reports in a single iView. In addition, you can display charts
generated through a statistics search.
RSS Feed Displays data from an RSS feed. RSS feeds contain headlines and summary
information from articles on websites supporting RSS.
Video Embeds video directly in an iView using HTML.
Before you begin

1. Build a workspace.
2. Build a dashboard.
Build a global iView
1. Go to the Manage Global iViews page.

b. Under Workspaces and Dashboards, click Global iViews.

l To create a new iView, select Create a new Global iView from scratch.
a. Select the type of global iView you wish to create.
b. Click OK.
l To create a global iView from an existing iView, click Copy an existing Global iView, and
then select the Global iView you want to copy.
3. Click OK.
4. Complete the setup for your iView.
Build a canvas iView

a. In the General Information section, enter the name and a description.
b. In the Folder field, select or create a folder.
c. In the Options section, in the Canvas Style field, click to select a layout in the Selected
Layout Template dialog box.
d. Select the layout you want, and click OK.
e. Enter a name in the Title field.

f. Enter the content in the Content field.

g. (Optional) In the Documentation section, click Add New to add documentation to your
iView.
Build a custom iView

c. In the Options section, in the Custom Content field, enter the content.
d. (Optional) In the Documentation section, click Add New to add documentation to your
iView.
Build an embedded URL

c. In the Options section, in the URL filed, enter the URL you wish to embed.
d. (Optional) Select an option from the Refresh Rate list.
e. (Optional) In the Documentation section, click Add New to add documentation to your
iView.
Build a global search iView

c. In the Options section, in the column Display field, chose One Column or Two Columns.
d. (Optional) In the Description field, select Embed the iView description in the iView to
display the description in the iView.
e. (Optional)In the Search Button field click Add to add a search button.
i. In the Files to Upload section, Click Add New.
ii. Select the file you wish to add and click OK.
iii. In the Available Graphics section, Click Add New.
iv. Click OK again.
f. (Optional) In the Applications section. click Add New to define the applications for the
search.

i. From the Application Name list, select the application that you want to associate the
iView to.
ii. Make selections from the Visibility field and Defaulted Behavior field.
g. (Optional) In the Documentation section, click Add New to add documentation to your
iView.
Build a links list iView

c. In the Options section, in the Layout field, select one of the following:
l Simple List: In the Configuration section that appears, do one of the following.
o Select a link from the Available Links field by double clicking it.
o Type in your own link and click Add.
l Descriptive list: In the Configuration section that appears, do the following:
i. In the General Information section, enter the name and a description.
ii. Insert a link in one of two ways:
o Select a link from the Available Links field by double clicking a link.
o Type in your own link and click Add.
iii. (Optional) In the Primary Graphic field, Add a graphic:
1. Click Add.
2. In the Available Graphics section, Click Add New.
3. In the Files to Upload section, Click Add New.
4. Select the file you wish to add and click OK.
5. Click OK again.
iv. Click OK.
d. In the Options section, in the Column Display field, select One Column or Two Columns.
e. (Optional) In the Documentation section, click Add New to add documentation to your
iView.
Build a report iView


c. In the Options section, in the Reports field, select the report or reports that you want
displayed in the iView from the Available Reports list.
d. To determine the selection order of the reports in the iView, highlight the report title and use
to arrange the reports in the preferred order.
Note: The first report listed is the report that is initially displayed to the user.
e. Select Enable Scrolling for each report that you want to allow horizontal scrolling.
f. (Optional) In the Documentation section, click Add New to add documentation to your
iView.
Build an RSS feed iView

c. In the Options section, in the URL field, select an address from the URL list and enter the
URL address.
d. In the Feed Elements field, select the display options that you want.
e. In the Articles Displayed field, select the number of articles that you want displayed.
f. In the Refresh Rate field, select how often you want the feed refreshed.
g. In the Authentication field, select your authentication preferences.
h. In the Days Displayed field, select the number of days to display the feed.
i. (Optional) In the Documentation section, click Add New to add documentation to your
iView.
Build a video iView

c. In the Embedded Video HTML field, enter the embedded HTML or the URL.
Important: For proper formatting guidelines, see Formatting iView Videos.
d. (Optional) In the Documentation section, click Add New to add documentation to your
iView.


Create a new folder for a Global iView
1. Go to the General Tab of the iView that you want to modify.

c. Select the global iView.
2. In the General Information Section, in the Folder field, click Edit.

3. In the Manage Folders window, click Add New.
4. Enter the name of the folder, and click OK.
5. In the Folder list, ensure the correct folder is selected.
Update an iView display
1. In the iView title bar, click and select Edit Properties.

2. In the Options section, edit the iView display as needed, and click OK.
Note: The list of available menu options depends on the type of iView that you are viewing and
the access rights assigned to you by your administrator.
3. (Optional) To resize the iView, click, hold and drag the arrow in the bottom right corner of the
iView, and click Save Changes.
4. (Optional) To move the iView, click and hold the title bar of the iView and drag and drop the
iView to the new location, and click Save Changes.
Delete a global iView

This permanently purges the dashboard from the database. Only administrators can delete global
iViews.
Important: If you delete an iView, it cannot be recovered.
1. Go to the Manage Global iViews page.


.
2. In the Actions column of the iView you want to delete, click .

3. Click OK.
Formatting iView Videos

You can embed videos into an RSA Archer iView from both external or internal sources.
Embedding From an External Source

If you are embedding a video from an external source, such as YouTube, you must take the embed
code provided by YouTube and add ?wmode=transparent to the end of the URL. For example:
Sample YouTube source embed code:

<iframe width="560" height="315" src="https://www.youtube.com/embed/xyz" frameborder="0"
allowfullscreen></iframe>
Add ?wmode=transparent to the end of the URL:
<iframe width="560" height="315" src="https://www.youtube.com/embed/xyz?wmode=transparent"
frameborder="0" allowfullscreen></iframe>
Important: If you do not add ?mode=transparent to the end of the URL, the video displays
improperly.
Embedding From an Internal Source

If you are embedding a video that is being hosted locally, use the <video> tag to ensure proper
functionality. For example:
Sample internal source embed code:

<video width=”320” height=”240” controls>
<source src=”/ACME_Company/video.mp4” type=”video/mp4”>
</video>

Assigning Access Rights to iViews, Dashboards, and Workspaces

Access rights make iViews, dashboards, and workspaces either public to all users, or private so that
only a few users can view or use them.
1. Go to the Access tab of the global iView, dashboard, or workspace that you want to modify.

b. Under Workspaces and Dashboards, click Global iView, Dashboard, or Workspace.
c. Select the global iView, dashboard, or workspace.
d. Click the Access tab.
2. Select whether the global iView, dashboard, or workspace is public or private:

l Public: Allow all users in the system access to this iView, dashboard, or workspace.
l Private: Allow only specific users and groups access to this iView, dashboard, or workspace.
3. If you selected Private, select whether to assign or revoke access rights for the iView,
dashboard, or workspace from the Available list according to the following options:
a. In the Available list, expand the Group, User, Role, and Solution nodes.
b. Select the groups, users, roles, and solutions you wish to have access to the global iView,
dashboard, or workspace.
4. (Optional) To revoke access rights from a group, solution, role, or user, click in the Selected
list.
Attaching Documentation to iViews, Dashboards, and Workspaces

You can attach documentation to an iView, dashboard, or workspace.
1. Select the global iView, dashboard, or workspace that you want to update.

b. Under Workspaces and Dashboards, click Global iView, Dashboard, or Workspace.
c. Select the global iView, dashboard, or workspace.

