white paper multi-org access control uptake r12 vimp

WHITE PAPER – TO ENHANCE/ UPTAKE MULTIPLE ORGANIZATION ACCESS CONTROL FOR R12 UPGRADE ORACLE APPS  Author: Anuj Kumar Creation Date: 01-Feb-2008  Last Updated: 05-Feb-2008  File ame: !ersion: 1"0  #tatus: For $e%ie& 'a(e 1 of 68 Comp!" Co!#$%!&'(

Upload: nagendra

Post on 28-Feb-2018




0 download


Page 1: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 1/69



  Author: Anuj Kumar Creation Date: 01-Feb-2008

  Last Updated: 05-Feb-2008

  File ame:

!ersion: 1"0

  #tatus: For $e%ie&

'a(e 1 of 68

Comp!" Co!#$%!&'(

Page 2: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 2/69


) 1.""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Introduction


1"1 A))ess Control"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*

1"2 #ele)t +peratin( Unit"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""5

) 2.""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Business Needs


2"1"1 +r(ani,ation #e)urit +%er%ie&"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""".

) 3."""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Functional Feature Descriptions8

/"1 A))ess Control - Foundations""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""8

/"1"1 Deinin( #e)urit based on ierar)h or a List o +peratin( Units"""""""""""""""""""""""""""""8/"1"* 'ro)ess Flo&"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""/"1"5 Assi(n 3+: #e)urit 'roile to Appli)ation $esponsibilit""""""""""""""""""""""""""""""""""""""""10

/"2 #pe)ii)ations to +ra)le Forms""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""11

/"2"1 #ele)t +peratin( Unit For #etup and 4ransa)tion Forms"""""""""""""""""""""""""""""""""""""""""""11/"2"/ +peratin( Unit Deault""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""1

/"* $eportin(""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""1.

/"*"1 #in(le +r( $eports"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""1./"*"2 Cross +r( $eports""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""1./"*"/ Deine Con)urrent 'ro(rams 6indo&"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""18

/"5 Con)urrent 'ro(rams 7others than reports"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""18

/"5"1 #in(le +r( Con)urrent 'ro(rams""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""18

/" 'ubli) A'9s"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""1

/". 6orlo&s""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""1

) 4."""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Technical Feature Descriptions


*"1 A))ess Control Ar)hite)ture""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""21

*"1"1 ;a)(round""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""21*"1"2 !irtual 'ri%ate Database 7!'D"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""21*"1"/ 3ulti-+r( #e)urit 'oli) 'redi)ate""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""22*"1"* 3ulti-+r( 9nitiali,ation"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""2**"1"5 Datamodel Desi(n""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""2.*"1" 'roile +ptions""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""28*"1"8 3ulti-+r( A'9s""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""2

."2 3ulti-+r( !ie&s<4ables Chan(e""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""/2

'a(e 2 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 3: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 3/69

."2"1 =nor)e +4 ULL )onstraint on +$>?9D )olumn""""""""""""""""""""""""""""""""""""""""""""""""""/2

."2"2 3odi our Database !ie&s"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""//*"2"/ Atta)h #e)urit 'oli) to our database obje)ts""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*5*"2"* $emo%e Dependen) on 3ulti-+r( in A+L tables""""""""""""""""""""""""""""""""""""""""""""""""""""""**"2"5 $e(ister 3ulti-+r( A))ess =nabled in 3+ table""""""""""""""""""""""""""""""""""""""""""""""""""""""""*

*"/ Forms =nhan)ements"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*.

*"/"1 3ulti-+r( 9nitiali,ation"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*.*"/"2 Add +peratin( Unit Field""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*.*"/"/ Create L+! or +peratin( Unit ield"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*.

*"/"* Deault +peratin( Unit on orms startup"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*8*"/" #ettin( the Dnami) 'oli) Conte@t""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""**"/" 3odi $e)ord >roups or +peratin( Unit spe)ii) ields""""""""""""""""""""""""""""""""""""""""""5.*"/"10 Add +$>?9D predi)ate in Client<#er%er Code"""""""""""""""""""""""""""""""""""""""""""""""""""""""""5*"/"11 3odi table handlers""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""0*"/"12 Allo& uer on +peratin( Unit ield""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""2*"/"1/ andle Fle@ields"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""/*"/"1* andle +peratin( Unit %alue )han(e""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

*"* =nhan)ement to $eports""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

*"*"1 +%er%ie&""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*"*"1 #in(le +r( $eports"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""*"*"2 Cross +r( $eports"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""".

*"5 Con)urrent 'ro(ram =nhan)ements"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""".*"5"1 +%er%ie&"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""".*"5"2 #in(le +r( Con)urrent 'ro(rams"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""".*"5"/ 3ultiple +r( Con)urrent 'ro(rams""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""".

) 5."""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" Glossar


'a(e - of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 4: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 4/69

1. Introduction

4his 6hite 'aper on 3ulti-+r( A))ess Control Uptae<enhan)e do)ument pro%ides un)tional andte)hni)al spe)ii)ations or ne& 3ulti-+r( ar)hite)ture and the tas to Con%ert an )ustom )ode as anup(rade"

1.1 "ccess Control

4he 3ulti-+r( A))ess Control eatureB also no& as #e)urit b +peratin( UnitB &ill enable users toa))ess to se)ured data in one or more +peratin( Units &ithin one responsibilit" 4he eature uses#e)urit 'roile )on)ept introdu)ed in $elease 11i +ra)le uman $esour)es 3ana(ement #stemB &hi)hallo&s sstem administrator to predeine the s)ope o a))ess pri%ile(e as a proile option" A se)urit proile ma be deined in hierar)hi)al or listin( modeB &hi)h ma )onsist one or more +peratin( Units"

A proile optionB 3+: #e)urit 'roileEB is used to asso)iate predeined se)urit proile to a userresponsibilit"

4he ollo&in( t&o pro)ess lo&s illustrate )urrent and ne& models or deinin( 3ulti-+r("

'a(e . of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 5: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 5/69

D e f in e O p e r a t i n g

U n i t s

S T E P 1

D e f i n e

O r g a n i z a t io n

H i e r a r c h y

E x i s t i n g S e c u r i t y

M o d e l

S T E P 2

D e f i n e S e c u r i t y

P r o f i l e

S T E P 3

R u n S e c u r i t y L i s t

a i n t e n a n c e

P r o g r a !

S T E P "

S e t O # S e c u r i t y

P r o f i l e

D e f in e O p e r a t i n g

U n i t s

N e w S e c u r i t y

M o d e l

S T E P 1

D e f i n e

O r g a n i z a t i o n

H i e r a r c h y

$ s t h e r e a n

  O U h i e r a r c h i c a l

s t r u c t u r e %

S T E P 2

D e f i n e S e c u r i t y

P r o f i l e & R u n

S e c u r i t y L i s t

a i n t e n a n c e

P r o g r a !

S T E P 3

S e t O # S e c u r i t y

P r o f i l e

S T E P "

S e t U s e r D e f a u l t


S T E P '

R u n ( c c e s s

) a l i* a t io n R e p o r t

+ e s

, o

Fi#ure 1 $rocess Flo% &or 'peratin# (nit )ecurit

1.2 )elect 'peratin# (nit

6ith the abilit to a))ess multiple 3ulti-+r( +peratin( Units rom a sin(le appli)ation responsibilitBusers are able to enter setup and transa)tion data and run )on)urrent pro(rams or multiple +peratin(Units &ithout ha%in( to s&it)h the responsibilit" =@)ept in a e& )aseB all 3ulti-+r( enabled setup andtransa)tion orms &ill ha%e +peratin( Unit ield" Users &ill be able to sele)t the +peratin( Unit roma list o %alues assi(ned to the user %ia the se)urit proile and responsibilit

'a(e of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 6: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 6/69

R e s p o n s i - i l i t y

S c r e e n

. . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . .

O U 1

S e t u p D a t a

T r a n s a c t i o n D a t a

/ o n c u r r e n t P r o g r a ! s

O U 2

S e t u p D a t a

T r a n s a c t i o n D a t a/ o n c u r r e n t P r o g r a ! s

O U 3

S e t u p D a t a

T r a n s a c t i o n D a t a

/ o n c u r r e n t P r o g r a ! s

Fi#ure 2 * )elect 'peratin# (nit $rocess Flo%

'a(e 6 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 7: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 7/69

2. Business Needs

2.1 Bac+#round

3ulti-+r( +peratin( Unit a))ess is intended to &or similarl to other inds o or(ani,ation se)uritimplemented in the =-;usiness #uite" For this reasonB it is helpul to understand ho& the %arious tpeso or(ani,ation se)urit &or in the appli)ations"

2.1.1 'r#ani,ation )ecurit '-er-ie%

6hen ou deine an or(ani,ationB ou must irst indi)ate the or(ani,ation tpe o either internal ore@ternalB and then assi(n multiple or(ani,ation )lassii)ations to that or(ani,ation" 4here e@ists no%alidation bet&een or(ani,ation )lassii)ationG and a tpe o Ginternal or e@ternalH" ;elo& is a list o allinternal or(ani,ation tpes and the produ)ts usin( them:

'r#ani,ation Classi&ication (sed B

AA' +r(ani,ation uman $esour)esAsset +r(ani,ation Fi@ed Assets;usiness >roup uman $esour)esCorporate eadIuarters uman $esour)es

C$' +r(ani,ation 3anua)turin(>$=<Le(al =ntit $B A'B A$B et)"$ +r(ani,ation uman $esour)es9n%entor +r( 3anua)turin(

