Sunteți pe pagina 1din 9

MultiOrganizationsAccessControl(MOAC)

ThenewfeatureinR12enablescompanieswantingtoimplementasharedservicesoperating
modeltoefficientlyprocessbusinesstransactionsbyallowingthemtoaccess,processand
reportondataforanunlimitednumberofoperatingunitswithinasingleapplications
responsibility.

WithMOAC,userscan:
PerformmultipletasksacrossOperatingUnitswithoutchangingresponsibilitiessuchas
invoiceentry,orderprocessing,bankpaymentsetc.thusimprovingtheefficiencyoftransactions
forcompaniesthathavecentralizedbusinessfunctionsoroperateSharedServiceCenters
Obtainbetterinformationfordecisionmakingsuchas,accessingsupplierandcustomersite
levelsdetailsacrossmultipleOUs
Speedupdataentry
Reducesetupandmaintenanceofmanyresponsibilities

HowMOACworkstechnically:
MOACisinitializedwhenyouopenaForm,OracleEBSpageoraReportorsubmitthe
concurrentprogram.ThefirstMOACcallchecksiftheprofileMO:SecurityProfilehasavalue.If
Yes,thenthelistofoperatingunitstowhichaccessisallowedisfetchedandthelistofvalues
(LOV)ispopulated.ThislistofvaluesisnothingbutlistofOUsassociatedwiththeSecurity
ProfileattachedtoMO:SecurityProfile.SecurityprofilesaredefinedwiththehelpoftheHR
responsibility.Then,defaultvalueoftheLOVissettotheoperatingunitspecifiedinMO:Default
OperatingUnit.

WhentheprofileMO:SecurityProfiledoesnothaveavalue,MOACswitchestothe11isingle
organizationmode.Asin11i,theprofileMO:OperatingUnitischeckedandtheoperatingunitis
initializedtotheonedefinedinit.

TheimportantpointtonotehereisthattheprofileMO:OperatingUnitisignoredwhenthe
profileMO:SecurityProfileisset.

MOACsetups:
FollowingarethebasicstepstobeperformedinordertoenableMOACfeature:

1. DefineSecurityProfiles(usingformfunctionDefineGlobalSecurityProfile)
Enterauniquenameforthesecurityprofile.
Torestrictaccessbydiscretelistoforganizations,selectSecureorganizationsby
organizationhierarchyand/ororganizationlistfortheSecurityType.
ChecktheExcludeBusinessGroupcheckboxtoremovethebusinessgroupinthelistof
organizations.
UsetheClassificationfieldtolimitthelistofvalues(LOV)intheOrganizationNamefield.
Forexample,ifyouselecttheclassificationtoOperatingUnit,onlyoperatingunitswill
displayintheLOV.
Intheorganizationnamefield,selecttheOperatingUnitforwhichyouwantaccess.

Repeatuntilyouhaveincludedallorganizationstowhichyouneedaccess.
2. RuntheconcurrentprogramSecurityListMaintenanceProgramfromthestandard
requestsubmissionform.TheSecurityListMaintenanceProgramcanberunforasingle
namedsecurityprofiletopreventimpacttoothersecurityprofiles.
3. AssignappropriatesecuritytotheprofileoptionMO:SecurityProfileforyourusersand
responsibilities
NavigatetotheSystemAdministratorresponsibility>SystemProfileOptions
AssignthesecurityprofilestoMO:SecurityProfileforyourresponsibilitiesand/orusers.


4. AssignavalueforprofileoptionMO:DefaultOperatingUnit(Optional)
NavigatetoSystemAdministratorResponsibility>SystemProfileOptions
AssignadefaultoperatingunittoMO:DefaultOperatingUnitprofileoptionforyour
responsibilitiesand/oruser.
5. AssignMO:OperatingUnit(MandatoryforonlySingleOrgorifMO:SecurityProfileisnot
defined)
NavigatetoSystemAdministratorResponsibility>SystemProfileOptions
AssigntheOperatingunittoMO:OperatingUnitprofileoptionforyourresponsibilityor
user.
NoteFromtheabovescreenshotswecanconcludethatuserwithpurchasingresponsibilitywillbeable
toaccessdatafromtwoOperatingUnitsVisionOperationsandVisionServices.

DevelopersInsight:
Toincreasetheflexibilityandperformanceinamultipleorganizationsenvironmentand
providethesamelevelofdatasecurity,theDBMSVirtualPrivateDatabase(VPD)featurereplaces
theCLIENT_INFOfunction.

TheVirtualPrivateDatabase(VPD)featureallowsdeveloperstoenforcesecuritybyattachinga
securitypolicytodatabaseobjectssuchastables,viewsandsynonyms.Itattachesapredicate
functiontoeverySQLstatementtotheobjectsbyapplyingsecuritypolicies.Whenauserdirectly
orindirectlyaccessesthesecureobjects,thedatabaserewritestheusersSQLstatementto
includeconditionssetbysecuritypolicythatarevisibletotheuser.