3. Select the file that you want to upload, and click OK.
4. To download attached documentation to the global iView, dashboard, or workspace:
a. Click the file name in the Name column.
b. Click Save in the File Download dialog box.
c. Select the location where you want to save the document and click Save.
Configuring Workspaces
Configure workspaces to display specific content.
Configure dashboards for a workspace
1. Go to the Dashboards tab of the workspace that you want to modify.

d. Click the Dashboards tab.
2. Click Select Dashboards.

3. Select the dashboards, and click OK.
Configure the display order for dashboards within a workspace
Note: Completing this procedure only sets the default workspace display order. Changing the default
does not affect any display orders that users have already customized using the Reorder button (see
Reorder workspaces on the menu bar in "Personalizing Your User Interface" in the RSA Archer
Online Documentation).

1. Go to the Dashboards tab of the workspace that you want to modify

d. Click the Dashboards tab.
2. Click Configure Display Order.

3. In the Dashboard Display Order dialog box, drag and drop the dashboards in the sequence that
you want them presented for the user, and click OK.
4. (Optional) To remove a dashboard from the workspace, click in the Actions column.
Configure the display order for workspaces

2. In the Workspaces toolbar, click Configure Display Order.

3. Drag and drop the workspaces into the sequence that you want them displayed as for the user.
4. (Optional) Click OK to return to the Manage Workspaces page.
Exporting Dashboards
You can export a dashboard to an external file.
1. Display the dashboard that you want to export.
a. From the menu bar, click the workspace that contains the dashboard.
b. Click the Dashboard drop-down, and then select the dashboard.

2. Click Options, and then do one of the following:

l Click Export to PDF to export the dashboard in Portable Document Format.
l Click Export to PPTX to export the dashboard as a Microsoft PowerPoint presentation.
3. In the Export Complete dialog, click here to access the exported file.
4. Open or save the exported file using the tools available in your browser.
The following table indicates how the dashboard elements appear in each of the available
presentation formats.
Format Description
Portable Document Format (PDF) l The title page displays the name of the
dashboard.
l Each chart type report appears on a single
page.
l iViews appear in the order in which they are
laid out on the dashboard (left to right followed
by top to bottom).
l The time and date stamp appears at the bottom
of the PDF window to indicate when the
dashboard was exported according to locale.
PowerPoint presentation (PPTX) l The title of the presentation is the same as the
name of the dashboard.
l The slide title matches the name of the report.
l The process exports only the first report of a
multi-report iView.
l Each chart-type report appears as a single
slide.
l A hierarchical report displays only the first
level without expanding the tree.
l iViews appear in the order in which they are
laid out in the dashboard (left to right and then
top to bottom).
l The table of contents contains references to all
the slides created during the export.
l The title slide displays a time and date stamp
to indicate when the dashboard was exported
according to locale.

Admin Dashboard
The Admin Dashboard displays information about the health of the system, which enables system
administrators to easily identify areas that need to be addressed. The Admin Dashboard is installed
with the main platform installation and is only available to the System Administrator and users in the
System: Admin Dashboard group.
When first added, the Admin Dashboard automatically loads data from the previous eight days at an
hourly interval. System administrators can customize which metrics are reported by adding and
editing which fields are included in Admin Dashboard.
In the Archer Control Panel, system administrators can edit the run frequency and data retention
period. The Admin Dashboard job status can be managed and the job removed from and re-added to
the Job Engine.
The Admin Dashboard also provides detailed dashboards for the following areas:
l Advanced Workflow
l Content
l Data Feeds
l Job Engine
l LDAP Sync
l Licensable Objects
l Notifications
l Search Index
l User Activity
Note: To enable all features and iViews of the Admin Dashboard, map and install the Admin
Dashboard package. For more information, see "Install the Admin Dashboard Package" in the
RSA Archer Online Documentation.
Install the Admin Dashboard Package

When upgrading, it is necessary to install the Admin Dashboard Package. For more information, see
"Admin Dashboard" in the RSA Archer Online Documentation.
To enable all features and iViews of the Admin Dashboard, you must import and install the Admin
Dashboard package.
Import and map the Admin Dashboard package

1. On RSA Link, download the Admin Dashboard package file.


3. In the Available Packages section, click Import.

4. Click Add New, then locate and select the Admin Dashboard package file.
5. Click OK.
The package file is displayed in the Available Packages section and is ready for installation.
Note: Only the package file has been imported; you must map and install the package file to
migrate the components to your instance of RSA Archer.
6. Map objects from the package.
Install the Admin Dashboard package

2. In the Available Packages section, select the Admin Dashboard package, and click Install.
3. In the Configuration section, select the components of the package that you want to install.
l To select all components, select the top-level checkbox.
l To install only specific global reports in an already installed application, select the checkbox
associated with each report that you want to install.
Note: Items in the package that do not match an existing item in the target instance are selected
by default.
4. In the Configuration section, in the Install Method and Install Option fields, select one of the
following options for each selected component.
l Create New and Update
l Override Layout(s)
l Full Install
l Override Permission(s)
5. Click Install.
6. Click OK.

7. Review the Package Installation Log.
Add the Admin Dashboard

The Admin Dashboard is only available to the System Administrator and users in the System: Admin
Dashboard group. When users are assigned to the group, they are automatically added to the System:
Admin Dashboard access role.
Assign a user to the Admin Dashboard group
1. Go to the user account that you want to assign to the group.

c. Select the user account that you want to update.
2. Click the Groups tab.

3. Click Lookup.
4. In the Available list, in the Groups section, select System: Admin Dashboard.
5. Click OK.
Add the Admin Dashboard to the menu bar

1. From the menu bar, click the User menu and select Workspaces Display.
2. Select the checkbox next to Admin Dashboard.
3. Click Save.
4. In the menu bar, click Show All.
5. Click .
6. Select the Admin Dashboard workspace and move it vertically up or down to a new location.
7. When you have finished making your changes, click again.

Add Metrics to the Admin Dashboard

You can add metrics to display in the Admin Dashboard. Core metrics cannot be deleted.
1. Go to the Fields tab of the Admin Dashboard.

c. Select Admin Dashboard.
2. Click Add New.