3$' +r(ani,ation 3anua)turin(+peratin( Unit A'B A$B C=B '+B +=B 'AB C$3'roje)t =@penditure<=%ent +r(ani,ation 'roje)ts

'roje)t 9n%oi)e Colle)tion +r(ani,ation 'roje)ts'roje)t 3anua)turin( +r(ani,ation 'roje)ts'roje)t 4as +&nin( +r(ani,ation 'roje)ts$eportin( =stablishment uman $esour)es

69' +r(ani,ation 3anua)turin(

Tale 1*'r#ani,ation Classi&ications

'a(e 0 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 8: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 8/69

3. Functional Feature Descriptions

3.1 "ccess Control * Foundations

4he 3ulti-+r( A))ess Control eature enables users to a))ess to one or more +peratin( Units &ithin oneuser responsibilit" A le@ible se)urit proile &ill be implemented &ith a ne& proile option 3+:#e)urit 'roile to )ontrol a))ess or one responsibilit to multiple +peratin( Units" 4his se)urit proile &ill permit a))ess to oneB multiple or all 3ulti-+r( +peratin( Units in the sstem" 4he ne&se)urit proile &ill be )reated throu(h the e@istin( $ #e)urit 'roile &indo&

4he uman $esour)es produ)t team )urrentl maintains both the +r(ani,ation ierar)h and #e)urit'roile orms" 4he #e)urit 'roile orm needs to be enhan)ed to support the additional +peratin( Unita))ess eatures"

3.1.1 De&inin# )ecurit ased on /ierarch or a 0ist o& 'peratin# (nits

Users &ant to base se)urit on an or(ani,ation hierar)h or a list o or(ani,ations" 4he ollo&in(dia(ram sho&s a hpotheti)al enterprise stru)tures:

Fi#ure 3 * 'r#ani,ation )tructures

4his is a simple enterprise stru)ture" 4here is no hierar)hi)al stru)ture o or(ani,ationsB sin)e the led(eris not )onsidered an or(ani,ation in the subled(ers" 9n this )aseB the user &ill &ant to (ain a))ess to+U1B +U2B or +U1 J +U2B all o &hi)h are lists o or(ani,ationsB and not based on a hierar)h" AlsoB auser mi(ht ha%e a simple hierar)hi)al stru)ture &ith a e& numbers o or(ani,ations" A user )an still base the se)urit on a list o or(ani,ations b sele)tin( all parent and subordinate +peratin( Units in thelist" For se)urit proiles based on hierar)hiesB the user must )omplete set up #tep 1 - Deine+r(ani,ation ierar)h"

'a(e 8 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 9: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 9/69

Fi#ure 4 * )ecurit $ro&ile For

3.1.4 $rocess Flo%

4he ollo&in( pro)ess lo& lists the steps to implement +peratin( Unit se)urit" 4his pro)ess lo&applies to all o the )ases listed abo%e"

'a(e of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 10: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 10/69

S T E P 3

S e t O # S e c u r i t yP r o f i l e

S T E P 1

D e f i n e

O r g a n i z a t io n

H i e r a r c h y

D e f in e O p e r a t i n g

U n i t s

$ s t h e r e a n

  O U h i e r a r c h i c a l

s t r u c t u r e %

S T E P 2

D e f i n e S e c u r it y

P r o f i l e & R u n

S e c u r i t y L i s t

a i n t e n a n c e

P r o g r a !

S T E P 4

S e t U s e r D e f a u l t


S T E P 5R u n ( c c e s s

) a l i* a t io n R e p o r t

+ e s

, o

Fi#ure 5 * 'peratin# (nit )ecurit $rocess Flo%

3.1.5 "ssi#n ' )ecurit $ro&ile to "pplication esponsiilit

4he last step is to assi(n a se)urit proile to user responsibilit %ia #stem 'roile !alues &indo&"

'a(e 1) of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 11: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 11/69

Fi#ure ! * "ssi#nent o& )ecurit $ro&ile

3.2 )peci&ications to 'racle Fors

3.2.1 )elect 'peratin# (nit For )etup and Transaction Fors

#ele)tin( an +peratin( Unit or setup data and transa)tions pro%ides the abilit to users to entertransa)tions and Iuer data or multiple +peratin( Units &ith one responsibilit and rom &ithin ones)reen" 4he +peratin( Unit &ill be added as a ield on all produ)t orms &ith &hi)h users Iuer orupdate 3ulti-+r(-striped data" 4his in)ludes all transa)tions and setup data that are +peratin( Unitspe)ii)" #etup orms not ae)ted are those throu(h &hi)h users a))ess (lobal dataB su)h as A' pamenttermsB A' )alendars and A$ re)eipt )lasses"

Addin( the +peratin( Unit to all 3ulti-+r( orms &ill assure that the user &ill onl need oneresponsibilit or both transa)tion and setup data or the +peratin( Units that a user has a))ess" 9t has been )onsidered to not pro%ide this eature or setup dataB sin)e the %olume and<or reIuen) o addin(or updatin( setup data )an be small" 9 &e did not pro%ide this eatureB ho&e%erB the user &ould beor)ed to )reate additional responsibilities solel or setup dataB &hi)h &ould deeat a main obje)ti%e ode)reasin( the o%erall number o responsibilities"

4he user &ill enter the setup and transa)tion ormsB sele)t the +peratin( Unit in the irst ieldB and thenenter the data or the spe)ii) +peratin( Unit" 4he list o %alues or the +peratin( Unit ield &ill berestri)ted to the +peratin( Unit or(ani,ations to &hi)h the userGs appli)ation responsibilit has a))ess"

4here e@ist se%eral beneits o pro%idin( the +peratin( Unit ield on 3ulti-+r( setup and transa)tions)reens"

• A user )an Iuer setup and transa)tion data or all the +peratin( Units to &hi)h the user has a))ess"

4he user does not need to no& the +peratin( Unit b &hi)h data mi(ht be partitioned"

• A user )an mae use o the dupli)ate re)ord eature in orms 7rom the =dit menu &here appli)ableB

to )op data rom one +peratin( Unit to another"

• A user &ill be able to easil tell &hether or not setup data is 3ulti-+r( partitioned or not" 9 dataa))essed throu(h a parti)ular setup s)reen is not or( stripedB then the +peratin( Unit ield &ill notappear in the s)reen" CurrentlB the user must reer to the produ)t userGs (uide or na%i(ate bet&een+peratin( Units to see i the setup data are the same or all +peratin( Units 7(lobal or +peratin(Unit spe)ii)"

'a(e 11 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 12: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 12/69 For 'peratin# (nit Field In Fors

General recoendations

• 4he +peratin( Unit ield should be pla)ed in the top let )orner o the orm

• >lobal data )an be entered beore the +peratin( Unit" +peratin( Unit spe)ii) data should beentered ater the +peratin( Unit is sele)ted

• 9 user responsibilit allo&s a))ess to one +peratin( Unit onlB then %alue or the +peratin( Unitield and its dependent attributes should be deaulted

'la)ement o the +peratin( Unit ield on the &indo& is dependent on the tpe o &indo&" Child&indo&s must displa the +peratin( Unit name onl in the &indo& title bar in the )onte@t o a sa%ed parent re)ord"

6hen determinin( &hether to pla)e the +peratin( Unit on the s)reensB ou should )onsider %arious tpeso orms" 4here are t&o (eneral orm models in the appli)ations: sin(le re)ord and multi-re)ord ormat"#in(le re)ord ormats allo& the ma@imum number o ields or a sin(le re)ord to be displaed at onetime" 3ulti-re)ord ormats allo& the ma@imum number o re)ords or a sin(le database entit to bedisplaed at one time"

4he ollo&in( e@amples illustrate the dierent s)enarios:

Case 1 )in#le ecord Forat**asterDetail records displaed in a sin#le %indo%

An e@ample is the 'aables Distribution #ets ormB &hi)h allo&s entr and displa o all the attributes othe distribution set in a sin(le &indo&" 4he +peratin( Unit ield should be displaed in the master blo)" 9 the detail re)ords )an be entered onl in the same +peratin( Unit as the master re)ordB thenBthe +peratin( Unit ield need not be displaed in the detail blo)"

'a(e 12 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 13: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 13/69

Fi#ure 7 * )in#le record &orat e6aple $aales Distriution )ets

Case 2 )in#le ecord Forat**asterDetail records displaed in ultiple %indo%s

An e@ample o this tpe is the $e)ei%ables 4ransa)tion &orben)h ormB &hi)h allo&s a transa)tion to be entered in multiple &indo&s - 4ransa)tion header and DistributionsB LinesB et)" )hild &indo&s" 4he+peratin( Unit ield should be displaed in the master &indo&" 9 the detail re)ords )an be entered onlin the same +peratin( Unit as the master re)ordB thenB the +peratin( Unit ield need not be displaed inthe )hild &indo&s" 9nsteadB the +peratin( Unit name should appear in ea)h o the )hild &indo&s"

'a(e 1- of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 14: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 14/69

Fi#ure 8 * )in#le record &orat %ith tas e6aple ecei-ales Transaction or+ench

'a(e 1. of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 15: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 15/69

Fi#ure * Child %indo%s e6aple ecei-ales Distriutions

Case 3 )in#le ecord Forat %ith Ta re#ions

#in(le re)ord ormats oten use tab re(ions to displa all re)ord attributes &ithin a sin(le &indo&" An

e@ample is the 'aables Finan)ials +ptions orm" 4he +peratin( Unit ield should be displaed abo%ethe tab re(ionB so that the ield is %isible rom all tab pa(es"