MOACChangestoCustomCodewhileupgradingtoR12from11i-DuringR12upgradethemajor
taskistoenabletheMOACfeaturetocustomcode.Followingistherecommendedapproachto
achieveMOACimplementedinrealaspecttocustomcode:

1) MultipleOrganizationsViews/TablesChangesSingleOrganizationView
Dropthesingleorganizationview
Createasynonymwiththesamenameastheobsoletesingleorganizationview
Attachapolicyfunctiontothesynonym

ReferenceViews
AddtheORG_IDcolumnifitdoesnotexist
Replacesingleorganizationviewswith_ALLtablesforallexceptone,whichmustbea
securedsynonym
IncludetheORG_IDfilterinthewhereclauseoftheviewtoavoidthecartesianproduct,if
theORG_IDisthedrivingkeyorpartofthecompositekey
IncludetheORG_IDparameterinthecolumnsbasedonfunctions,ifnecessary

2) EnhancementstoFormsThemultipleorganizationssetupandtransactionformsmust
displaytheOperatingUnitfield.Thisallowsuserstoselecttheoperatingunitandenter
thesetuportransactionfortheoperatingunit.Oraclerecommendsderivingtheoperating
unitsfromthetransactionattributes.

1. EnhancementstoReportsandConcurrentPrograms
YoumustremovereferencesofCLIENT_INFOandNVLfunctiontotheORG_IDcolumnin
thereports.
SingleOrganizationReportsTheoperatingunitmodeforsingleorganizationreportsare
flaggedasSINGLEintheDefineConcurrentProgramspage.
CrossOrganizationReportsTheOperatingUnitmodeforcrossorganizationreportsare
flaggedasMULTIPLEintheDefineConcurrentProgramspage.
2. EnhancementstoPublicAPIs
DonotusethemultipleorganizationstemporarytabledirectlyintheSQLquery.
RewritetheSQLjoinswithtwoormoreviewstousejustonesecuredsynonymdepending
onthedrivingtableforthequeryandreplacetheremainingviewsby_ALLtables.
AddtheORG_IDtotheWHEREclauseoftheSQLtoavoidcartesianjoinsfortablesthat
includeORG_IDthecompositeordrivingkey.
UseMO_GLOBAL.Set_Policy_Context.
ThisAPIhas2parameters1.Operatingunit2.Context
Contexthas2values1.M2.S
WhenpolicycontextissettoM,datafromallaccessibleOperatingUnitswillbereturned.
WhenpolicycontextissettoS,thenonlydatafromthespecifiedOrg_Idwillbereturned.
ProductsmustcalltheMO_GLOBAL.init()APItoexecutethemultipleorganizations
initialization.
3. EnhancementstoWorkflows
Withmultipleorganizationsaccesscontrol,youmustsetthecurrentorganizationIDand
nottheCLIENT_INFOorgcontext.YoumustderivethecurrentorganizationIDfromitem
keys.DonotrelyonMO:SecurityProfile,MO:DefaultOperatingUnit,andMO:Operating
Unitprofileoptionswhensettingtheorganizationcontextbecausetheoperatingunit
mustbevalidatedbeforeinitiatingtheworkflow.

R12 Multi-Org Access Control (MOAC)


oracleapps88.blogspot.in/2011/08/r12-multi-org-access-control-moac.html

'Multi-Org Access Control' popularly known as 'MOAC' in short form is a enhanced feature in Release 12. MOAC will
enable users to access secured data in one or more Operating Units from a single responsibility.

End-Users can access/transact data within several operating units based on Security Profile attached to a responsibility.
i.e. End-Users can access/transact data on multiple Operating units by accessing one operating unit at a time without
changing a responsibility. This Provides flexibility for end-users to work conveniently with multiple Operating Units in
shared service Environments with single responsibility.

Profile Options which take major Role in MOAC


MO: Security Profile
MO: Default Operating Unit(Optional)
MO: Operating Unit(Mandatory for only Single Org or if MO: Security Profile is not defined)

MOAC Configuration
1. Define Operating Units
Navigation Path:

2.Define Security Profile


Navigation Path: HRMS Management responsibility->Security
Security Profile: Allows you to assign multiple operating units for the same business group.
Global Security Profile: Allows you to assign multiple operating units across business groups.

Choose a Security Profile menu item.

1/3
1.Enter a unique name for the security profile.
2.There are 4 security types:

View all organizations generally the application will not let you save a new security profile with this setting
because it automatically seeds one and there is no point to create another.
Secure organizations by organization hierarchy and/or organization list This lets you define a hierarchy to be
accessed and to exclude operating units from that hierarchy or include them from outside the hierarchy. You can
also just list operating units without designating a hierarchy.
Secure organizations by single operating unit In this case the operating unit will be determined using the
operating unit specified in the MO:Operating Unit profile option.
Secure organizations by operating unit and inventory organizations Here the operating unit will also be
determined using the operating unit specified in the MO:Operating Unit profile option.

