Founded in 2002 with >100% growth every year for the last 5 years
Oracle's Pillar Partner for OBI and BI Apps
Top 20 in North America
#1 in North East
Agenda
Introduction
Guidelines for Forms Based Applications
Guidelines for (OA) Framework Pages Based Applications
Virtual Private Database
Guidelines for Reference Views
Guidelines for Workflows
Guidelines for Packages
Public APIs
Other Changes
Q&A
Introduction
Multiple Organizations architecture (Multi-Org) includes a new feature, Multiple Organizations Access Control (MOAC), in Release 12
The Access Control feature is backward compatible, which means that there are no code or procedural changes if MOAC is not implemented (i.e. the user is assigned one operating unit for a responsibility)
The Access Control feature in Release 12 allows the user to enter or query records in one or more operating units without changing application responsibility
Pre-R12: The CLIENT_INFO application context space stores the multiple organizations context value.
the form as the first navigable field.
If the user can access one operating unit only, then the operating unit field displays the default value and its dependent attributes
The user can enter non-multiple organizations stripped data before specifying the operating unit for a record.
The operating unit specific data can be entered only after the user sets the operating unit context.
executes the AOL initialization (fnd_global.apps_initialize()). You must execute the multiple organizations initialization after this call. If you do not follow this order, then the MO: Operating Unit and MO: Security Profile options are not cached for the right context, which results in incorrect initialization for the session.
Create a query-based record group to display the operating units that are included in the security profile for a responsibility
The multiple organizations global temporary table is populated with the operating unit information depending on the MO: Security Profile option
Use the APIs to obtain the operating unit name from the temporary table instead of accessing the temporary table directly
Every form updated for multiple organizations access control must include a call to the multiple organizations initialization API (MO_GLOBAL.init) in the pre-form trigger.
Pass S or M as the input parameter for non-multiple organizations access control enabled and multiple organizations access control enabled applications respectively.
Do not set the "current organization" in different triggers for the new forms.
Use the _ALL tables and include the form block ORG_ID to restrict data for the operating unit that the user selects and avoid Virtual Private Database context switching.
To improve performance in high volume transactional forms, you must avoid policy context.
JTT based user interfaces, similar to the Oracle Forms user interface
Fields that depend on the operating unit are visible after selecting the operating unit or if the profile option defaults the operating unit.
Similar to forms, the OA Framework pages allow users to default an operating unit using the profile option "MO: Default Operating Unit"
BC4J components are available for initializing multiple organizations access control in OA Framework pages
developers to enforce security by attaching a security policy to database objects such as tables, views and synonyms
It attaches a predicate function to every SQL statement issued against the objects, whenever a user directly or indirectly accesses the secure objects
This means that the security is in place irrespective of the tools used to access the data
Do not attach the security policy to base tables directly because there is code around the base tables (_ALL, _ALL_B, _ALL_TL) that must access the operating units.
Package MO_UTILS contains the utilities for administering policies (add policy, drop policy or check if a policy exists on an object).
Steps And Methodology For Custom Development In R12
organization views
Replace it with one secured synonym that has the security policy attached. The remaining references go to _ALL tables instead of single organization views
This improves performance because the policy is used once for the reference views that join data from multiple single organization views
Synonyms replace single organization views that contain the CLIENT_INFO predicate attached to them
The secured synonym is a driving table
The secured synonym includes a small volume of data (typically a setup table and not a transaction table)
the workflow using the multiple organizations profile options: MO: Security Profile, MO: Default Operating Unit
Pre-R12: Set context manually. Set the context in every activity
R12: Set context using callback functions. Callback functions are executed once per session per item key and are more efficient
SET_CTX: Establish context information for an item type and item key combination
Program Multiple Organizations API and MO_GLOBAL.init('<ACCESS_MODE>'), where ACCESS_MODE is S or M, must be executed before executing the program when executing from SQL*Plus or any other tools and when multiple organizations is not initialized.
Multiple organizations is initialized when the programs are invoked through the user interface
It is better to sort the data by operating unit and then process the data belonging to the same organization and reset the context
PO_HEADERS_ALL
A table is created in PO Schema, named PO_HEADERS_ALL
A synonym named PO_HEADERS_ALL is created in APPS schema, referring to PO.PO_HEADERS_ALL
Create a view PO_HEADERS in APPS schema, as "select * from po_headers_all where org_id=client_info"
PO_HEADERS_ALL
A synonym named PO_HEADERS_ALL is created in APPS schema, referring to PO.PO_HEADERS_ALL
Another synonym named PO_HEADERS is created in APPS, referring to PO_HEADERS_ALL
Row Level Security is applied to PO_HEADERS, using package function MO_GLOBAL.ORG_SECURITY.
PO_HEADERS, Oracle will dynamically append a WHERE clause similar to the one below

    SELECT * FROM PO_HEADERS
    WHERE EXISTS (SELECT 1 FROM mo_glob_org_access_tmp oa
                  WHERE oa.organization_id = org_id)

Multi Org Row Level Security can be applied against the table, synonym or the view.
In practice, you will apply VPD against objects (synonyms) in the APPS schema
No code change is required where the pre-R12 Multi-Org secured view was being accessed
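The same pattern applied to a custom table, as an added example that is not part of the original slides. The schema XXCUST, the table XX_ORDERS_ALL and the policy name are hypothetical; the policy is attached with Oracle's standard DBMS_RLS package rather than MO_UTILS, whose signatures the slides do not give.

```sql
-- Base table in the custom schema (hypothetical names), striped by ORG_ID.
CREATE TABLE xxcust.xx_orders_all (
  order_id   NUMBER        PRIMARY KEY,
  org_id     NUMBER        NOT NULL,
  order_num  VARCHAR2(30)
);
GRANT ALL ON xxcust.xx_orders_all TO apps;

-- Unsecured synonym: returns every operating unit's rows.
CREATE SYNONYM apps.xx_orders_all FOR xxcust.xx_orders_all;

-- Secured synonym: this is the object that carries the policy.
CREATE SYNONYM apps.xx_orders FOR xxcust.xx_orders_all;

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APPS',
    object_name     => 'XX_ORDERS',              -- the synonym, not the base table
    policy_name     => 'XX_ORDERS_ORG_SEC',      -- constructed name
    function_schema => 'APPS',
    policy_function => 'MO_GLOBAL.ORG_SECURITY', -- predicate function named on the slide
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE,  -- reject DML that would write rows outside the allowed OUs
    enable          => TRUE);
END;
/

-- Check: exactly one enabled policy on the secured synonym, none on the _ALL synonym.
SELECT object_owner, object_name, policy_name, enable,
       sel, ins, upd, del, chk_option
  FROM dba_policies
 WHERE object_name IN ('XX_ORDERS', 'XX_ORDERS_ALL')
 ORDER BY object_name;

-- In a session where MO_GLOBAL.INIT has not run, mo_glob_org_access_tmp is empty,
-- so the EXISTS predicate matches nothing and the secured synonym returns no rows.
SELECT COUNT(*) AS secured_rows   FROM apps.xx_orders;
SELECT COUNT(*) AS unsecured_rows FROM apps.xx_orders_all;
```

The last two counts make the trust boundary visible: anything that reads XX_ORDERS_ALL bypasses the policy and must filter on ORG_ID itself, so access to the _ALL objects is worth reviewing in custom code.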
What is MO_GLOBAL.INIT
If the new MO security profile is set, then mo_global.init inserts one record, for each Organization in Org Hierarchy, in table mo_glob_org_access_tmp
This package procedure will be called as soon as you log in or as soon as you switch responsibility, just like FND_GLOBAL.INITIALIZE is called.
Call MO_GLOBAL.INIT after FND_GLOBAL.INITIALIZE
The mo_glob_org_access_tmp table is a global temporary table
Hence after Multi Org is initialised for your session, your session will have X number of records in table mo_glob_org_access_tmp. X is the number of organizations assigned to the MO Security profile
Access Control
Single Operating Unit
Access mode is S
One Operating Unit assigned to the MO: Security Profile
MO: Security Profile is not set and the user access depends on MO: Operating Unit
Example:

    SELECT trx_number FROM ra_customer_trx
    WHERE ORG_ID = sys_context('multi_org2','current_org_id')
Access Control
Multiple Operating Units
The security profile provides access to multiple operating units
The access mode is set to 'M' for this case
The statement is dynamically modified to use the policy predicate
The profile option MO: Security Profile takes precedence over MO: Operating Unit
Example:

    SELECT trx_number FROM ra_customer_trx
    WHERE (EXISTS (SELECT 1 FROM mo_glob_org_access_tmp oa
                   WHERE oa.organization_id = org_id))
What is MO_GLOBAL.SET_POLICY_CONTEXT
This procedure has two parameters
p_access_mode
    Pass a value "S" in case you want your current session to work against a single ORG_ID
    Pass a value of "M" in case you want your current session to work against multiple ORG_IDs
p_org_id (only applicable if p_access_mode is passed a value of "S")
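The initialization order and the per-operating-unit processing described for packages and for SET_POLICY_CONTEXT, put together as an added example that is not from the original slides. The three IDs are SQL*Plus substitution placeholders, and PO_HEADERS is assumed to be the secured synonym described earlier.

```sql
SET SERVEROUTPUT ON
DECLARE
  TYPE t_org_ids IS TABLE OF NUMBER;
  l_orgs t_org_ids;
  l_rows NUMBER;
BEGIN
  -- 1. AOL context first, so the MO: profile options are read for the
  --    right user and responsibility (placeholder IDs).
  fnd_global.apps_initialize(user_id      => &user_id,
                             resp_id      => &resp_id,
                             resp_appl_id => &resp_appl_id);

  -- 2. Multi-org initialization second; 'M' = access control enabled.
  mo_global.init('M');

  -- The rows cached here are the session's whole authorization set.
  SELECT organization_id
    BULK COLLECT INTO l_orgs
    FROM mo_glob_org_access_tmp
   ORDER BY organization_id;

  IF l_orgs.COUNT = 0 THEN
    -- With no cached operating units the EXISTS predicate matches nothing,
    -- so fail loudly instead of silently processing zero rows.
    raise_application_error(-20001, 'Multi-org context not initialized');
  END IF;

  -- 3. Work through the data one operating unit at a time, in sorted order.
  FOR i IN 1 .. l_orgs.COUNT LOOP
    mo_global.set_policy_context('S', l_orgs(i));

    SELECT COUNT(*) INTO l_rows FROM po_headers;  -- secured synonym
    dbms_output.put_line('mode='    || mo_global.get_access_mode
                      || ' org_id=' || mo_global.get_current_org_id
                      || ' rows='   || l_rows);
  END LOOP;

  -- 4. Reset, so later statements in this session are not left pinned
  --    to the last operating unit processed.
  mo_global.set_policy_context('M', NULL);
END;
/
```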
available to define the defaulting operating unit
The default operating unit is visible in the Operating Unit field when the form is opened
The user can overwrite the default value with another operating unit which the user can access
Concurrent Programs in the OA Framework pages. The user can query the program or report based on an operating unit by updating the Operating Unit Mode field with one of the following values:
initialized by the concurrent program if the Operating Unit Mode is set to either single or multiple
There is no need to change the code for single org reports.
Pass the current organizations to populate the fnd_request.submit_request() API for single organization concurrent programs
Public APIs
MO_GLOBAL
JTT_INIT (Active): Initialize multiple organizations for JTT based application
is_multi_org_enabled
check_access
get_ou_name
check_valid_org
set_policy_context
get_current_org_id
get_access_mode
get_ou_count
Get_Ledger_Name
get_orgid_fr_ledger
MO_UTILS
Public APIs
MO_UTILS
Forms Personalization
Existed in 11.5.10
What's new in R12
Support for the creation of record group from query. Done to change the underlying WHERE clause for the query for an LOV
Other Changes
Sub-Ledger to General Ledger Reconciliation has been made easy with the SLA data structure and would help with the reporting requirements and the link between the Subledger and General Ledger
The backward compatible views that existed in 11i after TCA was introduced have been removed for Receivables
More reports are XML based in R12