Fi#ure 19 * )in#le record &orat e6aple %ith ta re#ions $aales Financials 'ptions

Case 4 ulti*ecord Forat %ith ultiple child %indo%s

An e@ample is the $e)ei%ables 4ransa)tion #ummar orm &hi)h presents multiple ro&s o headerre)ords and buttons to na%i(ate to detail &indo&s )ontainin( additional attributes o the re)ord" 4he+peratin( Unit ield should be displaed in the master &indo&" 9 the detail re)ords )an be entered onlin the same +peratin( Unit as the master re)ordB thenB the +peratin( Unit ield need not be displaed inthe )hild &indo&s" 9nsteadB the +peratin( Unit name should appear in ea)h o the )hild &indo&s"

'a(e 1 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 16: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 16/69

Fi#ure 11 * ulti*record :)uar: tpe e6aple ecei-ales Transaction )uar

Case 5 Find indo%s

4he Find &indo& in an o the orm - setup or transa)tion that displas the +peratin( Unit ieldB shouldin)lude +peratin( Unit ield in the Find dialo(ue &indo&" 4his enables eas data entr and Iuerin()apabilities b +peratin( Unit"

Fi#ure 12 * Find %indo%

3.2.3 'peratin# (nit De&ault

4o better a)ilitate data entrB a user )an optionall set up a deault +peratin( Unit %alue" A ne& proileoptionB 3+: Deault +peratin( UnitB is used to deine deaultin( +peratin( UnitB and it )an be set at$esponsibilit and User le%els" 4he +peratin( Unit user deines in this proile option must be a %alid

'a(e 16 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 17: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 17/69

%alue &ithin his se)urit proile or deaultin(" 4his eature is useul &hen user needs to transa)t inmultiple +peratin( UnitsB but majorit o time he transa)ts in one +peratin( Unit"

AlsoB an +peratin( Unit %alue is deaulted &hen userGs se)urit proile )ontains a))ess to one +peratin(Unit onl" 4his eliminates user to e@pli)itl deine +peratin( Unit &hen he )an onl a))ess to oneor(ani,ation"

3.4 eportin#

$eports that are impa)ted b 3ulti-+r( A))ess Control eature )an be )lassiied into 2 broad )ate(ories

1" #in(le +r( $eports

2" Cross +r( $eports

3.4.1 )in#le 'r# eports

#in(le +r( reports are the reports that displa data or one +peratin( Unit onl" 4oda 73ulti-+r( usin(CL9=4?9F+ these reports sho& data or the +peratin( Unit spe)iied b 3+: +peratin( UnitE proile option" 6ith 3ulti-+r( A))ess ControlB a responsibilit )ould ha%e a))ess to one or more+peratin( Units" =%en &ith openin( up a))essB the business reIuirement is that these reports should)ontinue to report data or one +peratin( Unit onl at a time" 4his implies that the user needs the abilitto sele)t an +peratin( Unit and submit the report" For e@ampleB i the proile option 3+: #e)urit

'roileE (i%es a))ess to / +peratin( UnitsB the user should ha%e the abilit to )hoose one +peratin( Unitrom the a%ailable three and submit the report"

9 the user has a))ess to onl one +peratin( UnitB then that %alue should be deaulted or +peratin( Unit"9 user has a))ess to multiple +peratin( UnitsB then deaultin( should happen i the proile 3+: Deault+peratin( UnitE is set and is %alid"

3.4.2 Cross 'r# eports

Cross +r( $eports introdu)ed in $elease 11iB are reports that report data or one or multiple +peratin(Units" 4he Cross +r( report e@e)utables and %aluesets use the unse)ured 3ulti-+r( tables" CurrentlBthere are t&o parameters $eportin( Le%el and $eportin( Conte@t to determine at &hat le%el a user )ansubmit a report or 7sin(le +peratin( UnitB or all +peratin( Units under a Le(al =ntitB or all +peratin(Units under a #et o ;oos" 4he %aluesets or these parameters &ill be modiied or 3+AC proje)t totae 3+: #e)urit 'roileE proile option into )onsideration" Also Led(ers &ill repla)e #et o ;oos orthe $eportin( Le%el as part o Led(er uptae"

Althou(h there is no un)tional impa)t to Cross +r( reports b 3ulti-+r( A))ess Control eatureB aminor se)urit enhan)ement is made" #e)urit enhan)ement &ill list %alid %alues or $eportin( Le%eland $eportin( Conte@t based on se)urit a))ess pri%ile(e" 4his is a )han(e rom toda &here proile3+: +peratin( UnitE is )onsidered or se)urit and not 3+: #e)urit 'roileE proile"

A user &ill be able to report at the Led(er le%el onl i all the +peratin( Units under the )urrent led(erare en)ompassed b the se)urit proile and the %alue o 3+: 4op $eportin( Le%elE proile is Led(er"

A user &ill be able to report at the Le(al =ntit le%el onl i all the +peratin( Units under at least 1 le(alentit are en)ompassed b the se)urit proile and the %alue o 3+: 4op $eportin( Le%elE proile isLe(al =ntit or Led(er" 4he a%ailable reportin( )onte@ts are the Le(al =ntities that ha%e the +peratin(Units en)ompassed b the )urrent se)urit proile"

A user &ill al&as be able to report at the +peratin( Unit le%el" 4he a%ailable reportin( )onte@ts are the+peratin( Units that are en)ompassed b the )urrent se)urit proile"

At submission timeB &hen Cross +r( reports are sele)tedB the temporar table is initiali,ed &ith one ormultiple +peratin( Units based on 3+: #e)urit 'roileE proile option" 4he temporar table )ontrolsthe data the users sees or the $eportin( Le%el and $eportin( Conte@t parameters" For this spe)ial pro)essin( o 3ulti-+r( initiali,ationB Cross-+r( reports need to be la((ed as 3UL49'L= in the DeineCon)urrent 'ro(rams orm or the +peratin( Unit mode"

'a(e 10 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 18: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 18/69

3.4.3 De&ine Concurrent $ro#ras indo%

4he Deine Con)urrent 'ro(rams orm is modiied to in)lude a ne& ield +peratin( UnitmodeE that &ould allo& users to )ate(ori,e the )on)urrent pro(rams or 3ulti-+r( A))essControl eature uptae" 4he )on)urrent pro(rams )an be )ate(ori,ed into #9>L=B 3UL49'L=or ULL" ; deault the %alue o this ne& ield is ULL or blan" A poplist allo&s users to)han(e the %alue" 4he )on)urrent pro(ram )ate(or is used to e@e)ute the 3ulti-+r(initiali,ation and also determine &hen to e@pose +peratin( Unit ield in the #ubmit $eIuests&indo& and #)hedule $eIuests &indo&"

3.5 Concurrent $ro#ras ;others than reports<

Con)urrent 'ro(rams that are ae)ted b 3ulti-+r( A))ess Control are )lassiied into 2 broad)ate(ories:

1" #in(le +r( Con)urrent 'ro(rams

2" Con)urrent 'ro(rams that run or the #e)urit 'roile

3.5.1 )in#le 'r# Concurrent $ro#ras

#in(le +r( )on)urrent pro(rams are non-report pro(rams that report or pro)ess data or one +peratin(Unit onl" 4oda 73ulti-+r( usin( CL9=4 these pro(rams sho& data or the +peratin( Unit spe)iied b 3+: +peratin( UnitE proile option" 6ith 3ulti-+r( A))ess ControlB a responsibilit )ould ha%ea))ess to one or more +peratin( Units" =%en &ith openin( up a))essB the business reIuirement is thatthese )on)urrent pro(rams should )ontinue to report or pro)ess data or one +peratin( Unit onl at atime" 4his implies that the user needs the abilit to sele)t an +peratin( Unit and submit the pro(ram"

4hese pro(rams are treated in the same &a as the #in(le +r( $eports and should be la((ed as #9>L=)ate(or or +peratin( Unit mode in the Deine Con)urrent 'ro(rams &indo&"

#pe)ial pro)essin( is done or these pro(rams in the #$# &indo& and the #)hedule $eIuests pa(es toinitiali,e the temporar table and e@pose +peratin( Unit spe)ial parameter"

3.5.2 ultiple 'r# Concurrent $ro#ras

4hese are )on)urrent pro(rams that pro)ess or report data or one or multiple +peratin( Unitsspe)iied b 3+: #e)urit 'roileE proile option" #u)h pro(rams should e@pose +peratin(Unit as an optional parameter" User sele)ts an +peratin( Unit and submits the pro(ram orlea%es it blan" 9 the parameter is let blanB the )on)urrent pro(ram should pro)ess or reportdata or the +peratin( Units spe)iied b 3+: #e)urit 'roileE"

Fi(ure belo& sho&s #$# s)reen &ith the +peratin( Unit parameter added or the 'aables +pen9ntera)e 9mport pro(ram" Users ma )hoose to enter a %alue or the +peratin( Unit ield and thussubmit the reIuest or onl the spe)iied or(ani,ationB or the ma lea%e the ield blan and pro)essin%oi)es or all the +peratin( Units &ithin the )urrent se)urit proile"

'a(e 18 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 19: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 19/69

Fi#ure 13 * )uission screen &or the $aales 'pen Inter&ace Iport concurrent pro#ra.