3. Select Create a new Field from scratch and select the field type.
4. Click OK.
5. Complete the field information.
7. On the Manage Admin Dashboard page, click Save.

Chapter 18: Customizing RSA Archer

You can customize RSA Archer as follows:
l Branding. Use the Appearance menu to customize colors and logos across the user interface to
match your brand.
l System Language. Use the Globalization features to adapt the user interface to appear in
languages and formats that meet the needs of different geographical and cultural regions.
Branding Your System

You can customize colors and logos in the user interface to match your brand using the Manage
Appearance page.
Note: If you are upgrading from an earlier version of RSA Archer, you must set your appearance.
Themes from earlier versions are not converted.
Configurable options
The following table shows the configurable options for the user interface.
Option Description
Instance Sets a custom name for the instance.

Name
Primary Sets the main color in the user interface, such as the menu bar, menus, and page
color headers.
Note: If the color of the menu bar is too similar to the color of the font, the menu
bar is rendered unreadable.
Secondary Sets contrasting features, such as links and buttons.

color RSA recommends using darker colors because lighter colors make some text
difficult to read.
Advanced Sets additional colors for menus, pages, headers, field borders, and footers.
Options
Logo Sets the logo that appears in the lower left corner of the user interface.
Secondary Sets the image that appears next to the logo, such as a tag line.
graphic

Option Description
Field Name Sets field name alignment for record pages, questionnaires, save reports, and Add
Alignment and Display forum pages.
Field Name Sets bold field names for record pages and questionnaires. Bold field names
Contrast improve contrast and readability in record pages and questionnaires.
Note: This option is enabled by default.
Set the instance name
1. Go to the Manage Appearance page.

b. Under Appearance, click Appearance.
2. In the Instance Name section, enter a name for the instance.

3. Click Save.
Set the colors

b. Click Appearance.
2. In the Color section, select the primary and secondary colors, and click OK.
Note: The default Secondary Color causes some items to display with less than the minimum
required contrast ratio defined by the Web Content Accessibility Guidelines. To remediate this,
set a darker Secondary Color.
3. To set Advanced color options, click the Advanced checkbox.

4. Choose the advanced colors and click OK.
5. Click Save.
Note: If an administrator changes the color scheme while you are working, the colors update when
you go to a different page.

Select your logos

2. In the Graphics section, do one or both of the following:

l In the Logo field, click Edit.
l In the Secondary Graphic field, click Edit.
l Select an existing graphic.
a. From the displayed list, select a graphic.
b. Click Choose Selected.
l Add your own image.

a. Click Add New.
b. Click Select Image.
c. Select an image from your computer.
d. Click Open.
e. Click Upload.
4. Confirm that the image appears in the preview.

5. Click Submit.
Delete logos

2. Choose one of the following:

l To change the logo, under the Logo, click Edit.
l To change the secondary graphic, under the Secondary Graphic, click Edit.
3. Select graphic to delete.

4. Click Delete Selected.

5. Confirm your selection.
Set the field name alignment
1. Go to the Text section of the Manage Appearance page.

c. Go to the Text section.
2. In the Field Name Alignment field, choose one of the following field name alignments:
l Right
l Center
l Left
A preview of the alignment displays in the Preview field.
3. Click Save.
Update field name contrast

Contrast in records and questionnaires is improved with bold field names. Field name contrast is
enabled by default.
1. Go to the Text section of the Manage Appearance page.

c. Go to the Text section.
2. In the Field Name Contrast field, clear or select Bold Field Names.
3. Click Save.
Reset the appearance

2. Click Reset to Default.
Setting a System Language - Globalization

In RSA Archer, globalization involves languages, locales, and translation. RSA Archer globalization
features enable administrators and users to set their preferred language, locale, and timezone to
meet their language and cultural needs.
Languages
Multiple language translations of RSA Archer navigation, solution content, and documentation are
available for licensing. A language must be licensed and activated in an instance to make its
RSA Archer navigation translations available. At least one language license is included with the
original product license and is set as the default language during installation. You can add language
licenses to provide more translations to users.
RSA Archer navigation is displayed to users in the language associated with their locale. If the
language associated with their locale is not active, the default language is displayed instead.
Administrators associate locales with a language to display formats used for dates and currency, and
localized RSA Archer functions such as calculations, time-based filtering, and reporting.
The following languages are supported for RSA Archer:
l Chinese (Simplified)
l English
l French
l German
l Italian
l Japanese
l Portuguese
l Spanish
Locales
Locales are defined by language and country to enable users to see RSA Archer content in the
format applicable to their culture. A locale can only be associated with one language and multiple
locales can be associated with the same language. A locale cannot be removed from a language if
the locale has associated users.

Administrators can set a default locale for users and user groups, however, the locale assignment is
associated only with individual users and not with groups. The assignment of a user group to a locale
assigns the locale to the current set of users in the group. Future user additions to the group do not
get the locale assignment, and future user removals from the group do not remove the user locale
setting. Users with update permissions for their accounts can set their locale to a non-default locale.
A complete list of supported locales is available on the Manage Locales page.
Translations
A translation refers to a natural-language translation of objects that you have created in RSA
Archer. The language used to create an object is its design language. The default instance language
is specified during installation. All descending RSA Archer objects, such as Module Level and
Fields, inherit the default language from the root object.
Important: When exporting a language, the content a user enters is excluded from the translation,
even when the objects are translated.
The following table shows the root objects and the descending level 1 and 2 objects that inherit the
default language:
Root Objects Level 1 Objects Level 2 Objects
Applications Module Level Fields

Questionnaires Reports Layout
Sub-forms Questionnaire Values Lists Event Rules
Global Values Lists Event Actions
Solutions Questionnaire Campaigns
Workspaces Questionnaire Rules
Dashboards Field Filter Properties
iViews Notifications
Letterhead Templates
Folders
You can move translations for packaged items from one instance to another, which enables testing a
translation before users have access. When importing RSA Archer core solutions, you must install a
valid license on the importing instance before installing the translation.
For more information, see "Globalization" in the RSA Archer Online Documentation.
Adding Licensed Languages
To obtain a license for a language that you want to add, contact your RSA sales representative.
When you receive the new license key that includes the new language license, add the language to
the instance.

Add a licensed language to the instance

1. In the RSA Archer Control Panel, update the license key for the instance. See "Update the
License Key" in the RSA Archer Control Panel Help.
2. In the instance, activate a language to make it available to administrators and users.
a. In the RSA Archer Platform, go to the Manage Languages page.

b. Under Globalization, click Languages.
b. Click Add New.

c. In the General Information section, enter a name and a description for the new language.
d. In the Options section, do the following:
a. In the Status field, select Active.
b. In the Locale(s) section, select the locales that you want to assign to the language.
e. Click Save.
Adding New Language Translations
You can create your own translation if you need to provide users with a language that is not one of
supported languages.
The content translation occurs outside the RSA Archer application, so the translator does not need to
be an RSA Archer user. After the translation is complete, the translator returns the language file to
the same access location so you can import it into RSA Archer.
You can export and import translation strings in both CSV and ResX formats.
The following table describes each format and its recommended use.
Format Description Recommended Use
ResX ResX export includes resources from the database in Use ResX for full translations
the industry standard ResX format used by sent to professional translators.
professional translators. This format is difficult for
manual translations.
ResX import does not include an indication of which
values were translated.

