Introduction to Multi-Org Access Control (MOAC) R12


Concepts of MOAC

• MOAC allows users of a single responsibility to perform tasks in multiple operating units without having to switch responsibilities.

What is a Shared Service Center?

• Shared: supplied to multiple business units
• Service: transaction management delivered as a service
• Center: from a centralized operations group

Why a Shared Service Center?

• Consolidate IT and business operations
• Implement self-service operations
• Drive down transaction costs

Goal: shift from local to global systems

[Diagram, 11i: Oracle US contains an East Coast Legal Entity (New York and Florida operating units) and a West Coast Legal Entity (Redwood Shores and Rocklin operating units). The Shared Service Center reaches the invoices, receipts and applications of each operating unit only by changing responsibility.]

[Diagram, R12: the same legal entities and operating units. The Shared Service Center accesses all four operating units without changing responsibility.]

Key to Shared Service Center efficiency

• Separate data security from function security
• Assign many operating units to one responsibility
• Operating unit selected by the user or derived for each transaction

Demo of MOAC w.r.t Profile Options

Access Control Architecture

• Multiple Organization architecture was first introduced in Release 10.6, for data security by operating unit.

• In Release 10.7, an ORG_ID column was added and the base tables were renamed with an _ALL suffix.

• Virtual Private Database (VPD) attaches the predicate produced by a security policy function to every SQL statement issued against the database objects the policy is applied to. MOAC uses this feature for access control in R12.

Access Control Architecture: 11i vs R12

AP schema, AP_INVOICES_ALL table (the same base table in both cases):

  ORG_ID  INVOICE_ID
  1       1000
  1       1001
  1       1002
  2       1003
  2       1004

APPS schema, single operating unit context (the only possibility in 11i):

• AP_INVOICES_ALL: synonym to the AP.AP_INVOICES_ALL table (no restriction)
• AP_INVOICES: synonym with the security policy attached that gives access to ORG_ID = 1 (invoices 1000, 1001, 1002)

APPS schema, multiple operating unit context (R12):

• AP_INVOICES_ALL: synonym to the AP.AP_INVOICES_ALL table (no restriction)
• AP_INVOICES: synonym with the security policy attached that gives access to ORG_ID 1 and 2 (invoices 1000 through 1004)

Some useful objects / APIs / tables

New tables:
• MO_GLOB_ORG_ACCESS_TMP
• FND_MO_PRODUCT_INIT

Profile options:
• MO: Security Profile
• MO: Default Operating Unit

Multi-Org APIs: MO_GLOBAL.check_access, MO_GLOBAL.get_ou_name, MO_GLOBAL.check_valid_org

Policy context APIs: MO_GLOBAL.set_policy_context (procedure), MO_GLOBAL.get_current_org_id (function), MO_GLOBAL.get_access_mode (function)

Org defaulting APIs: MO_UTILS.get_default_ou (procedure), MO_UTILS.get_default_org_id (function)

Public API name                   Feature area
mo_global.init                    Initialize multiple organizations context.
mo_global.jtt_init                Initialize multiple organizations for a JTT based application.
mo_global.is_multi_org_enabled    Check if the Multiple Organizations instance is enabled.
mo_global.check_access            Check if the operating unit is accessible.
mo_global.get_ou_name             Get the operating unit name.
mo_global.check_valid_org         Check if the organization is valid.
mo_global.set_policy_context      Set the application policy context.
mo_global.get_current_org_id      Get the current organization ID in the application context.
mo_global.get_access_mode         Get the application context mode.

New APIs:

Public API name                   Feature area
mo_global.get_ou_count            Get the operating unit count on the access control list.
mo_global.get_valid_org           Get the current default/valid organization.
mo_global.validate_orgid_pub_api  Get the default organization and check if the organization ID is valid. Used by public APIs only.
mo_global.is_mo_init_done         Check if multiple organizations is initialized.
mo_utils.get_ledger_name          Returns the ledger name.
mo_utils.get_ledger_info          Returns information about the ledger.
mo_utils.get_default_ou           Gets the default operating unit from the MO: Default Operating Unit profile or from the current organization.
mo_utils.get_default_org_id       Returns the organization ID of the default operating unit.
mo_utils.check_org_in_sp          Checks if the specified organization is present in the security profile.
mo_utils.check_ledger_in_sp       Checks if all operating units of a ledger are included in the security profile.
mo_utils.check_org_name           Returns the operating unit name for an organization ID.
mo_utils.get_orgid_fr_ledger      Returns the operating unit ID and the number of operating units in the given ledger.

Example 1

The definition of the single organization view RA_BATCHES is shown below. The predicate compares ORG_ID with the operating unit stored in the first ten characters of CLIENT_INFO:

  CREATE OR REPLACE VIEW RA_BATCHES AS
  SELECT "BATCH_ID",
         "LAST_UPDATE_DATE",
         "LAST_UPDATED_BY",
         "CREATION_DATE",
         ...
         "ORG_ID",
         "PURGED_CHILDREN_FLAG",
         "ISSUE_DATE",
         "MATURITY_DATE",
         "SPECIAL_INSTRUCTIONS",
         "BATCH_PROCESS_STATUS",
         "SELECTION_CRITERIA_ID"
    FROM RA_BATCHES_ALL
   WHERE NVL(ORG_ID,
             NVL(TO_NUMBER(DECODE(SUBSTRB(USERENV('CLIENT_INFO'),1,1),
                                  ' ', NULL,
                                  SUBSTRB(USERENV('CLIENT_INFO'),1,10))), -99))
       = NVL(TO_NUMBER(DECODE(SUBSTRB(USERENV('CLIENT_INFO'),1,1),
                              ' ', NULL,
                              SUBSTRB(USERENV('CLIENT_INFO'),1,10))), -99);

This single organization view RA_BATCHES must be replaced by a synonym:

  CREATE SYNONYM RA_BATCHES FOR AR.RA_BATCHES_ALL;

Summary of the changes for a single organization view over a single _ALL table:

1. Drop the single organization view.
2. Create a synonym with the same name as the obsolete single organization view.
3. Attach the policy function to the synonym.

Attach Security Policy to your Tables

  BEGIN
    FND_ACCESS_CONTROL_UTIL.Add_Policy(
      p_object_schema   => '&&1',   -- Apps user name
      p_object_name     => 'FINANCIALS_SYSTEM_PARAMETERS',
      p_policy_name     => 'ORG_SEC',
      p_function_schema => '&&1',   -- Apps user name
      p_policy_function => 'MO_GLOBAL.ORG_SECURITY',
      p_statement_types => 'SELECT, INSERT, UPDATE, DELETE',
      p_update_check    => TRUE,
      p_enable          => TRUE,
      p_static_policy   => FALSE);
  END;
  /

MO_GLOBAL.Org_Security function:

  FUNCTION org_security(obj_schema VARCHAR2, obj_name VARCHAR2) RETURN VARCHAR2
  IS
  BEGIN
    -- Returns different predicates based on the access_mode.
    -- The codes for access_mode are:
    --   M    - Multiple OU Access
    --   A    - All OU Access
    --   S    - Single OU Access
    --   Null - Backward Compatibility - CLIENT_INFO case
    IF g_access_mode IS NOT NULL THEN
      IF g_access_mode = 'M' THEN
        -- rows whose ORG_ID is on the access control list loaded by MO_GLOBAL.init
        RETURN 'EXISTS (SELECT 1 FROM mo_glob_org_access_tmp oa WHERE oa.organization_id = org_id)';
      ELSIF g_access_mode = 'A' THEN
        -- for future use; a NULL predicate means VPD applies no restriction
        RETURN NULL;
      ELSIF g_access_mode = 'S' THEN
        RETURN 'org_id = sys_context(''multi_org2'',''current_org_id'')';
      END IF;
      -- any other non-null mode falls off the end without a RETURN (ORA-06503 at run time)
    ELSE
      RETURN 'org_id = substrb(userenv(''CLIENT_INFO''),1,10)';
    END IF;
  END org_security;

Register Multi-Org Access Enabled in MO table

• Product teams must register their product in the Multi-Org table FND_MO_PRODUCT_INIT to indicate that Multi-Org Access Control is enabled.

• To enable access:

  FND_MO_PRODUCT_INIT_PKG.register_application('XXXCHR', 'SEED', 'Y');

• To delete your application entry:

  FND_MO_PRODUCT_INIT_PKG.remove_application('XXXCHR');

FND_MO_PRODUCT_INIT columns:

  Column name             Size  Type      Rqd  Value
  APPLICATION_SHORT_NAME  80    VARCHAR2  Yes  XXXCHR
  PRODUCT_DEPENDENCY      80    VARCHAR2  Yes  MO

Forms Enhancements

• Multi-Org initialization: include the following code in the PRE-FORM trigger:

  BEGIN
    APP_STANDARD.EVENT('PRE-FORM');
    MO_GLOBAL.init('XXXCHR');
  END;

Multi-Org Initialization

• IMPORTANT: AOL initialization (fnd_global.apps_initialize()) is executed by the app_standard.event() call in the PRE-FORM trigger. Multi-Org initialization must be executed after this call.

• Critical setup (profile options):
  – MO: Security Profile
  – MO: Operating Unit
  – MO: Default Operating Unit
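The steps above (drop the single-org view, create the synonym, attach MO_GLOBAL.ORG_SECURITY, register the product) applied end to end to one custom table, as an added example that is not part of the original slides. The product short name XXXCHR and the FND_ACCESS_CONTROL_UTIL.Add_Policy and FND_MO_PRODUCT_INIT_PKG calls are the ones the slides use; the schema XXCHR, the table XXCHR_DEMO_ALL, its columns, the sample rows and the operating unit IDs 204 and 458 are invented for the example. Step 1 runs as the owner of the XXCHR schema (or a DBA), the rest as APPS.

```sql
-- Added example, not Oracle's code. Assumed schema XXCHR and assumed table
-- XXCHR_DEMO_ALL; operating units 204 and 458 are constructed sample data.

-- 1. Base table in the product schema, carrying ORG_ID (the _ALL pattern).
CREATE TABLE xxchr.xxchr_demo_all (
  demo_id  NUMBER        NOT NULL,
  org_id   NUMBER        NOT NULL,
  note     VARCHAR2(240),
  CONSTRAINT xxchr_demo_all_pk PRIMARY KEY (demo_id)
);
GRANT SELECT, INSERT, UPDATE, DELETE ON xxchr.xxchr_demo_all TO apps;

-- Constructed rows: three in OU 204, one in OU 458 (not real data).
INSERT INTO xxchr.xxchr_demo_all VALUES (1, 204, 'OU 204 row');
INSERT INTO xxchr.xxchr_demo_all VALUES (2, 204, 'OU 204 row');
INSERT INTO xxchr.xxchr_demo_all VALUES (3, 458, 'OU 458 row');
COMMIT;

-- 2. In APPS: no single-org view. One unrestricted synonym for the _ALL table
--    and a second synonym that will carry the MOAC policy (R12 pattern).
CREATE SYNONYM apps.xxchr_demo_all FOR xxchr.xxchr_demo_all;
CREATE SYNONYM apps.xxchr_demo     FOR xxchr.xxchr_demo_all;

-- 3. Attach MO_GLOBAL.ORG_SECURITY to the policed synonym only.
--    p_update_check => TRUE also rejects INSERT/UPDATE that would put a row
--    into an ORG_ID the session cannot see.
BEGIN
  fnd_access_control_util.add_policy(
    p_object_schema   => 'APPS',
    p_object_name     => 'XXCHR_DEMO',
    p_policy_name     => 'ORG_SEC',
    p_function_schema => 'APPS',
    p_policy_function => 'MO_GLOBAL.ORG_SECURITY',
    p_statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    p_update_check    => TRUE,
    p_enable          => TRUE,
    p_static_policy   => FALSE);
END;
/

-- 4. Register the product so MO_GLOBAL.init('XXXCHR') treats it as MOAC-enabled.
BEGIN
  fnd_mo_product_init_pkg.register_application('XXXCHR', 'SEED', 'Y');
END;
/

-- 5. Check what is actually policed: expect exactly one row, for XXCHR_DEMO.
--    XXCHR_DEMO_ALL must NOT appear here; anything reading it bypasses MOAC.
SELECT object_owner, object_name, policy_name, function, sel, ins, upd, del, enable
  FROM all_policies
 WHERE object_owner = 'APPS'
   AND object_name IN ('XXCHR_DEMO', 'XXCHR_DEMO_ALL');

-- 6. Functional check without a responsibility: force single-OU mode for OU 204.
--    With the constructed rows: XXCHR_DEMO returns 2 rows, XXCHR_DEMO_ALL returns 3.
BEGIN
  mo_global.set_policy_context('S', 204);
END;
/
SELECT 'policed'   AS via, COUNT(*) AS rows_seen FROM apps.xxchr_demo
UNION ALL
SELECT 'unpoliced' AS via, COUNT(*) AS rows_seen FROM apps.xxchr_demo_all;
```

The point of step 5 and 6 is the caveat behind the whole synonym pattern: the policy lives on XXCHR_DEMO, not on the base table, so code that reads XXCHR_DEMO_ALL (or the table in the XXCHR schema directly) sees every operating unit. Application code, reports and public APIs exposed to end users therefore go through the policed synonym, and any _ALL access is reserved for code that has already validated the organization with mo_global.check_access or mo_global.validate_orgid_pub_api.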

Exercise

Step 1: before any initialization

  1) SELECT * FROM mo_glob_org_access_tmp;

  2) SELECT hr.name operating_unit, hr.organization_id org_id
       FROM hr_operating_units hr
      WHERE mo_global.check_access(hr.organization_id) = 'Y';

  3) SELECT * FROM ar_system_parameters;

Step 2: after AOL initialization only

  1) BEGIN
       fnd_global.apps_initialize(user_id           => 1013421,
                                  resp_id           => 20678,
                                  resp_appl_id      => 222,
                                  security_group_id => 0);
     END;
     /

  2) SELECT * FROM mo_glob_org_access_tmp;

  3) SELECT hr.name operating_unit, hr.organization_id org_id
       FROM hr_operating_units hr
      WHERE mo_global.check_access(hr.organization_id) = 'Y';

  4) SELECT hr.name operating_unit, hr.organization_id org_id,
            mo_global.check_access(hr.organization_id) accessible
       FROM hr_operating_units hr;

  5) SELECT * FROM ar_system_parameters;

Step 3: after AOL initialization and Multi-Org initialization

  1) BEGIN
       fnd_global.apps_initialize(user_id           => 1013421,
                                  resp_id           => 20678,
                                  resp_appl_id      => 222,
                                  security_group_id => 0);
       mo_global.init('AR');   -- 'SQLAP' for AP
     END;
     /
     ** check table FND_MO_PRODUCT_INIT for the application short name to pass to init

  2) SELECT * FROM mo_glob_org_access_tmp;

  3) SELECT hr.name operating_unit, hr.organization_id org_id
       FROM hr_operating_units hr
      WHERE mo_global.check_access(hr.organization_id) = 'Y';

  4) SELECT * FROM ar_system_parameters;
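The three steps of the exercise collapsed into one anonymous block that also checks the result, added here as an example and not part of the original slides. The user and responsibility IDs are the ones the exercise uses and are taken as given; mo_global.get_access_mode is assumed to return the one-character mode ('S', 'M' or 'A') and mo_global.get_current_org_id a NUMBER, as the ORG_SECURITY function above implies. AR_SYSTEM_PARAMETERS_ALL is the unpoliced APPS synonym for the AR base table, used as the control.

```sql
-- Added example, not Oracle's code. Run in SQL*Plus as APPS with the IDs from the
-- exercise (replace them with your own user / responsibility).
SET SERVEROUTPUT ON
DECLARE
  l_mode     VARCHAR2(1);
  l_org      NUMBER;
  l_cnt_tmp  NUMBER;
  l_cnt_sec  NUMBER;
  l_cnt_all  NUMBER;
BEGIN
  -- Exercise step 2 then step 3: AOL context first, MOAC context second.
  fnd_global.apps_initialize(user_id           => 1013421,
                             resp_id           => 20678,
                             resp_appl_id      => 222,
                             security_group_id => 0);
  mo_global.init('AR');   -- 'SQLAP' for AP; short name must be in FND_MO_PRODUCT_INIT

  l_mode := mo_global.get_access_mode;     -- 'S', 'M' or 'A'
  l_org  := mo_global.get_current_org_id;  -- set in 'S' mode; may be NULL in 'M' mode
  dbms_output.put_line('access_mode=' || NVL(l_mode, 'NULL') ||
                       ' current_org_id=' || NVL(TO_CHAR(l_org), 'NULL'));

  -- The access control list that the 'M' predicate joins against.
  SELECT COUNT(*) INTO l_cnt_tmp FROM mo_glob_org_access_tmp;
  FOR r IN (SELECT hr.organization_id, hr.name
              FROM hr_operating_units hr
             WHERE mo_global.check_access(hr.organization_id) = 'Y'
             ORDER BY hr.organization_id)
  LOOP
    dbms_output.put_line('  accessible OU ' || r.organization_id || ' ' || r.name);
  END LOOP;

  -- Policed synonym vs. unpoliced _ALL synonym (one row per operating unit).
  SELECT COUNT(*) INTO l_cnt_sec FROM ar_system_parameters;
  SELECT COUNT(*) INTO l_cnt_all FROM ar_system_parameters_all;
  dbms_output.put_line('ar_system_parameters=' || l_cnt_sec ||
                       ' ar_system_parameters_all=' || l_cnt_all ||
                       ' access_list=' || l_cnt_tmp);

  -- Checks worth failing on before trusting the setup.
  IF l_mode = 'M' AND l_cnt_sec > l_cnt_tmp THEN
    raise_application_error(-20001,
      'policed synonym returns more OUs than the access list: is ORG_SEC attached to AR_SYSTEM_PARAMETERS?');
  END IF;
  IF l_mode = 'M' AND l_cnt_tmp = 0 THEN
    raise_application_error(-20002,
      'multi-OU mode with an empty access list: check MO: Security Profile on the responsibility');
  END IF;

  -- Narrow to one OU, as a form does once the user picks an operating unit.
  -- Assumed choice: the current OU if set, otherwise the lowest ID on the list.
  IF l_org IS NULL THEN
    SELECT MIN(organization_id) INTO l_org FROM mo_glob_org_access_tmp;
  END IF;
  IF l_org IS NOT NULL THEN
    mo_global.set_policy_context('S', l_org);
    SELECT COUNT(*) INTO l_cnt_sec FROM ar_system_parameters;
    dbms_output.put_line('after set_policy_context(S,' || l_org ||
                         ') ar_system_parameters=' || l_cnt_sec);   -- expect at most 1
  END IF;
END;
/
```

Reading the output: the unpoliced count stays constant across all three states of the exercise while the policed count tracks the access mode, which is the evidence that filtering comes from the VPD policy on AR_SYSTEM_PARAMETERS and not from the responsibility itself. The two raise_application_error branches turn the manual comparison of the exercise into a check that can be run after a clone or a policy change.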