3ultiple +r( Con)urrent pro(rams reIuire that the 3ulti-+r( temporar table be populated&ith one or multiple +peratin( Units dependin( upon the proile option 3+: #e)urit 'roileE"

4hese pro(rams should be la((ed as 3UL49'L= or +peratin( Unit mode in the DeineCon)urrent 'ro(rams so that the 3ulti-+r( temporar table is initiali,ed &hen the user sele)tsthe pro(ram"

4he e@e)utables or su)h )on)urrent pro(rams should be modiied to utili,e the +peratin( Unit parameter to a%oid Cartesian joins and pro)ess or report data )orre)tl or the spe)iied+peratin( Units"

 o spe)ial pro)essin( is done or su)h )on)urrent pro(rams at runtimeB sin)e the e@e)utables aremodiied to handle multiple +peratin( Units a))ess" 4he 3ulti-+r( initiali,ation populates thetemporar table &ith one or multiple +peratin( Units based on the a))ess enabled status o the produ)to&nin( the )on)urrent pro(ram at runtime"

3.! "$Is

'ubli) A'9s that are ae)ted b 3ulti-+r( A))ess Control should a))ept +peratin( Unit as input eitheras parameter or b deaultin( rom 3+: Deault +peratin( UnitE proile option similar to the Forms U9or the Frame&or 'a(es" 'rior to 3ulti-+r( A))ess ControlB the A'9s pro)ess data or one +peratin(Unit onl )ontrolled b 3+: +peratin( UnitE proile"

• 6ith 3ulti-+r( A))ess ControlB the pro)essin( should %alidate that +peratin( Unit is passed as

input and it is %alid 7in)luded &ithin the user responsibilit proile 3+: #e)urit 'roileE" 9a user is trin( to pro)ess data or an +peratin( Unit that 7she does not ha%e a))ess toB )riti)alerror should be raised and urther pro)essin( stopped"

3.7 or+&lo%s

6orlo&s that are ae)ted b 3ulti-+r( A))ess Control should allo& users to initiate the pro)ess or

an +peratin( Unit that 7she has a))ess to &ithout ha%in( to s&it)h responsibilit" AlsoB &orlo&administrators should be able to perorm administrati%e tass lie Abort 'ro)ess or =@pedite 'ro)essirrespe)ti%e o the a))ess to the +peratin( Unit the &orlo& is initiated or"

6orlo&s submitted rom U9 pa(esB &ould ha%e the +peratin( Unit %alidated upstreamB sin)e the L+!&ould allo& users to pi) an +peratin( Unit that 7she has a))ess to" #imilarlB &orlo&s submitted&ithin 'ubli) A'9s &ould ha%e the +peratin( Unit %alidated beore the &orlo& pro)ess is initiated"4he +peratin( Unit 7+$>?9D should be )aptured as part o the a)ti%it to be pro)essed and should beused to set the 3ulti-+r( !'D poli) )onte@t" For e@ampleB the +$>?9D o the item es lie Credit3emo $eIuest 9dB =@pense $eport eader 9d et)" 4he proile options 3+: Deault +peratin( UnitEB3+: #e)urit 'roileE or 3+: +peratin( UnitE should not be relied upon or &orlo&sB sin)e the

'a(e 1 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 20: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 20/69

+peratin( Unit o the transa)tion )ould be dierent rom the +peratin( Unit7s responsibilit (i%esa))ess to"


'a(e 2) of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 21: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 21/69

4. Technical Feature Descriptions

• 4his se)tion pro%ides de%elopers inormation ne)essar to implement 3ulti-+r( A))ess Control

eature" Appli)ation de%elopers must )areull stud these te)hni)al (uidelinesB and implementthe a))ess )ontrol eature a))ordin( to the (uideline"

4.1 "ccess Control "rchitecture

4.1.1 Bac+#round

3ultiple +r(ani,ation Ar)hite)ture &as irst introdu)ed in $elease 10"B or data se)urit b +peratin(Unit" 9n $elease 10".B &e added a )olumnB +$>?9DB to ea)h base table that reIuires Epartit ionin(E b+peratin( Units" All the tables that are partitioned are renamed &ith sui@B ?ALLHB and their)orrespondin( se)ured %ie&s are )reated in A''# s)hema" 4he dia(ram (i%en belo& sho&s the sin(leor(ani,ation %ie& in the appli)ations 7A''# s)hema"

Fi#ure 14 * Dataase )chea

3ulti-+r( %ie&s restri)t data a))ess b ilterin( re)ords or a sin(le +peratin( Unit set b appli)ationresponsibilit le%el proileB 3+: +peratin( UnitE"E 4he %alue or the proile option is )a)hed inAppli)ation Conte@tB and is initiali,ed &hene%er FD initiali,ation routine is )alled" All 3ulti-+r(

%ie&s as &ell as an #L statements that reIuire 3ulti-+r( se)urit )ontains FD CL9=4?9F+ predi)ate" FD?CL9=4?9F+ un)tion retrie%es +$>?9D %alue stored in the appli)ation )onte@t" 4he%alue is %alid durin( a session unless it is e@pli)itl )han(ed b pro)edure )alls"

4o retrie%e all inormation re(ardless o the +peratin( UnitB the ?ALL table should be used in the #Lstatement" Cross-+r(ani,ation reports are (ood e@ample in &hi)h the Iuer statements are perormeda(ainst ?ALL tables rather than 3ulti-+r( se)ured %ie&s" 3ost +ra)le Finan)ials reports (enerateoutputs rom a sin(le +peratin( UnitB and the Iuer statements are perormed a(ainst 3ulti-+r( %ie&s"9n order to in)rease le@ibilit and perorman)e in 3ulti-+r( en%ironment &hile pro%idin( the samele%el data se)uritB !irtual 'ri%ate Database 7!'D eature introdu)ed in +ra)le 8i $D;3# &ill repla)eusa(e o CL9=4?9F+ un)tion in 3ulti-+r( A))ess Control"

4.1.2 =irtual $ri-ate Dataase ;=$D<

4he !irtual 'ri%ate Database eature allo&s de%elopers to enor)e se)urit b atta)hin( a se)urit poli)to tables and %ie&s in +ra)le8iB and to snonms in +ra)le i $elease2" 9t atta)hes predi)ates or these)urit poli)ies to e%er #L statement a(ainst the database obje)ts &here poli)ies are applied" 6hen auser dire)tl or indire)tl a))esses a table &ith a se)urit poli)B the $D;3# dnami)all re&rites userHs#L statement to in)lude )onditions set b se)urit poli) transparentl to the user" 4he )onditions )an be e@pressed inB or returned b a un)tion"

"ccess to sin#le 'peratin# (nit

'a(e 21 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 22: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 22/69

APPS Schema

AP!N"#!$ESA%% 0synony! to the

 (P$,)O$/ES(LL ta-le

AP!N"#!$ES 0synony! ith the

security policy attache* that gi4es

access to OR5$D61

AP Schema

AP!N"#!$ESA%% ta-le

OR5$D $,)O$/E$D

1 1&&&

1 1&&1

1 1&&2

2 1773

2 177"

Fi#ure 15 * Dataase )chea

"ccess to ultiple 'peratin# (nits

APPS Schema

AP!N"#!$ESA%% 0synony! to the

 (P$,)O$/ES(LL ta-le

AP!N"#!$ES 0synony! ith the

security policy attache* that gi4es

access to OR5$D 1 an* 2

AP Schema

AP!N"#!$ESA%% ta-le

OR5$D $,)O$/E$D

1 1&&&

1 1&&1

1 1&&2

2 1&&32 1&&4

Fi#ure 1! * Dataase )chea

4.1.3 ulti*'r# )ecurit $olic $redicate

4he sin(le or(ani,ation %ie&s that ha%e the CL9=4?9F+ predi)ate atta)hed to them should be madeobsolete and snonms should be )reated to repla)e them" A se)urit poli) un)tion should be atta)hedto the 3ulti-+r( snonms durin( install time" 4he se)urit is in pla)eB no matter &hate%er tools is usedto a))ess the se)ured snonms"

4he se)urit poli) un)tion returns dierent predi)ate based on the number o +peratin( Units a))ess"An appli)ation )onte@t attribute ACC=##?3+D=E is set based on the +peratin( Units a))ess" 4he poli) un)tion is dnami)B as it is reparsedB &hene%er a #L statement is e@e)uted" 4he reason to optor dnami) se)urit poli) un)tion is to minimi,e the )odin( impa)t" 4he 3ulti-+r( )ode toda &orsin the )onte@t o one +peratin( Unit" 3ajorit o the )ode )an be reused i the poli) predi)ate )an)han(e dnami)all" For e@ampleB ou open a orm rom a responsibilit that has a))ess to multiple+peratin( Units" Ater an +peratin( Unit is sele)tedB the +peratin( Unit )onte@t is established and the)ode that is used or %alidation rom that point on&ards need not be modiied i the snonms returndata or the +peratin( Unit sele)ted"

6hen the a))ess?mode is 3ultiple 73B the poli) predi)ate issues an =9#4# sub-Iuer a(ainst a(lobal temporar table" 4he (lobal temporar table is a ne& eature introdu)ed in +ra)le 8i" 9t allo&s

table to store and manipulate data spe)ii) to a #=##9+ or 4$A#AC49+" 6hen the a))ess?modeis #in(leB a simple eIualit predi)ate is used or perorman)e reasonsB sin)e it is )ost ee)ti%e )omparedto usin( the temporar table" An a))ess mode o All 7A is in)orporated or uture purposes &here these)urit is bpassed or un)tionalities that need ull table a))ess" 9 the a))ess?mode is not setB then asimple predi)ate that uses the CL9=4?9F+ %alue or +$>?9D is used or the poli) predi)ate" 4his isto support the ba)&ard )ompatibilit or produ)tsB &hi)h ha%e not enabled the 3ulti-+r( A))essControl eatureB but ha%e made the datamodel )han(es"

3+?>L+;AL"+r(?#e)urit un)tion:

FUNCTION org_security(obj_schema VARCHAR2,


'a(e 22 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 23: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 23/69