Format Description Recommended Use
CSV CSV export includes resources from the database in Use CSV for partial translations
an easy to use table format. or translations not sent to
CSV import includes a column for the design value professional translators.
and a column for the translated value to show which This format enables the
values were translated. translator to choose from a
variety of software tools to
complete the translation.
Task 1: Add a new language
1. Go to the Manage Languages page.

2. Click Add New.

3. In the General Information section, enter a name and a description for the new language.
4. In the Options section, do the following:
a. In the Status field, select Active.
b. In the Locale(s) section, select the locales that you want to assign to the language.
5. Click Save.
Task 2: Export the language file for translation

Depending on the size of the export file and the attributes of your computer system, the export
process may take several minutes to complete.
l On the Manage Languages page, during installation, the language has a Pending status.
l If the export fails, on the Manage Languages page, the language has a Failed link. Click the link
to display information about the failed export.
l When the export process is complete, an email notification is sent.


2. Click for the language you want to export.

3. Select the appropriate option to include either all objects or only untranslated objects and their
associated meta-data.
4. Select the export format.
5. Click Generate.
6. Click to download the exported language file.

7. Select Click Here to download the file to your default Web browser.
8. Use the Web browser to save the downloaded file in a specific location.
Task 3: Translate objects into the new language

1. Move the downloaded language file to a location that the translator can access.
2. For every property name in every CSV file that you exported, have the translator provide a
Translation Value. For a completed example, see"Translated File Example" in the RSA Archer
3. Using the default Windows file compression utility, zip all the translated CSV files and the
original manifest into a zip file.
Task 4: Encode the translation in UTF-8
Note: This step is only required if the files that you receive from the translator are not already
encoded in UTF-8.
1. Extract the translated .csv files from the ZIP file you received from the translator.
2. Open a CSV file in the Windows Notepad text editor application.
3. In the File menu, click Save As.
4. From the Save as type list, select All Files.
5. In the File name box, ensure that the file name extension is .csv.
6. From the Encoding list, select UTF-8.
7. Click Save.
8. Compress all encoded UTF-8 CSV files in a .zip file in the same folder in which you extracted
them. Be sure to include the same manifest file that was created in the original language export.
Task 5: Import the translation

Translated characters in the returned CSV files must be encoded using the UTF-8 character set. If
the returned CSV files do not use UTF-8 characters, the import may not work or result in some

unintelligible characters appearing after the import process completes. UTF-8 is a comprehensive
character set that accommodates most languages, whereas many characters are not found in ASCII
or ANSI.
Consider the following before importing translated languages:
l You must import the translated language files into the same instance of RSA Archer platform
from which the language was exported for translation.
l You must use the default Windows file compression utility to create the ZIP file that contains the
translated language files to import.
l The translated language ZIP file that you import must contain all the files that you originally
exported. These files include the CSV files that were updated with the translations of the
translatable properties, as well as the manifest file.
o The CSV files and the manifest file must reside in the same folder into which they were
extracted from the original exported file.
o All files must be correctly formatted.
l Translator responsibility
o The translator should have updated only the Translated Value column in the CSV file.
o The translator must ensure that property names with associated translated text appear in the
Translation Value column of the CSV file.For information, see "Translated File Example" in
the RSA Archer Online Documentation.
l Depending on the size of the ZIP file and the attributes of your RSA Archer environment, the
import process may take several minutes to complete.
o On the Manage Languages page, during installation, the language has a Pending status.
o If the import fails, on the Manage Languages page, the language has a Failed link. Click the
link to display information about the failed import.
o When the import process is complete, an email notification is sent.
Note: You must import the translated language files into the same instance of RSA Archer from
which the language was exported for translation.
Procedure


2. Click for the language that you want to import the translated language file.
3. Click Browse.
4. Click Add New, and navigate to the translated language ZIP file that you want to import.
5. Select the file, and click Open.
6. Click Import.
7. Activate the language.
Translated File Example
The following example shows a correct entry in a CSV file for a specific property that has been
translated from the source language, English, to the target language, French. The shaded area in the
call-out shows the property name, ARA-00221, which is a simple character string instead of a
translatable word. The string is not translatable into French, so the Translated Value is the same as
the Design Value. If the Name (ARA-00221) is missing from the Translation Value column, the
French translation of Advanced Display Text does not replace the English text in the user interface.
Activating and Deactivating Languages
You must activate a language to use it in RSA Archer. When the language is no longer used, you
can deactivate it.
Activate a language


2. Select the language you want to activate.

3. In the Options section, set the status to Active.
4. Click Save.
Deactivate a language
Important: Deactivating a language prevents the rendering of any translations tied to it. Instead, the
system renders the design language. You cannot deactivate a language if it functions as a design
language anywhere in RSA Archer.

2. Select the language you want to deactivate.

3. In the Options section, set the status to Inactive.
4. Click Save.
Associating Users and Groups with a Language Through Locales
Languages are assigned to locales. Locales are associated to users and groups in the user account
and group in Access Control.
Assign locales to a language

A locale can only be assigned to one language. Multiple locales can be assigned to the same
language.

2. Select the language to which you want to assign locales.

3. In the Options section, select the locales to assign to the language.
4. Click Save.

Set the locale for users and groups
Note: Assigning a user group to a locale assigns the locale to the current set of users in the group.
Future user additions to the group do not get the locale assignment, and future user removals from
the group do not remove the user locale setting.
1. Go to the Manage Locales page.

b. Under Globalization, click Locales.
2. Click for the locale to which you want to assign users.

3. In the Options section, select the groups and users to assign to the locale.
4. Click Save.
Remove locales from a language
Important: A locale cannot be removed from a language if the locale has associated users.

2. Select the language from which you want to remove locales.

3. In the Options section, click next to each locale you want to remove from the language.
4. Click Save.
Changing the Default Language
You can set a default language for an entire instance or change the default language of individual
objects that you have created in RSA Archer.
Requirements for changing the default language of an object

The target language must contain a matching translatable property for every translatable property in
the source language. This requirement applies to installing a package whose default language is not
the same as the Platform default language. This requirement is especially important for changing a
language back to the original language.
For example, when you change the language from English to German, English is the source, and

German is the target. If the utility finds an exact match in the German translation for every English
translatable property, the change succeeds. If the German translation contains additional properties
not present in English, the utility ignores these and the change from English to German still
succeeds.
However, if you want to reverse the process and change the language from German back to the
original English, then German is the source and English is the target. The process fails because
English does not contain a match for the additional translatable properties in German.
Change the default language of an object
1. Go to the object you want to update.

b. Do one of the following:
l Under Application Builder, click Solutions, Applications, Questionnaires, Sub-Forms, or
Global Values Lists.
l Under Workspaces and Dashboards, click Workspaces, Dashboards, or Global iViews.
c. Select the object for which you want to change the default language.
d. Click the General tab, if applicable.

l For solutions, global values lists, workspaces, dashboards, and global iViews, click Change in
the General Information section.
l For applications, questionnaires, and sub-forms, click Change in the Options section.
3. In the Default Language Change dialog box, select the new default language.
4. Click OK.
Set the default language for an instance

2. Select the language you want to set as the default instance language.
3. In the Options section, select Make this the default language.
4. Click Save.