To restrict access by discrete list of organizations, select 'Secure organizations by organization hierarchy and/or
organization list for the Security Type'.
3.Check the Exclude Business Group check box to remove the business group in the list of organizations.
4.Use the Classification field to limit the LOV in the Organization Name field. For example, if you select the Classification
to Operating Unit, only Operating Units would display for the LOV in the 'Organization Name' field.
5.In the organization name field, select the Operating Unit for which you want access. Repeat this step until you have
included all organizations that you need access.

Seeded Security Profiles

1. One for each business group that allows access to each org in the business group. This has the same name as the
business group. Since this allows access within a business group, it is in the security profile form.
2. One that allows access to all orgs. This is named like Global Vision. Since it allows access across business groups,
it is in the global security profile form.

So if you want to allow access to all organizations or all organizations in one business group, you can use one of the
seeded security profiles.

3.Run concurrent program "Security List Maintenance Program" from the standard request submission form. The
"Security List Maintenance Program" could be preferably run for one named security profile to prevent disturbing other
security profile setup.

4.Assign MO: Security Profile


Navigate to System Administrator Responsibility->System Profile OptionsAssign the security profile to MO: Security
2/3
Profile profile option for your responsibility or user.

5.Assign MO: Default Operating Unit(Optional)


Navigate to System Administrator Responsibility->System Profile Options
Assign the default Operating unit to MO: Default Operating Unit profile option for your responsibility or user.

6.Assign MO: Operating Unit(Mandatory for only Single Org or if MO: Security Profile is not defined)
Navigate to System Administrator Responsibility->System Profile OptionsAssign the Operating unit to MO: Operating Unit
profile option for your responsibility or user.

If both 'MO: Security Profile' and 'MO: Operating Unit' are defined at a responsibility level then 'MO: Operating Unit' will be
ignored and 'MO: Security Profile' will be effective.

Now you can see multiple operating units in below MOAC enabled form

3/3
Mandatory profiles for Multi Org
govoracleapps.wordpress.com/2013/07/20/mandatory-profiles-for-multi-org/

HR:User Type

It limits field access on windows shared between Oracle Human Resources and Oracle Payroll. Its set at
responsibility level.Below values can be assigned

HR User
HR with Payroll User
Payroll User

If you do not use Oracle Payroll, it must be set to HR User.

HR: Security Profile

It restricts access to the organization, positions and payrolls defined in the security profile. This option is
predefined at Site Level with the view-all security profile created for the Setup Business Group.

If you use Standard HRMS security you must set up the HR: Security Profile profile option for each responsibility.

If you use Security Groups Enabled security, you must not set up the HR: Security Profile profile option. This is
set up automatically when you assign security profiles using the Assign Security Profile window.

HR:Business Group

This profile option determines the business group linked to a responsibility. The Setup Business Group is
defaulted at Site level.

If you use Standard HRMS security this option is automatically set up when you enter the HR: Security Profile
profile option, except in cases where you are using a global security profile (that is, a security profile that does
not specify a business group). In this case, you must specifically set up this option for each responsibility.

MO: Security Profile

Assign this profile option to a responsibility,so that a user with this responsibility can access multiple operating
units.

After you define your security profiles and run the Security List Maintenance program, you can assign them to
responsibilities or users using the MO: Security Profile profile option. If you set the MO: Security Profile profile
option, you can also set the MO: Default Operating Unit profile option to specify a default operating unit.

If the MO: Security Profile is set, then the MO: Operating Unit profile is ignored.

MO: Operating Unit

Assign this profile option to an application responsibility, so that user with this responsibility can access one
operating unit.

MO: Default Operating Unit

Use this profile option to specify a default operating unit from the list of operating units assigned to your
responsibility through the MO: Operating Unit or MO: Security Profile.

Note: If the MO: Operating Unit is set or you have assigned only one operating unit in the MO: Security Profile
profile option, then that single operating unit will be your default operating unit.

1/2
GL: Data Access Set

Oracle General Ledger uses the GL: Data Access Set profile option to determine the ledgers you have access to.
If you want users to access different ledgers for different operating units from the same responsibility, you should
define a data access set and then assign it to the GL: Data Access Set profile option for each General Ledger
responsibility. You can group multiple ledgers that share the same chart of accounts, calendar, and period type
in a data access set or a ledger set

GL Ledger Name & GL Ledger ID

This profile is for assigning the Ledger to a responsibility. This profile option controls the ledger that each
subledger will use for transaction processing.The ledger assigned to the GL Ledger Name profile option will
automatically be assigned to the GL: Data Access Set profile option.

GL Set of Books Name & GL Set of Books ID

This profile is for assigning the set of books to a responsibility

2/2

S-ar putea să vă placă și