Scribd Logo
Upload

Welcome to Scribd!

  • 672 views

    R12 - MOAC Environment Setup

    Uploaded by

    satyapadhy
    Oracle uses row-level security (RLS) to implement multi-organization access control (MOAC) in Release 12 of Oracle Applications. All multi-organization tables now have synonyms in the APPS schema with a security policy defined. To set the multi-organization context programmatically, call FND_GLOBAL.APPS_INITIALIZE and MO_GLOBAL.INIT, which populate a temporary table used by the RLS policy to restrict data access based on the user's organization access.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd

    R12 - MOAC Environment Setup

    Uploaded by

    satyapadhy
    672 views3 pages
    Oracle uses row-level security (RLS) to implement multi-organization access control (MOAC) in Release 12 of Oracle Applications. All multi-organization tables now have synonyms in the APPS schema with a security policy defined. To set the multi-organization context programmatically, call FND_GLOBAL.APPS_INITIALIZE and MO_GLOBAL.INIT, which populate a temporary table used by the RLS policy to restrict data access based on the user's organization access.

    Original Title

    R12_MOAC environment setup

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Oracle uses row-level security (RLS) to implement multi-organization access control (MOAC) in Release 12 of Oracle Applications. All multi-organization tables now have synonyms in the APPS schema with a security policy defined. To set the multi-organization context programmatically, call FND_GLOBAL.APPS_INITIALIZE and MO_GLOBAL.INIT, which populate a temporary table used by the RLS policy to restrict data access based on the user's organization access.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Download as doc, pdf, or txt
    672 views3 pages

    R12 - MOAC Environment Setup

    Uploaded by

    satyapadhy
    Oracle uses row-level security (RLS) to implement multi-organization access control (MOAC) in Release 12 of Oracle Applications. All multi-organization tables now have synonyms in the APPS schema with a security policy defined. To set the multi-organization context programmatically, call FND_GLOBAL.APPS_INITIALIZE and MO_GLOBAL.INIT, which populate a temporary table used by the RLS policy to restrict data access based on the user's organization access.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Download as doc, pdf, or txt
    of 3

    R12: How MOAC environment is setup programmatically

    Pre-requisites for understanding how MOAC works in R12 are (Although these are not mandatory but knowledge of these would definitely help),

    1. Setting ORG context prior to R12 version


    Prior to R12, if you want to set ORG context in Oracle apps on any multi org table then following need to be done,

    a. Create the table


    b. Create a view on the table with following condition

    WHERE NVL (org_id,


    NVL (TO_NUMBER (DECODE (SUBSTRB (USERENV ('CLIENT_INFO'), 1, 1),
    ' ', NULL,
    SUBSTRB (USERENV ('CLIENT_INFO'), 1,
    10)
    )
    ),
    -99
    )
    ) =
    NVL (TO_NUMBER (DECODE (SUBSTRB (USERENV ('CLIENT_INFO'), 1, 1),
    ' ', NULL,
    SUBSTRB (USERENV ('CLIENT_INFO'), 1, 10)
    )
    ),
    -99
    );

    As an example, let us consider the PO_HEADERS_ALL table. This is owned by PO schema having records for every operating unit. To implement Org
    security, a view has been created on top of it i.e. PO_HEADERS and is being owned by APPS schema.

    If you see the content of this view, you would see the view has been created by accessing the value of CLIENT_INFO session field value which is being set by
    respective applications like PO, AP using DBMS_APPLICATION_INFO.SET_CLIENT_INFO API.

    So, if you want to give the access only for US operating unit (lets assume the ORG_ID to be 100) then you set

    begin
    dbms_application_info.set_client_info(100);
    end;

    If you query PO_HEADERS after the above statement is executed in your session then you would see all the POs only for operating unit 100. This
    is to secure the data as per the user access,

    You can also use FND_CLIENT_INFO.SET_ORG_CONTEXT API to set the ORG context which ultimately uses the above to set the ORG context.

    begin
    fnd_client_info.set_org_context(100);
    end;

    This is how all the applications (PO, AP etc) set the CLIENT_INFO field and set the ORG_CONTEXT prior to R12.