Deleting Languages
You cannot delete a language that meets any of the following criteria:
l The language is the default language for the instance.
l The language is defined as the design language for RSA Archer component.
l The language has associated locales that include users.
l The language is defined by users as their override language in user preferences.
Delete a language

2. Select the language you want to delete.

3. Click Delete.
4. Click OK.
Displaying Licensed Languages
Display licensed languages


2. In the toolbar, click Licensing Information.

3. Scroll to view the list of Platform languages.
Moving Translated Solutions Between Instances
You can package and move a translated solution from one instance to another.
Move translated solutions between instances

1. Log on to the instance that contains the solution translation you want to move.
2. Create a package to define a package that includes the solution translation. You can select only
solution translations to include in the package, or you can select translations and other
components. Generate and download this package to a network location that is accessible from
the instance to which you want to move the solution translation.

3. Log on to the instance to which you want to move the solution translation.
4. Import a package to move the package into the instance.
5. Map objects to preview the automated mapping between source and target objects and resolve
any problems with the mappings.
6. Install a package to install the package with the solution translation in the instance.
7. View the package installation log to check for and resolve warnings generated by the package
installation.

Chapter 19: Configuring the Hardware Security

Module
The following section describes the required configuration settings when the preferred keystore is a
hardware security module (HSM). Multi-node setup is supported when the HSM is a network HSM.
In a network HSM the following three actors participate in the Encryption and Key Management
process:
l Client Machines. The RSA Archer components that run on client machines.
l RFS Server. Acts as a key repository. In some configurations, the client machine may also act as
the RFS Server.
l HSM Devices. Encryption and decryption can be performed only inside the HSM device.
Task 1: Install and test Thales nFast

RSA currently supports only the Thales N-Shield line of HSMs. Before using an HSM, you must
install the Thales nFast client software on the RSA Archer server and configure the client to
synchronize files with the RFS server.
Important: The Thales N-Shield line of HSMs provides three types of key protection schemes.
However, RSA only supports key protection using OCS-protected keys.
1. Install Thales nFast on the RSA Archer server.

Important: If this step is not completed, the configuration will not work.
2. After installing Thales nFast, test the OCS settings based on the test instructions provided by
Thales.
Task 2: Update IIS App Pool Settings

When you create a key using the Key Management Screen in RSA Archer, the system internally
creates a X509Certificate2 and stores it in the database. The X509Certificate2 is generated using
CertEnrollLib. To enable the web application to create a certificate, you must set Load User Profile
to True.
1. On the Windows server running the RSA Archer Platform, open Internet Information Services
(IIS) Manager.
2. In the Connections column, click Application Pools.
3. On the Application Pools page, right click on the application you want to update, and select

Advanced Settings.
4. In the Process Model section, ensure that the Load User Profile is set to True.
5. Click OK.
Task 3: Configure a Multi-Node HSM Key Store

1. Generate the key using RSA Archer.

b. Under Encryption, select Field Encryption.
c. In the Key Management section, click Generate Key.
Once a key is generated, it appears in the Manage Keys grid.
2. In a multi-node setup where the Web Application and Windows Services (Job Service and
Queuing Service) run on different Windows servers, or in a load-balanced environment where
more than one web server is available, the key generated using the Key Management screen
must be synchronized to all Windows servers hosting RSA Archer components. Synchronize the
key by doing one of the following:

l Synchronize the keys outside RSA Archer.
Note: In Thales nShield Connect HSM, a key generated by a client machine must be
synchronized with the RFS machine by running the command, rfs-sync.exe --commit, using
the rfs-sync.exe utility provided by Thales. (The utility is located in the following
directory: C:\Program Files (x86)\nCipher\nfast\bin) Once the key is available in the RFS
machine, other clients can obtain the key by running the following command: rfs-sync.exe --
update.
l Option 1: Set the environment variable, %NFAST_KMDATA% , to a shared directory

accessible to all the clients and the RFS server. In this case the Key Management Data
folder is shared between the client and the RFS server, thus execution of rfs-sync.exe
utility is not required.
l Option 2: Synchronize the keys between clients and the RFS server by periodically running
Windows Task Schedulers (or by any other means) and executing rfs-sync.exe.
l Synchronize the keys using the Archer Control Panel.
Note: The following is not a secure option as it involves execution of a different process (rfs-
sync.exe) from RSA Archer.

b. Go to Installation Settings.
c. Click the General tab, and go to the Hardware Security Module section.
d. From the Select Module drop-down, select N-Shield.
e. In the Module Token field, enter the key you generated in step 1 of this task.
f. In the Security Pin field, enter the HSM pin for authentication purposes.
Note: If you change the PIN in the HSM, you need to update it in the Archer Control
Panel as well.
g. Select Enable RFS Synchronization.

h. On the toolbar, click Save.
RSA Archer executes the rfs-sync.exe utility while creating and reading keys.
Note: If your organization is already using an HSM device, you may have an established
process similar to the one described in "Synchronize the keys outside RSA Archer". You
should also establish a key synchronization process for RSA Archer prior storing
encryption keys from RSA Archer in the HSM.

Chapter 20: Managing Field Encryption

Use this page to add a Key Encryption Key (KEK) in conjunction with encrypting the following
RSA Archer field types:
l Attachment
l Date
l IP address
l Image
l Numeric
l Text
Note: This feature is available only if you have selected Hardware Security Module as the key
store.
You can either upload a key that you have previously obtained, or you can generate the key within
RSA Archer.
Add a Key Encryption Key

1. Go to the Field Encryption page.

b. Under Field Encryption, click Key Management.
2. Click the KEK Expiration Date Calendar icon, and then select an expiration date from the
calendar.
l Click Generate KEK to generate the key within RSA Archer.
l Click Upload KEK, and then navigate to the key file for uploading.
4. After you have generated or uploaded the key, it appears in the Manage Keys grid.
Note: Only one key is valid at a time. If you create another key, RSA Archer disables the
previous valid one.
Chapter 20: Managing Field Encryption 1223