  --  -- Returns different predicates based on the access_mode

  -- The codes for access_mode are

  -- M - Multiple OU Access  -- A - All OU Access

  -- S - Single OU Access  -- Null - Backward Compatibility - CLIENT_INFO case


  IF g_access_mode IS NOT NULL THEN  IF g_access_mode = 'M' THEN

  RETURN 'EXISTS (SELECT 1  FROM mo_glob_org_access_tmp oa

  WHERE oa.organization_id = org_id)';  ELSIF g_access_mode = 'A' THEN -- for future use


  ELSIF g_access_mode = 'S' THEN  RETURN 'org_id =

sys_context(''multi_org2'',''current_org_id'')';  END IF;


  RETURN 'org_id = substrb(userenv(''CLIENT_INFO''),1,10)';  END IF;

END org_security;

4he simple predi)ate usin( CL9=4?9F+ is used or these )ases:

• a))ess is not enabled meanin( or ba)&ard )ompatibilit" 3ulti-+r( A))ess

Control is not enabled or all produ)ts at one time" 4here are 3ulti-+r( %ie&s thatare shared bet&een produ)ts that are at dierent le%els" For e@ampleB 'aablesopens up a))ess and 'ur)hasin( does not" 4he %ie&s that A' shared &ith '+7'+?!=D+$?#94=#B '+?=AD=$#B et) ha%e to be repla)ed b '+ to se)uredsnonms" 4he se)ured snonms should )ontinue to &or as toda or '+B sin)etheir )ode is not modiied and '+ )ode relies on CL9=4?9F+"

4he simple predi)ate usin( )urrent?or(?id is used or these )ases:

• a))ess is enabledB but limited to onl +peratin( Unit" For e@ampleB 3+: #e)urit'roile (i%es a))ess to onl one +peratin( Unit or it is not setB in &hi)h )aseB the

a))ess is based on 3+: +peratin( UnitE" 4he a))ess?mode is set to G#G or this)ase"

• a))ess is enabled and se)urit proile (i%es a))ess to multiple +peratin( UnitsB but&ithin the s)ope o a transa)tionB sin)e +peratin( Unit is determinedB a simple predi)ate &ould eliminate additional )han(es to the ser%er and )lient side )ode" 4hea))ess mode is set to G#G or this )ase"

4he reason 2 simple predi)ates are used one &ith a))ess?mode M G#G and the other &ith ull is toeliminate the need to set the )urrent?or(?id or ba)&ard )ompatibilit" 9 &e )ombine the t&o predi)ates into oneB &e need to either set the )urrent?or(?id alon( &ith CL9=4?9F+B or useCL9=4?9F+ as all ba) or )urrent?or(?id"

4he )omple@ predi)ate is used or these )ases:

• a))ess is enabled and the se)urit proile (i%es a))ess to multiple +peratin( Units and

the broader a))ess is needed or Iuerin( dataB deri%e +peratin( Unit eature and)onsolidated transa)tions &here the s)ope o the transa)tion e@tends to multiple+peratin( Units" 4he a))ess mode is set to G3G or this )ase"

For e@ampleB an sele)t statement on $A?CU#4+3=$?4$ 7snonm to &hi)h the se)urit poli) isatta)hed &ill be dnami)all modiied to mae use o the poli) predi)ate"

A simple Iuer b the user:

SELECT trx_number from ra_customer_trx

'a(e 2- of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 24: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 24/69

  &ill be modiied at runtime i the responsibilit has a))ess to multiple +peratin( Units as:

SELECT trx_number from ra_customer_trx


  FROM mo_glob_org_access_tmp oa  WHERE oa.organization_id = org_id))

or &ill be modiied at runtime i the responsibilit has a))ess to one +peratin( Unit &ith a))ess )ontrolenabled or the module as:

SELECT trx_number from ra_customer_trx ORG_ID = sys_context('multi_org2','current_org_id')

4.1.4 ulti*'r# Initiali,ation

3ulti-+r( A))ess Control eature is de%eloped and deli%ered in phases b inan)ials produ)ts irstollo&ed b other produ)ts" 4he 3ulti-+r( (lobal temporar table is populated based on either 3+:#e)urit 'roileE or 3+: +peratin( UnitE proile option" 4he proile option 3+: #e)urit 'roileEtaes pre)eden)e o%er 3+: +peratin( UnitE" Until A))ess Control is turned on or a produ)tB the proile option 3+: #e)urit 'roileE is i(nored and onl 3+: +peratin( UnitE is honored"

'rodu)ts at dierent le%elsB a))ess )ontrol enabled and not enabled 7in transition )an be )ombinedto(ether under one appli)ation menu" Under su)h )aseB the 3ulti-+r( initiali,ation should be based onthe appli)ation o the )allin( module and not based on the appli)ation tied to the responsibilitB sin)e the proile +ption 3+: #e)urit 'roileE should be i(nored or produ)ts &ho ha%e not enabled a))ess or inthe transition phase"

A ne& table 73+?'$+DUC4?994 is introdu)ed or produ)t teams to re(ister their appli)ation aterthe ha%e opened up a))ess or their produ)t" An entr in this table indi)ates that the produ)t is 3ulti-+r( A))ess Control enabled" 4he 3ulti-+r( initiali,ation A'9 maes use o the module o&ner )allin(the initiali,ation to initiali,e the temporar table appropriatel &ith one or multiple +peratin( Unitsdependin( upon the produ)t status"

$roduct teas ust seed an entr in the ulti*'r# tale %hen the are read to turn on ulti*'r# "ccess Control &or their product.

Tale FND>'>$'D(CT>INIT

6hen 'aables 7C$ opens up a))essB the must seed a ro& in the 3ulti-+r( table to indi)ate thata))ess is turned on" C$3 oundation 7N4F has 3ulti-+r( A))ess Control turned on alread"




A loader ile must be deli%ered to the )ustomer to populate this inormation at the site" 'lease )onta)t#hared #er%i)es team or the loader ile" A loader )oni(uration ile amoinit"l)t is a%ailable ore@tra)tin( the loader ile"

9nitiall the plan &as to use re(ister 3ulti-+r( initiali,ation in A+L Callout tables" #in)e the A+LCallout routines use the appli)ation tied to the responsibilit or initiali,ationB the module inormationstored in the !O#=##9+ &as planned to be used in the 3ulti-+r( initiali,ation" o&e%er there are)ertain limitations &ith this approa)h:

1" 9nabilit to identi the module o&ner 

'a(e 2. of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 25: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 25/69

3odule inormation is not (uaranteed to be set or all modulesB espe)iall #el #er%i)eAppli)ationsB &here there is no stron( tie bet&een un)tions and pa(es"

2" A+L Callout is not reentrant

A+L 9nitiali,ation &ill be e@e)uted onl &hen there is a responsibilit )han(e 7%alidate#essionroutine is optimi,ed to e@e)ute onl under a )onte@t )han(e" 6hen a))essin( dierent pa(esrom &ithin the same responsibilitB the pa(es belon(in( to dierent appli)ations 7a))ess enabledand not enabledB the initiali,ation is done one &a &hi)h does not &or &hen na%i(atin( rom a pa(e that is not enabled a))ess to a pa(e that is enabled or %i)e %ersa"

Due to the abo%e reasonsB 3ulti-+r( initiali,ation &ill not be re(istered in the A+L Callout tablesanmore" 9nsteadB it &ill be e@e)uted onl &hen )alled e@pli)itl b the produ)ts"

$roducts should call '>G0'B"0.init;< "$I to e6ecute the ulti*'r# initiali,ation.

3ulti-+r( initiali,ation perorms t&o thin(s:

1" 9nitiali,es the se)urit poli) predi)ate

2" 'opulates a (lobal temporar table used in the U9s and the se)urit poli) un)tion"

Fun)tions are a%ailable to a))ess data rom the temporar table" Pou should not a))ess the (lobal

temporar table dire)tl in their )ode" Pou should use the 'L<#L un)tions instead"

'seudo Code or 3+ 9nitiali,ation un)tion is (i%en belo&:

'>G0'B"0.Init $rocedure

PROCEDURE init(p_appl_short_name VARCHAR2)

IS  l_security_profile_id

fnd_profile_option_values.profile_option_value%TYPE := NULL;  l_org_id

fnd_profile_option_values.profile_option_value%TYPE := NULL;


BEGIN  IF is_multi_org_enabled = 'Y' THEN

  IF p_appl_short_name IS NULL THEN  RAISE NO_APPL_NAME; -- Seed a new mesg ???


  --  -- Get the profile values and call set_org_access API

  --  fnd_profile.get('XLA_MO_SECURITY_PROFILE_LEVEL',


fnd_profile.get('ORG_ID', l_org_id);  set_org_access(l_org_id,



  END IF; -- Multi-Org is enabledEXCEPTION

  …END init;

'>G0'B"0.)et>'r#>"ccess $rocedure

'a(e 2 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 26: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 26/69

4his A'9 )an be )alled to e@e)ute 3ulti-+r( initiali,ation outside o Appli)ations" For e@ampleB toe@e)ute 3ulti-+r( initiali,ation rom tools lie #LQ'lusB 4+AD et)"

PROCEDURE set_org_access(p_org_id_char VARCHAR2,  p_sp_id_char VARCHAR2,

  p_appl_short_name VARCHAR2)IS


  l_access_ctrl_enabled VARCHAR2(1);  l_security_profile_id

fnd_profile_option_values.profile_option_value%TYPE := p_sp_id_char;

  l_org_idfnd_profile_option_values.profile_option_value%TYPE := p_org_id_char;

  l_current_org_id hr_operating_units.name%TYPE;

  l_view_all_orgs VARCHAR2(1);




  IF is_multi_org_enabled <> 'Y' THEN  RETURN;


  IF p_org_id_char IS NULL AND p_sp_id_char IS NULL THEN



  -- Replace this code with 10g shared globals  --

  BEGIN  SELECT nvl(mpi.status, 'N')

  INTO l_access_ctrl_enabled

  FROM fnd_mo_product_init mpi  WHERE mpi.application_short_name = p_appl_short_name;


  l_access_ctrl_enabled := 'N';  WHEN OTHERS THEN

  generic_error('MO_GLOBAL.SET_ORG_ACCESS', sqlcode, sqlerrm);


  --  -- Delete temporary table data first for all products access

-- enabled or not

  --  delete_orgs;

  --  -- For all products, when the access control feature is enabled,

  -- 1. Use the MO: Security Profile if it is set.