    2. RLS (Row level security)

    RLS feature was introduced in Oracle since Oracle 8i. The prime feature of RLS is implementing row level security while reading / inserting /
    deleting the data from the Database. In brief, you can use RLS to restrict data based on user permissions / privileges.

    How MOAC works in R12


    In R12, Oracle applications use RLS feature to implement MOAC.

    Now going back to our same example- PO_HEADERS_ALL table.


    In R12 these tables are still owned by PO schema but what changed is the view now no longer exist in R12. In R12, the multi org based views
    have been replaced with SYNONYMS in APPS.
    So, for PO_HEADERS_ALL you now would see PO_HEADERS synonym in APPS schema pointing to APPS.PO_HEADERS_ALL table.

    Now if you query the following in R12 APPS DB,

    SELECT * FROM DBA_POLICIES WHERE OBJECT_NAME='PO_HEADERS'

    You would see the following,


    As seen in the picture above, whenever you query PO_HEADERS in R12, the DB is going to apply the policy defined on this synonym which in turn
    would call MO_GLOBAL.ORG_SECURITY API. This API returns the predicates which would be automatically applied to the query by Oracle DB.
    If you check the content of this API, you would see that it basically prepares the where condition for the ORG_ID to which user has access to,
    which is being read from the TEMP table MO_GLOB_ORG_ACCESS_TMP.
    MO_GLOBAL.INIT API is there in "prior to R12" releases but it was not being used in the RLS and there is no policy defined on the multi-org
    enabled tables / views.

    The temp table is populated when you set user / org context.

    Prior to R12, FND_CLIENT_INFO.SET_ORG_CONTEXT is used to set the ORG context


    This would set the ORG Context and then the multi org related views can be accessed which would return records only for that operating unit.

    But from R12, following is used to set the org context

    --Use FND_GLOBAL.APPS_INITIALIZE API to set the user environment


    --Use MO_GLOBAL.INIT to populate the temp table MO_GLOB_ORG_ACCESS_TMP based on the responsibilities to which the user has access to and which
    would then be used by the RLS security policy.

    After you set these up, if you query PO_HEADERS synonym then Oracle DB would automatically add the predicate (the list of operating units to
    which user has access to) to the query and would only return rows for the operating units to which user has access to.

    For e.g. run the following in R12,


    (Refer my earlier post on "how to setup MOAC in R12" to see the operating units that OPERATIONS user has access to)

    begin

    FND_GLOBAL.APPS_INITIALIZE(1318 ---user 'OPERATIONS'


    ,20639 ---responsibility "Payables Manager"
    ,200 ---Application "Oracle Payable"
    );

    MO_GLOBAL.INIT('SQLAP');

    end;

    Then query the temp table,


    select * from MO_GLOB_ORG_ACCESS_TMP

    Now the query returns the list of operating units to which OPERATIONS user has access to. And if you query from PO_HEADERS, you would see
    result from these operating units.

    Summary:
    A. Oracle uses RLS to implement MOAC in R12
    B. All multi-org tables now have synonym in APPS
    C. The synonyms now have a policy defined which can be found in DBA_POLICIES
    D. To setup multi-org context in R12 from the back end programmatically,
    1. Call FND_GLOBAL.APPS_INITIALIZE
    2. Call MO_GLOBAL.INIT
    How is CLIENT_INFO being replaced in R12?
    Let’s take an example.
    In pre Release 12, you would have had following methodology for PO_HEADERS_ALL
    a. A table is created in PO Schema, named PO_HEADERS_ALL
    b. A synonym named PO_HEADERS_ALL is created in APPS schema, referring to PO.PO_HEADERS_ALL
    c. Create a view PO_HEADERS in APPS schema, as "select * from po_headers_all where org_id=client_info"

    But now in R12, following will happen


    a. A table is created in PO Schema, named PO_HEADERS_ALL
    b. A synonym named PO_HEADERS_ALL is created in APPS schema, referring to PO.PO_HEADERS_ALL
    c. Another synonym named PO_HEADERS is created in APPS, referring to PO_HEADERS_ALL
    d. A Row Level security is applied to PO_HEADERS, using package function MO_GLOBAL.ORG_SECURITY.
    This can be double-checked by running SQL select * from all_policies where object_name='PO_HEADERS'
    e. The effect of this policy is that,whenever you access PO_HEADERS, Oracle RLS will dynamically append WHERE CLAUSE similar to below
    SELECT * FROM PO_HEADERS WHERE EXISTS (SELECT 1 FROM mo_glob_org_access_tmp oa WHERE oa.organization_id = org_id)
    Also see **** below, latter

    Does this mean, if I create a new custom table, I will have to apply RLS [ Row Level Security ] against Custom table too?
    Yes indeed, if it contains data partitioned by ORG_ID. All you need to do in such case is to assign package function MO_GLOBAL.ORG_SECURITY to
    that table/synonym/view.