Chapter 21: Secure Deployment and Usage Settings

It is important to secure the deployment and usage settings in RSA Archer. Doing this helps protect
the RSA Archer environment.
Protect all physical, local, and remote access to the servers hosting RSA Archer. Restrict all access
methods to the absolute minimum required to maintain RSA Archer.
RSA recommends that you do not set up RSA Archer test environments to contain exact copies of
the full production environment's data or to use the same system or authentication secrets. If the test
environment contains any sensitive information from the production environment, take the same
precautions to protect the test environment as you do in the production environment.
Security Controls Map

An RSA Archer deployment consists of three physical tiers: a web tier, a services tier, and a
database tier. An organization can deploy RSA Archer in a single host configuration or a multi-host
configuration. For more information, see the RSA Archer Platform Installation and Upgrade Guide.
When deploying RSA Archer on-premise within a corporate network, RSA recommends that you do
the following:
l Deploy RSA Archer hosts within the corporate network. The DMZ-to-Corporate-Network
Firewall intercepts all communication between the single host and the other components in the
network.
l Ensure that users are accessing RSA Archer from within the corporate network. If users must
access RSA Archer from the internet, RSA recommends that they connect to the corporate
network through a secure VPN connection.
l Allow only remote access to RSA Archer hosts for secure maintenance using the Remote
Desktop Protocol (RDP) through a secure VPN connection.
l Configure firewall rules to ensure secure communication between RSA Archer and other
components in the network.
Important: RSA recommends that you deploy RSA Archer services in a secure location, where
physical access to the servers is restricted to the personnel who manage the servers.

The following figure shows an example of a multi-host configuration.

For multi-host configurations, RSA Archer recommends that you do the following:
l Deploy RSA Archer web, services, and database servers in the corporate network.
l Deploy data feed servers in the corporate network, except those that provide information using
HTTPS, such as, RSS and Threat Intelligence services.
l Ensure that all RSA Archer servers in a site are connected to the same sub-network.
l Deploy firewalls at each site to ensure secure transfer of data from an instance of RSA Archer at
one site to another instance of the RSA Archer located at a different site.
l Configure firewall rules to intercept all communication between RSA Archer components in the
network, as shown in the preceding figure. For more information, see Firewall Rules.
While the previous figure shows multiple types of data feeds, the following figure expands on the
Archer-to-Archer data feed type using the example of one geographic site to another.
When deploying RSA Archer in multiple geographically dispersed sites and configuring one instance
of RSA Archer at one site to feed data to another instance of RSA Archer at another site, RSA
recommends that you do the following:
l Configure firewall rules to intercept all communication between the RSA Archer components in
the network and between different sites, as depicted by the firewalls in the preceding figure. For
more information, see Firewall Rules.
l Implement data transfer between sites using a secure tunnel as shown in the preceding figure.
Firewall Rules
Use firewalls to restrict network traffic between RSA Archer and external systems. For graphical
depictions of restricting network traffic, see Security Controls Map.

RSA strongly recommends that you configure firewall rules as described in the following sections.
These recommendations are based on the following assumptions:
l You have a stateful firewall, indicating that only the establishment of TCP ports is considered.
l You specify the direction of communication for the UDP ports because the connections are
sessionless.
l The firewall processes the rules top to bottom, finishing with a generic drop of all packets.
l You deploy RSA Archer as shown in one of the figures in Security Controls Map.
RSA recommends that you configure firewall rules to ensure secure communication for the
following connections:
l DMZ to Corporate Network
l Corporate Network to Site Sub-Network
l Archer-to-Archer Data Feeds
DMZ to Corporate Network

RSA recommends that you do the following:
l Configure whitelist communication from the VPN server in the DMZ to the client machines on
which the RSA Archer web user interface runs.
l Create firewall rules for all machines from which you intend to remotely access the corporate
network through RDP.
Corporate Network to Site Sub-Network

For corporate network to site sub-network configurations, RSA recommends the following:
l Allow firewall access at each site only from designated RSA Archer client machines through a
whitelisted IP address and port.
l Set firewall rules to drop all unless explicitly allowed.
Single-Host Configuration
RSA recommends that you secure the following default ports to ensure a secure communication
between client machines running the RSA Archer web user interface and the RSA Archer web
server:
l TCP 80
l TCP 443

The following table shows the firewall rules for a single host configuration.
RULE | Source IP Address –>
Purpose Protocol Port
DIRECTION Destination IP Address
Client Web ALLOW | ArcherWebUI_IPAddr –> TCP 443

Connectivity INBOUND ArcherWebServer_IPaddr
ALLOW | ArcherWebServer_IPaddr –> TCP 443

OUTBOUND ArcherWebUI_IPAddr
<Default> BLOCK | All_* –> All_* * *

INBOUND
BLOCK | All_* –> All_* * *

OUTBOUND
Multi-Host Configuration
RSA recommends that you secure the following default ports to ensure a secure communication
between client machines running the RSA Archer web user interface and the RSA Archer web
server:
l TCP 80
l TCP 443
The following table shows the firewall rules for a multi-host configuration that includes a reverse
proxy/load balancer.
Client Web ALLOW | ArcherWebUI_IPAddr –> TCP 443

Connectivity INBOUND ArcherWebServer_IPaddr
ALLOW | ArcherWebServer_IPaddr TCP 443

OUTBOUND –> ArcherWebUI_IPAddr
RSS Feeds ALLOW | RSSServer_IPAddr –> TCP 443

INBOUND ArcherWebServer_IPaddr

OUTBOUND –> RSSServer_IPAddr


Threat ALLOW | ThreatFeedServer_IPAddr TCP 443

Feeds INBOUND –> ArcherWebServer_IPaddr

OUTBOUND –> ThreatFeedServer_IPAddr
<Default> BLOCK All_* –> All_* * *

| INBOUND
BLOCK | All_* –> All_* * *

OUTBOUND
Archer-to-Archer Data Feeds

RSA Archer might run in multiple sub-networks within your corporate network, where each sub-
network is called a site. You can configure RSA Archer to allow the RSA Archer located in one site
to feed data to the RSA Archer in another site. For more information, see Archer-to-Archer Data
Feeds.
For this scenario, RSA recommends that you do the following:
l Ensure that the firewall at each end of the data transfer allows communication only through a
whitelisted IP address and port.
l Secure the following default ports to ensure a secure communication between two RSA Archer
instances located in different sites:
o TCP 80
o TCP 443
The following table shows you how to configure the site's firewall rules.
Source IP Address –>
Purpose RULE | DIRECTION Protocol Port
Destination IP Address
Archer Data Feed ALLOW | INBOUND ArcherDataFeed_IPAddr –> TCP 443

ArcherWebServer_IPaddr
<Default> BLOCK | INBOUND All_* –> All_* * *
BLOCK | OUTBOUND All_* –> All_* * *