  -- 2. Use the MO: Operating Unit if “MO: Security Profile” is not

  -- set  --  IF (l_access_ctrl_enabled = 'Y') THEN

  IF l_security_profile_id IS NOT NULL THEN  l_org_id := null;


  --  -- Populate temp table

  --  populate_orgs(l_org_id,



'a(e 26 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 27: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 27/69

  l_view_all_orgs);  --

  -- Check if you have access to at least one Operating Unit.  --

  IF g_ou_count = 0 THEN


  --  -- Set the 'Single' access contexts:


  set_policy_context('S', l_current_org_id);  ELSE

  --  -- Added code for All mode to avoid using the policy predicate

  -- when user has access to global view all security profile  -- Bug (2720892)

  -- Set the access contexts:

  --  IF l_view_all_orgs = 'Y' THEN

  set_policy_context('A','');  ELSE



  ELSE  --

  -- Reset the context for products that have not enabled access

-- control  --

  set_policy_context('','');  END IF;



END set_org_access;

4.1.5 Dataodel Desi#n

Ne% Tales


4his is a session-spe)ii) (lobal temporar table that stores the +peratin( Units )ontained in the )urrentresponsibilitGs 7or site le%el 3+: #e)urit 'roileE proile option" 9 the proile optionB 3+: #e)urit'roileE is not deined thenB the +peratin( Unit )ontained in )urrent responsibilitHs 7or site le%el 3+:+peratin( UnitE proile option is stored in the table" 9t is populated &ith re)ords rom the tables<%ie&s'=$?+$>A9RA49+?L9#4 and $?+'=$A49>?U94#" 9t is used in the 3ulti-+r( se)urit

 poli) initiali,ation"

Colun Nae Tpe Null (niue ColunDescription


+$>A9RA49+?9D umber715 ot ull

Pes +peratin(Unitidentiier 


 A3= !ar)har272*0 null ame o the+peratin(Unit


'a(e 20 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 28: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 28/69

A uniIue inde@ 3+?>L+;?+$>?ACC=##?43'?U1 e@ists on +$>A9RA49+?9D )olumn"


4his table is used to store the inormation i a produ)t is 3ulti-+r( A))ess Control enabled" An entr inthis table indi)ates that the produ)t has opened up a))ess" 9 a produ)t has enabled a))essB the 3ulti-+r(initiali,ation )ode &ill use the pre)eden)e o 3+: #e)urit 'roileE o%er 3+: +peratin( UnitE"

Colun Nae Tpe Null (niue ColunDescription


A''L9CA49+?#+$4?  A3=

!ar)har2750 ot ull

Pes Appli)ation#hort ame


C$=A49+?DA4= Date ot ull

Creation Date o

C$=A4=D?;P umber715 ot ull

Created ; o

LA#4?U'DA4=D?;P umber715 ot ull

Last Updated;


LA#4?U'DA4=?DA4= Date ot ull

Last UpdateDate


LA#4?U'DA4=?L+>9 umber715 Last UpdateLo(in


A uniIue inde@ FD?3+?'$+DUC4?994?U1 e@ists on A''L9CA49+?#+$4?A3= )olumn"

4.1.! $ro&ile 'ptions

'rior to openin( up a))essB upon )hoosin( a responsibilitB the CL9=4?9F+ or( predi)ate &asinitiali,ed to the +peratin( Unit the responsibilit has a))ess" 4he ne& proile optionB 3+: #e)urit'roileBE &ill be used in 3ulti-+r( A))ess Control eature" 4his proile option )an be set at #ite and$esponsibilit le%els"

4here is also a ne& proile option a%ailable or deaultin( +peratin( Unit in setup and transa)tion orms"4his proile option is set at #iteB $esponsibilit and User le%els"

' )ecurit $ro&ile

Field Nae =alue

 ame LA?3+?#=CU$94P?'$+F9L=?L=!=LAppli)ation +ra)le Common A))ountin( 3odules

User 'roile ame 3+: #e)urit 'roileDes)ription 3ulti-+r( A))ess Control#L !alidation #LM#=L=C4

#"#=CU$94P?'$+F9L=?A3= S#e)urit 'roileSB  #"#=CU$94P?'$+F9L=?9D94+ :!9#9;L=?+'49+?!ALU= B  :'$+F9L=?+'49+?!ALU=F$+3 '=$?#=CU$94P?'$+F9L=# #+$D=$ ;P #"#=CU$94P?'$+F9L=?A3=C+LU3MS#e)urit 'roileS7Q

User A))ess !isible: PesUpdatable: o

'ro(ram A))ess !isible: PesUpdatable: o

#stem Administrator A))ess: #ite !isible: PesUpdatable: Pes

#stem Administrator A))ess: Appli)ation !isible: oUpdatable: o

#stem Administrator A))ess: $esponsibilit !isible: Pes

'a(e 28 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 29: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 29/69

Field Nae =alue

Updatable: Pes#stem Administrator A))ess: User  !isible: o

Updatable: o

4o minimi,e up(rade eortB 3ulti-+r( initiali,ation pa)a(e &ill irst attempt to read a))ess )ontrolrom 3+: #e)urit 'roileE option" 9 no %alue is assi(ned or the )urrent responsibilit or siteB then itattempts to determine +peratin( Unit a))ess rom 3+: +peratin( UnitE proile option" 3+:+peratin( UnitE proile &ill be obsolete ater all 3ulti-+r( produ)ts ha%e been up(raded to use 3ulti-+r( A))ess Control eature"

' De&ault 'peratin# (nit

Field Nae =alue

 ame D=FAUL4?+$>?9DAppli)ation Appli)ation +bje)t LibrarUser 'roile ame 3+: Deault +peratin( Unit

Des)ription Deault +peratin( Unit the $esponsibilit Lo(s +nto#L !alidation #LM#=L=C4 +$>A9RA49+?9DB A3= 94+

:'$+F9L=?+'49+?!ALU=B :!9#9;L=?+'49+?!ALU= F$+3$?+'=$A49>?U94# C+LU3MA3=7Q

User A))ess !isible: PesUpdatable: Pes

'ro(ram A))ess !isible: PesUpdatable: o

#stem Administrator A))ess: #ite !isible: PesUpdatable: Pes

#stem Administrator A))ess: Appli)ation !isible: oUpdatable: o

#stem Administrator A))ess: $esponsibilit !isible: PesUpdatable: Pes

#stem Administrator A))ess: User  !isible: PesUpdatable: Pes

User )an optionall set this proile option to deault an +peratin( Unit and other 3ulti-+r( dependent%alues in user &indo&s" Deaultin( &ill o))ur onl i userHs se)urit proile in)ludes the +peratin( Unitspe)iied in this proile option"

4.1.8 ulti*'r# "$Is

Teporar Tale processin#

4he 3ulti-+r( temporar table 3+?>L+;?+$>?ACC=##?43' is populated &hen 3ulti-+r(initiali,ation is in%oed" 'rodu)t teams must not reeren)e the temporar table dire)tl an&here in

their )ode" 9nstead the should use the un)tions (i%en belo& to retrie%e data rom the temporar table:

'>G0'B"0.Chec+>"ccess Fun)tion

4his un)tion )he)s i a parti)ular +$> is a%ailable in the temporar table populated b theset?or(?a))ess A'9" 9 ound the un)tion returns la( PHB other&ise H"

FUNCTION check_access(p_org_id NUMBER)




'a(e 2 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 30: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 30/69

Page 31: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 31/69



4his A'9 )an be used in the 'ubli) A'9s or %alidatin( +$>?9D input"

$olic Conte6t "$Is

A'9s are a%ailable to set the appli)ation )onte@t attributes used in the se)urit poli) un)tion"

'>G0'B"0.set>polic>conte6t  'ro)edure

4his A'9 sets the appli)ation )onte@t attributes - )urrent or( id and the a))ess modeB &hi)h are used inthe 3ulti-+r( se)urit poli) un)tion or(?se)urit" 4he )urrent?or(?id )onte@t )an also be used in the produ)t spe)ii) ser%er side %alidation A'9s"

3ulti-+r( )ode a%ailable todaB &ors &ithin the )onte@t o one +peratin( Unit" 4o reuse the )odeB theappli)ation )onte@t attribute a))ess?mode )an be set to sin(leB so that %alidation A'9s )an )ontinue to&or &ithin the )onte@t o one +peratin( Unit &ithout an )han(e" 4his A'9 )an be used to set the poli) )onte@t in the dierent tri((ers in the orms"

'>G0'B"0.#et>current>or#>id  Fun)tion

4his un)tion returns the )urrent?or(?id attribute %alue stored in the appli)ation )onte@t"



  RETURN to_number(g_current_org_id


'>G0'B"0.#et>access>ode  Fun)tion

4his un)tion returns the a))ess?mode attribute %alue stored in the appli)ation )onte@t"