    Will the Multi Org Row Level security be applied against the table or the synonym or the view?
    In theory, RLS can be applied against any of the above objects. However in practice, you will apply RLS against Objects in APPS Schema. This
    means, you will most probably apply RLS on Synonyms. Basically, the Multi Org Views are now replaced by RLS Secured Synonyms. Hence no code
    change is required where the pre-R12 Multi-Org secured view was being accessed. The responsibility of securing data as per ORG_ID now
    lies with RLS [also known as VPD - Virtual Private Database].

    I have made changes to my Multi Org Security Profile, by attaching a new Org Hierarchy. Do i need to run any process?
    Just like we do in HRMS, it is advised that any changes to Security Profiles must be followed by running "Security List Maintenance"

    What is MO_GLOBAL.INIT
    Purpose of mo_global.init :-
    It will check if new Multi Org Security Profile is set, to decide if new Security Profile method will be used.
    If the new MO security profile is set, then mo_global.init inserts one record, for each Organization in Org Hierarchy, in table
    mo_glob_org_access_tmp

    When & from where is mo_global.init called ?


    This package procedure will be called as soon as you login or as soon as you switch responsibility. Just like FND_GLOBAL.INITIALIZE is called.
    It is safe to assume that Oracle will invoke MO_GLOBAL.INIT after FND_GLOBAL.INITIALIZE

    Is mo_glob_org_access_tmp table a global temporary table?


    Yes, it is. Hence after Multi Org is initialised for your session, your session will have X number of records in table mo_glob_org_access_tmp.
    X is the number of organizations assigned to MO Security profile [view org hierarchy or org list in security profile]

    What is the purpose of MO_GLOBAL.ORG_SECURITY?


    The purpose of Row-Level-Security is to hide certain data[based on some conditions]. RLS does so by appending a where clause to the secured
    object.
    1. MO_GLOBAL.ORG_SECURITY is a function that returns a predicate for the WHERE CLAUSE
    2. The where clause will be appended to Table/Synonym/View for which Multi Org Row Level security is enabled

    What is the purpose of MO_GLOBAL.SET_POLICY_CONTEXT ?


    This procedure has two parameters
    p_access_mode
    Specifies the operating unit access. 'S' for
    Single, 'M' for Multiple, 'A' for All
    p_org_id
    only applicable if p_access_mode is passed value of "S"

    In SQL*Plus, I wish to set my session to work against a specific Org [one single org]. How do I do that in R12
    SQL>> exec MO_GLOBAL.SET_POLICY_CONTEXT('S',101);
    In the above case, ORG_ID 101 will be assigned as current org for your session.
    Internally, following code in blue will be executed by Oracle when you set your context to single Org,
    dbms_session.set_context('multi_org2', 'current_org_id', 101);

    **** If the current database session is initialised for Single Org[as in above step], then Where clause appended to object by Row-Level-
    Security will be
    WHERE org_id = sys_context('multi_org2','current_org_id')

    Why will I as a Apps Techie ever use MO_GLOBAL.SET_POLICY_CONTEXT ?


    Lets say you wish to call an API to create invoices in ORG_ID 101. In case the API does not have a parameter for Org_id, you can do the below
    a. exec MO_GLOBAL.SET_POLICY_CONTEXT('S',101)
    b. Call the Invoice API, which will internally read the ORG_ID from MO Current Context.

    From SQL*Plus, I wish to simulate login to a specific responsibility. How do I do this?


    a. Call FND_GLOBAL.INITIALIZE
    This will set your responsibility id, user_id etc
    b. call MO_GLOBAL.INIT
    This will read the MO profile option values for your responsibility/user, and will initialize the Multi Org Access.

    You might also like