Secure Deployment Settings

The following table shows the security controls that RSA recommends to be in place for securing the
deployment of RSA Archer.
Instructions
Cons of on How to
Secure Pros of Secure
Deployment Secure Configure
Deployment Deployment
Settings Deployment Secure
Setting Setting
Setting Deployment
Setting
HTTPS is enabled For best possible Provides a high Could impact See "Web Server
on a new 6.x security between level of protection performance. Communication"
installation, by client and server, for the in the RSA
default, between enable HTTPS and communication Archer Online
client and server. disable HTTP in between client and Documentation.
Remove any Microsoft IIS. server by avoiding
existing HTTP tampering,
bindings (port 80) spoofing, and man-
via IIS Manager. in-the-middle type
of attacks.
Database Encrypting the Provides increased Could impact See "Maintaining

Encrypted communication security by performance. Security" in the
Communication between the RSA implementing RSA
Archer Web secure Archer Online
Server and the communication Documentation.
Instance Database between the Web
increases security. Server and
Instance Database.
Persistent Session Deleting the cookie Provides increased User has to See "Enabling
Cookie holding the session security by reauthenticate. Storing the
Configuration token when the requiring Session Token in
client is closed reauthentication a Persistent
increases security. after logout or Cookie" in the
browser close. RSA Archer
Control Panel
Help.

Instructions
Cons of on How to
Secure Pros of Secure
Deployment Secure Configure
Deployment Deployment
Settings Deployment Secure
Setting Setting
Setting Deployment
Setting
Windows Server Hardening the web Provides improved Could cause Follow Microsoft
Security server based on security and some security
Configuration industry best reduced risk for the unsecured configuration
practices reduces servers deployed Windows recommendations
the likelihood of for RSA Archer. Server for the applicable
vulnerabilities. features to IIS version.
become
unavailable.
SQL Server Hardening the SQL Provides improved Could cause Follow Microsoft
Security Server installation security and some security
Configuration hosted on the reduced risk for the unsecured configuration
database server database server SQL Server recommendations
based on industry deployed for the features to for the applicable
best practices Platform become SQL server
reduces the installation. unavailable. version.
likelihood of
vulnerabilities on
the servers.
Web Server Security Configuration

For recommendations on IIS security configuration, see the Microsoft Knowledge Base.
In addition to Microsoft's recommendation, RSA recommends that you configure Microsoft IIS to do
the following:
l Enable SSL communications. See See "Web Server Communication" in the RSA Archer Online
Documentation.
l Disallow arbitrary file extensions.
l Remove IIS and ASP.NET Version Information from HTTP Headers.

Disallow IIS Arbitrary File Extensions

Request Filtering is a built-in security feature in Internet Information Services (IIS). The settings for
this feature are located within the <requestFiltering> element and contains a child element for
<fileExtensions>. This element can contain a collection of file name extensions that IIS either denies
or allows. For example, you can block all requests for Web.config files.
For more information, visit the Microsoft Web pages File Name Extensions at
https://docs.microsoft.com/en-
us/iis/configuration/system.webServer/security/requestFiltering/fileextensions/index and Request
Filtering at https://docs.microsoft.com/en-
us/iis/configuration/system.webServer/security/requestFiltering/.
When using the IIS <fileExtensions> element, do not prevent the uploading of files with the
following IIS file extensions, as this will cause RSA Archer to malfunction.
l .ASAX l .CAB l .HTC l .SETTINGS
l .ASCX l .CONFIG l .HTM l .SVC
l .ASHX l .CSHTML l .HTML l .TDF
l .ASMX l .CSS l .ICO l .TXT
l .ASP l .DAT l .JPG l .XAP
l .ASPX l .DLL l .JS l .XML
l .AXD l .EJS l .MCWEBHELP l .ZIP
l .BAT l .FPJ l .MASTER
l .BMP l .GIF l .PNG
Disallow Arbitrary File Uploads

RSA Archer allows users to upload files with any type of extension. RSA recommends training your
users on good security practices including not uploading any file from sources other than themselves
to prevent introducing potentially malicious files to the RSA Archer Platform. To tighten security,
you can prevent users from uploading files with specific extensions. For more information, see "File
Creation Restriction" in the RSA Archer Online Documentation.
Prevent certain file types, depending on what your users do with RSA Archer, For example, prevent
the upload of executable .exe files to RSA Archer. However, if your users investigate security
incidents, you want to allow the upload of executable files containing viruses and other potential
malware for use in investigations.

The following table provides a list of file extensions used by normal RSA Archer operations. Do not
prevent uploads of files with these extensions.
l .AI l .GIF l .PPS l .WMF
l .BMP l .ICO l .PPSM l .XLA

l .CSS l .JPEG l .PPSX l .XLAM
l .CSV l .JPG l .PPT l .XLS
l .DOC l .PDF l .PPTM l .XLSB
l .DOCM l .PNG l .PPTX l .XLSM
l .DOCX l .POT l .PS l .XLSX
l .DOT l .POTM l .RTF l .XLT
l .DOTM l .POTX l .TIF l .XLTM
l .EMF l .PPA l .TIFF l .XLTX
l .EPS l .PPAM l .TXT l .XML
l .EXIF
Remove IIS and ASP.NET Version Information from HTTP Headers

To make it more difficult for attackers to identify vulnerabilities in the software that is powering the
Web Server, do not disclose the types of applications and their respective version numbers in HTTP
headers. While certain HTTP headers are necessary, the HTTP headers that identify the Web
Server are not necessary, including the following:
l Server: Microsoft-IIS/<version_ number>
l X-Powered-By: ASP.NET
l X-AspNet-Version: <version_ number>

AspNet-Version HTTP Header

RSA recommends that you do the following:
l Remove the HTTP headers that identify the web server.
l Ensure that <httpRuntime enableVersionHeader="false"/> is set in the RSA Archer web.config
file, located at:
o IIS\DefaultWebSite\RSAArcher\web.config
o IIS\DefaultWebSite\RSAArcher\api\web.config
Remove X-Powered-By HTTP Header

1. Launch the Microsoft IIS Manager.
2. Expand the Sites folder.
3. In the IIS grouping, select the website that you want to modify, and double-click the HTTP
Response Headers section.
4. If "X-Powered-By: ASP.NET" is displayed in the Custom Header listbox, click the Remove link
in the right-hand column.
Note: To ensure that the server header is not automatically added to the outgoing HTTP response by
Microsoft IIS, use Microsoft's free UrlScan utility.
IP Whitelist
The IP Whitelist allows for the ability to define a range of IP addresses that can access RSA
Archer. The IP Whitelist restricts incoming connections only, and should include the following
items:
l Web Application servers
l Services servers
l Client machines accessing the Web Application
Optionally, the following items can also be included:

l Data Feed source servers
l LDAP servers
RSA recommends implementing the IP Whitelist to limit the availability of the Platform as a
potential attack vector.