  RETURN (g_access_mode);


"ccess Control e#istration "$Is

A'9s are a%ailable to re(ister or remo%e an appli)ation as a))ess enabled in the 3ulti-+r( table"

FND>'>$'D(CT>INIT>$G.re#ister>application 'ro)edure

4his A'9 populates an entr in the FD?3+?'$+DUC4?994?'K> indi)atin( that a produ)t is 3ulti-+r( A))ess Control enabled"

FND>'>$'D(CT>INIT>$G.reo-e>application 'ro)edure

4his A'9 deletes an entr in the FD?3+?'$+DUC4?994?'K>"

'a(e -1 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 32: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 32/69

'r# De&aultin# "$Is

A'9s are a%ailable to (et the deault +peratin( Unit" A ne& proile option 73+: Deault +peratin(UnitE is a%ailable to deine the +peratin( Unit to be used as deault or our siteB responsibilit or user"4he deault +peratin( Unit &ill be used in both setup as &ell as transa)tion orms" 6hen ou )hoose aresponsibilitB the 3ulti-+r( initiali,ation )ode &ill set the (lobal %ariables or the deault +peratin(Unit name and +$> 9D"

4he proile option 3+: Deault +peratin( UnitE )an be set at siteB responsibilit and user le%els"o&e%erB the proile option 3+: #e)urit 'roileE is set at site or responsibilit le%el" 4he deaultin(is based on the 3ulti-+r( proile options setup" 9t is possible thatB the deault +peratin( Unit %alue that

is set at user le%el ma not be in)luded in the se)urit proile set at responsibilit le%el" 4his is taeninto )onsideration in the 3ulti-+r( A'9 that %alidates the proile options and returns the deault %alue"Follo&in( deaultin( rules appl:

• 9 the proile option 3+: #e)urit 'roileE is not setB then 3+: +peratin( UnitE %alue

is used as the deault +peratin( Unit e%en i 3+: Deault +peratin( UnitE proile is setto a dierent %alue"

• 9 the proile option 3+: #e)urit 'roileE is set and (i%es a))ess to one +peratin(UnitB the deault +peratin( Unit &ill return this %alue e%en i 3+: Deault +peratin(UnitE is set to a dierent %alue"

• 9 the proile option 3+: #e)urit 'roileE is set and (i%es a))ess to multiple +peratin(

UnitsB then the proile %alue 3+: Deault +peratin( UnitE i set is %alidated a(ainst thelist o +peratin( Units in 3+: #e)urit 'roileE" 9 the +peratin( Unit is in)luded inthe se)urit proile then it is returned as the deault %alue" +ther&ise there is no+peratin( Unit deault" AlsoB i the 'roile +ption 3+: Deault +peratin( UnitE is notsetB then there is o deault +peratin( Unit"

'>(TI0).Get>De&ault>'( 'ro)edure

'>(TI0).#et>de&ault>or#>id Fun)tion

4his A'9 returns the deault +peratin( Unit +$>?9D or a (i%en responsibilit" 4he deault +$>?9D)ould be ULLB i there is no %alid deault +peratin( UnitB &hi)h is determined b the deaultin( rules"

7.2 ulti*'r# =ie%sTales Chan#e

=a)h produ)t team o&nin( 3ulti-+r( %ie&s<tables should )areull re%ie& and implement proposed)han(es:

7.2.1 An&orce N'T N(00 constraint on 'G>ID colun

3odi our 3ulti-+r( tables 7?ALLB ?ALL?4L and ?ALL?; to add +4 ULL )onstraint on+$>?9D )olumn" 3ulti-+r( is mandator or $12" =%en in 3ulti-+r( instan)e ULL %alue or+$>?9D is allo&ed or (lobal data 7transa)tion and seed"

4he datatpe o +$>?9D )olumn should be as sho&n belo&:

Colun Nae DataTpe Not Null

+$>?9D umber715 Pes

7.2.2 odi& our Dataase =ie%s

4he 3ulti-+r( A))ess Control me)hanism maes use o a se)urit poli) atta)hed to the 3ulti-+r(snonms to implement se)urit instead o the CL9=4?9F+ predi)ate" CurrentlB the se)urit isimplemented in the 3ulti-+r( %ie&s b the CL9=4?9F+ predi)ate"

'a(e -2 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 33: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 33/69

4he 3ulti-+r( %ie&s )an be di%ided into t&o )ate(oriesB sin(le or(ani,ation %ie&s and reeren)e %ie&s"

)in#le 'r#ani,ation -ie%s are %ie&s based on the _ALL, _ALL_B or  _ ALL_TL 3ulti-+r( tables andha%e the sin(le or( predi)ate atta)hed to them to return data or the )urrent +peratin( Unit spe)iied bthe CL9=4?9F+ en%ironment %ariable" 4he tablesH _ALL_B and _ALL_TL &ere introdu)ed or3ulti-Lin(ual #upport 73L#" e&erence =ie%s are the %ie&s that are joined to sin(le or(ani,ation %ie&s" 4he do not ha%e the sin(leor( predi)ate atta)hed to them" 4he ma or ma not ha%e the +$>?9D )olumn in)luded in the %ie&deinition"

4he )han(es that need to be done to sin(le or(ani,ation %ie&s and reeren)e %ie&s are e@plained indetail here"

)in#le 'r#ani,ation =ie%s

All sin(le or(ani,ation %ie&s must be repla)ed b snonms to ?ALL tables" 4he se)urit poli)un)tion must be atta)hed to the snonms to enor)e +peratin( Unit se)urit"

Case 1 )in#le 'r#ani,ation -ie%

A6aple 14he %ie& deinition o sin(le or(ani,ation %ie& $A?;A4C=# is sho&n belo& in the e@ample"




...  "ORG_ID" ,










4his sin(le or(ani,ation %ie& $A?;A4C=# must be repla)ed b a snonm as (i%en belo&:


4he summar o )han(es that must be done or sin(le or(ani,ation %ie&s joined to sin(le ?ALL tableare (i%en belo&:

• Drop the sin(le or(ani,ation %ie&

• Create a snonm &ith the same name as the obsolete sin(le or(ani,ation %ie&

• Atta)h poli) un)tion to the snonm

A6aple 2

4he %ie& deinition o simple sin(le or(ani,ation %ie& A$?!A4?4A?; is sho&n belo& in thee@ample"

'a(e -- of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 34: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 34/69







FO'),1,1),' ',NULL,SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99))





4his sin(le or(ani,ation %ie& A$?!A4?4A?; must be repla)ed b a snonm &ith the se)urit poli)atta)hed"


A 3ulti-+r( utilit is a%ailable to list sin(le or(ani,ation %ie&s b produ)t" Cli) here to a))ess theutilit"

Pou )an a))ess the utilit rom the ollo&in( U$L:http:<<&&&-apps"us"ora)le")om<ssa<utils<multi-or(-%ie&s"html

A6aple 34he %ie& e@ample o A'?CA$D?#U''L9=$# is as (i%en belo&" 4his %ie& uses $+69D alias or$+6?9D )olumn o the underlin( A'?CA$D?#U''L9=$#?ALL table"CREATE OR REPLACE VIEW AP_CARD_SUPPLIERS AS



4his sin(le or(ani,ation %ie& A'?CA$D?#U''L9=$# must be repla)ed b a snonm &ith the se)urit poli) atta)hed"


6hen the %ie& is repla)ed &ith a snonmB the )ode that is dependent on $+69D )olumn be)omes

9!AL9D as the snonm A'?CA$D?#U''L9=$# does not ha%e this )olumn" #u)h )ode usin(in)orre)t )olumn alias should be i@ed"

4he A$ sin(le or(ani,ation %ie& A$?4A?C$?A>=?9F?! has the similar issue i"e" uses alias$+69D or $+6?9D )olumn" 4he dependent obje)ts reeren)in( the $+69D alias should be i@ed"

A6aple 44he %ie& deinition o sin(le or(ani,ation %ie& A$?'AP3=4?#C=DUL=#?! is sho&n belo& inthe e@ample" 4his is a spe)ial )aseB &here the CL9=4?9F+ predi)ate is )oded in the %ie& deinitionBor perorman)e reasons 7the union )lause in this %ie& deinition maes it non mer(eableB soB usin( basetables instead o %ie&s in the F$+3 )lause is preerred

'a(e -. of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 35: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 35/69

Page 36: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 36/69

  ar_cons_inv_all cons,ar_receipt_methods rm,

ar_batch_sources_all bs,

ar_batches_all arb2,

ar_cash_receipt_history_all crh,

ar_cash_receipt_history_all crh_current,ar_cash_receipts_all cr,

hz_cust_site_uses_all su,hz_cust_accounts cust_acct,

  hz_parties party,

ar_payment_schedules_all ps,ar_cash_receipt_history_all crh_remit,

ar_batches_all arb_remit,fnd_currencies fc









), ' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)



),' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) =





,1),' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) =





1),' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) =





NFO'),1,1),' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) =





'a(e -6 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 37: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 37/69

),' ', NULL,SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) = NVL(





),' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) =









O'),1,1),' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) =





O'),1,1),' ', NULL, SUBSTRB(USERENV('CLIENT_INFO'),1,10))),-99)) =




4his sin(le or(ani,ation %ie& A$?'AP3=4?#C=DUL=#?! in addition to CL9=4?9F+ predi)ate in)ludes additional ilter )onditionB &hi)h needs to sta" en)e this sin(le or(ani,ation %ie&must be )on%erted to a re&erence -ie% ollo&in( the (uidelines o reeren)e %ie&s (i%en in the ne@tse)tion"