Host Hardening
To ensure secure operation of RSA Archer, the underlying components of the host must be hardened
so that the server will function properly and opportunities for vulnerabilities are removed.
RSA Archer recommends hardening the host system under it to only allow TLS 1.2 on all
RSA Archer supported clients and servers.
l Make sure that SQL servers, Web, Services and clients have the latest service packs using TLS
1.2.
l Make sure that all security updates are applied before additional hardening is performed on all
underlying components, including, but not limited to, the Operating System, SQL, and IIS.
Recommendations for TLS/SSL cipher hardening

Once all underlying components are up-to-date, TLS/SSL cipher hardening can be applied. A cipher
suite is a set of algorithms that help secure a network connection using Transport Layer Security
(TLS). Cipher hardening will prevent known cipher attacks in TLS/SSL (for example, Sweet32,
BEAST, POODLE).
Disabling SSL 2.0 and SSL 3.0
Due to the issues presented in SSL 2.0, the protocol is deemed unsafe to use and should be
completely disabled. Similarly, the POODLE (Padding Oracle On Downgraded Legacy Encryption)
vulnerability causes SSL 3.0 to be unsafe for use and should be disabled.
Disabling TLS 1.0 and 1.1
Unless there is a need to support legacy browsers, TLS 1.0 and 1.1 should also be disabled.
Disabling weak ciphers
Web server communication over HTTP relies on the SSL/TLS ciphers and key lengths provided by
the version of IIS on which RSA Archer is installed. Ensure that IIS is configured for cryptographic
support, which cannot be easily defeated. RSA recommends that you configure Microsoft IIS to only
allow ciphers with key lengths of 128 bits or greater.
Weak ciphers, such as DES and RC4, should be disabled.
Cipher configuration
A chosen Cipher Suite is unique to the security guidelines set forth by a user's organization. It is
usually based on the level of restrictions required in the server environment, as well as the age of the
software and devices connecting to the servers (for example, the need to support legacy browsers
and regulatory requirements).

Users should implement a Security Best Practices cipher suite with Triple DES168 Cipher excluded
(from SChannel) on RSA Archer Servers including the web. This can be done via the IIS Crypto tool
available from Nartac Software. RSA recommends that you place the most secure cipher suites first
because servers often select the first supported suite from the client's list.
As guidance, RSA Archer has been tested with, as limited as, the following list of Cipher Suites and
the product remains functional:
Cipher Suite
Cipher Suite Name
Hexcode Name KeyExchange Encryption Bits
(RFC)
(OpenSSL)
xc028 ECDHE-RSA- ECDH 521 AES 256 TLS_ECDHE_RSA_

AES256-SHA384 WITH_AES_256_
CBC_SHA384

AES256-SHA WITH_AES_256_
CBC_SHA
x9d AES256-GCM- RSA AESGCM 256 TLS_RSA_WITH_

SHA384 AES_256_GCM_
SHA384
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_

AES_256_CBC_
SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_

AES_256_CBC_SHA

AES128-SHA256 WITH_AES_128_
CBC_SHA256

AES128-SHA WITH_AES_128_
CBC_SHA
x9c AES128-GCM- RSA AESGCM 128 TLS_RSA_WITH_

SHA256 AES_128_GCM_
SHA256

Cipher Suite
Cipher Suite Name
Hexcode Name KeyExchange Encryption Bits
(RFC)
(OpenSSL)
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_

AES_128_CBC_
SHA256
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_

AES_128_CBC_SHA
Verify cipher configuration

Tools, like TestSSL, can be used to verify the Cipher Suite hardening. Go to
https://github.com/drwetter/testssl.sh to verify the hardening you have enabled.
Cipher Suite hardening may lead to limited connectivity; old clients cannot connect to servers with
strong security requirements. The tool output will provide the details on those limitations.
Special cipher vulnerability cases

l BREACH (CVE-2013-3587) - This cipher vulnerability is related to web server HTTPS
Compression and can be handled via Web Server / Load Balancer Configuration.
l LUCKY13 (CVE-2013-0169) - This cipher vulnerability is a timing attack used against
implementations of the TLS protocol using the Cipher Block Chaining (CBC) Ciphers. To prevent
this vulnerability, make sure that you do not use cipher suites in the CBC mode.

Chapter 22: Physical Security Controls

Recommendations
Physical security controls are designed to protect resources against unauthorized physical access and
physical tampering. RSA recommends that the physical servers for RSA Archer be deployed in a
secure data center leveraging the organization’s best practices for physically securing a data center,
server rack, and server.
Chapter 22: Physical Security Controls Recommendations 1238

RSA Archer 6.5 Platform Administrator's Guide

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

RSA Archer 6.5 Platform Administrator's Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RSA Archer 6.5 Platform Administrator's Guide

Uploaded by

Copyright:

Available Formats

Platform Administrator's Guide

Copyright © 2010-2018 Dell Inc. or its subsidiaries. All Rights Reserved.

Chapter 1: Setting Up and Maintaining the Platform 17

Chapter 2: Application Builder 22

Adding Questions and Fields to a Questionnaire 56

Adding Attachment Questions 60

Adding Cross-Reference Questions 65

Adding Date Questions 73

Adding Numeric Questions 78

Adding Text Questions 84

Adding Values List Questions 89

Creating Questionnaire Values Lists 98

Customizing the Layout of a Questionnaire 103

Chapter 4: Solutions 134

Chapter 5: Fields 137

Adding Attachment Fields 146

Functions and Operators for Calculated Field Formulas 247

Chapter 6: Sub-Forms 509

Adding and Removing Documentation from Sub-Forms 511

Chapter 7: Data Driven Events 515

Chapter 8: Layouts 563

Chapter 9: Advanced Workflow 588

Chapter 10: Workflow 632

Adding Workflows to Applications or Questionnaires 634

Chapter 11: Offline Access 646

Chapter 12: User Access Control 660

Access Roles 685

Chapter 13: Communication Tools 722

Troubleshooting Notifications 772

Chapter 14: Data Integration 810

Archer-to-Archer Data Feeds 862

File Transporter 912

FTP Data Feeds 940

FTP Transporter 940

HTTP Data Feeds 968

HTTP Transporter 968

Weak ciphers disabled 968

JavaScript Data Feeds 993

JavaScript Transporter 993

Mail Monitor Data Feeds 1016

Chapter 15: Packaging 1108

Task 1: Backing Up Your Database 1135

Chapter 16: Search and Reporting for Administrators 1163

Chapter 17: Dashboards, iViews, and Workspaces 1180

Chapter 18: Customizing RSA Archer 1204

Translated File Example 1214

Chapter 19: Configuring the Hardware Security Module 1220

Chapter 20: Managing Field Encryption 1223

Chapter 21: Secure Deployment and Usage Settings 1224

Disallow Arbitrary File Uploads 1232

Chapter 22: Physical Security Controls Recommendations 1238

About This Guide 14

Support and Service 14

RSA Archer Documentation 15

About This Guide

Support and Service

Customer Support Information https://community.rsa.com/community/rsa-customer-support

Customer Support E-mail archersupport@rsa.com