4he CL9=4?9F+ predi)ate must be remo%ed rom the 6here ClauseB +$>?9D )olumn must beadded to the %ie&B +$>?9D ilter added or tables &ith +$>?9D as part o the )omposite e 7as insetup tables that )ontain seed data repli)ated to e%er or( or +$>?9D is the dri%in( e or the table 7asin produ)t sstem options tables and the dri%in( table or the %ie& is repla)ed b a se)ured snonm7A$?'AP3=4?#C=DUL=#:





  FROM ar_lookups al_status,ar_collectors ar_coll,

ar_cons_inv_all cons,

ra_cust_trx_types_all ctt,

ra_batch_sources_all bs,

ra_customer_trx_all ct,hz_cust_site_uses_all su,

hz_cust_accounts cust_acct,hz_parties party,

ar_payment_schedules ps










'a(e -0 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 38: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 38/69




...  PS.ORG_ID

FROM ar_lookups al_risk_receipt,

ar_cons_inv_all cons,

ar_receipt_methods rm,

ar_batch_sources_all bs,ar_batches_all arb2,

ar_cash_receipt_history_all crh,

ar_cash_receipt_history_all crh_current,

ar_cash_receipts_all cr,

hz_cust_site_uses_all su,

hz_cust_accounts cust_acct,

  hz_parties party,ar_payment_schedules ps,

ar_cash_receipt_history_all crh_remit,

ar_batches_all arb_remit,

fnd_currencies fc






Cli)  here to run the utilit s)ript that lists the 3ulti-+r( tables that in)lude +$>?9D as part o the)omposite e" Pou )an a))ess the utilit rom the ollo&in( U$L:http:<<&&&-apps"us"ora)le")om<ssa<utils<)omposite-inde@"html

A6aple 54he %ie& deinition o sin(le or(ani,ation %ie& $A?ADD$=##=# is sho&n belo& in the e@ample"4his is a spe)ial )ase" 4he %ie& is based on $A?ADD$=##=#?ALL snonm and in)ludesCL9=4?9F+ ilter" 4he snonm $A?ADD$=##=#?ALL in turn is based on$A?ADD$=##=#?3+$> %ie&" $A?ADD$=##=#?3+$> %ie& is based on se%eral R tables7R?CU#4?ACC4?#94=#?ALLB R?L+C?A##9>3=4#B R?L+CA49+# andR?'A$4P?#94=#" 4his is done or ba)&ard )ompatibilit or )ustomer mi(ration to 4CA"



'a(e -8 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 39: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 39/69

Page 40: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 40/69

3odiied !ie& deinition &ith 3L# lo(i)




B.ORG_ID ...





WHERE B.VAT_TAX_ID = T.VAT_TAX_IDAND NVL(B.ORG_ID, -99) = NVL(T.ORG_ID, -99) (not needed since

vat_tax_id is unique across orgs)

AND T.LANGUAGE = userenv('LANG')

4he summar o )han(es that must be done or sin(le or(ani,ation %ie&s &ith 3L# lo(i) are (i%en


• Add +$>?9D )olumn to %ie& deinition i it does not e@ist

• $emo%e Client 9no predi)ate rom the 6here Clause o the %ie&

• $epla)e the dri%in( 3ulti-+r( base table reeren)e &ith se)ured snonm

• Add +$>?9D ilters i the underlin( 3ulti-+r( tables used in the join )ondition in)lude+$>?9D as part o the )omposite e or +$>?9D is the dri%in( e to a%oid Cartesian joins

Note 9n the abo%e e@ampleB +$>?9D ilter in the 6here Clause is remo%edB sin)e it is not part o the)omposite inde@ or the tables joined"

Case 3 )in#le 'r#ani,ation -ie% %ith ulti*eportin# Currenc

+ri(inal #in(le +r( !ie& Deinition &ith 3$C lo(i):













'a(e .) of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 41: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 41/69

4he abo%e %ie& deinition in addition to CL9=4?9F+ predi)ate in)ludes ilter )ondition or 3$Clo(i)B &hi)h needs to sta" en)eB the sin(le or(ani,ation %ie& should be )on%erted to a reeren)e %ie&as (i%en belo&:

3odiied !ie& Deinition &ith 3$C lo(i):










 4he summar o )han(es that must be done or sin(le or(ani,ation %ie&s &ith 3$C are (i%en belo&:

• Add +$>?9D )olumn i it does not e@ist

• $emo%e Client 9no predi)ate rom the 6here Clause o the %ie&

• $epla)e the dri%in( 3ulti-+r( base table reeren)e &ith se)ured snonm

• Add +$>?9D ilters i the underlin( 3ulti-+r( tables used in the join )ondition in)lude

+$>?9D as part o the )omposite e or +$>?9D is the dri%in( e to a%oid Cartesian joins

e&erence =ie%s

4he reeren)e %ie&s join one or more sin(le or(ani,ation %ie&s" 4hese %ie&s must be modiied toin)lude just one se)ured snonm in the join )ondition" 4he ?ALL tables must be used or the reeren)eto the rest o the sin(le or(ani,ation %ie&s" 4he )riteria to pi) the se)ured snonm are a is a dri%in(table and b has small %olume o data 7tpi)all a setup table as opposed to a transa)tion table"  +$>?9D ilter must be added to the 6=$= Clause )ondition to a%oid Cartesian produ)ts or tablesthat in)lude +$>?9D as part o the )omposite inde@ 7as in tables that )ontain seed data repli)ated toe%er or( or +$>?9D is the dri%in( e or the table 7as in produ)t sstem options tables"

Iportant =%er reeren)e %ie& should ha%e onl one se)ured snonm" Limitin( the number ose)ured snonms to onl one impro%es perorman)e"

A6aple 1

+ri(inal $eeren)ed !ie& Deinition









'a(e .1 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 42: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 42/69

















,  …











4he %ie& deinition is modiied or 3ulti-+r( A))ess Control repla)in( reeren)e to sin(le or(ani,ation%ie&s &ith ?ALL tables or all e@)ept one obje)t $A?CU#4+3=$?4$ &hi)h is the dri%in( table soept as se)ured snonm as (i%en belo&:













'a(e .2 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 43: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 43/69
























4he summar o )han(es that must be done or reeren)e %ie&s are (i%en belo&:

• Add +$>?9D )olumn i it does not e@ist

• $epla)e sin(le or(ani,ation %ie&s &ith ?ALL tables or all e@)eptin( oneB &hi)h must be a

se)ured snonm

• 9n)lude +$>?9D ilter in the &here )lause o the %ie& to a%oid Cartesian produ)tB i

+$>?9D is the dri%in( e or part o the )omposite e

• 9n)lude +$>?9D parameter in the )olumns based on un)tions i ne)essar

A6aple 2

+ri(inal $eeren)e !ie& Deinition









'a(e .- of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 44: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 44/69

Page 45: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 45/69


FND_ACCESS_CONTROL_UTIL.Add_Policy  ( p_object_c!e"# $% &''&)  -- Apps user name

   p_object_*#"e $% 'FINANCIALS_SYSTEM_PARAMETERS')  p_policy_*#"e $% &ORG_SEC+)  p_,-*ctio*_c!e"# $% &''&)  -- Apps user name

   p_policy_,-*ctio* $% 'MO_GLOBAL.ORG_SECURITY &)  p_t#te"e*t_type $% &SELECT) INSERT) UPDATE) DELETE&)  p_-pd#te_c!ec $% TRUE)  p_e*#ble $% TRUE)

  p_t#tic_policy $% FALSE/0


4he ADD?'+L9CP A'9 )he)s i the poli) is atta)hed to the obje)t" 9 it is atta)hedB then drops the poli) and then reatta)hes" 4he irst t&o parameters to this pro)edure are the s)hema &here the obje)tto &hi)h poli) is atta)hed resides and the name o the obje)t" 4he ne@t three parameters are the poli)nameB the s)hema &here the poli) un)tion is a%ailable and the poli) un)tion name" 4he ne@t three parameters are the statement tpe 7D3L to &hi)h poli) appliesB a la( to )he) the poli) a(ainst aninserted or updated %alue and a la( to indi)ate &hether the poli) is enabled or not" 4he last parameteris to indi)ate stati) or dnami) poli) a%ailable in +ra)le i$2"

4.2.4 eo-e Dependenc on ulti*'r# in "'0 tales

4he e@istin( re(istration should be )leaned up" For e@ampleB the dependen) o 'aables on 3ulti-+r(is seeded in the ollo&in( table:


Column Name Size Type Rqd Value

A''L9CA49+?#+$4?A3= 80 !A$CA$2 Pes C$  '$+DUC4?D='=D=CP 80 !A$CA$2 Pes 3+

Use the A'9 pro%ided b A4> to remo%e the dependen) inormation:

To 1e"o2e depe*de*cy3 FND_PRODUCT_INITIALI4ATION_P5G.Re"o2eDepe*de*cy(&666C7R&)&8O&/0

4.2.5 e#ister ulti*'r# "ccess Analed in ' tale

'rodu)t teams must re(ister their produ)t in the 3ulti-+r( table FD?3+?'$+DUC4?994 to indi)atethat 3ulti-+r( A))ess Control is enabled &hen the are read to turn on" 4his inormation is needed ormodule based initiali,ationB to i(nore 3+: #e)urit 'roileE or not"

Tale FND>'>$'D(CT>INIT

6hen 'aables 7C$ opens up a))essB the must seed a ro& in the 3ulti-+r( table to indi)ate thata))ess is turned on" C$3 oundation 7N4F has 3ulti-+r( A))ess Control turned on alread"




'a(e . of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 46: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 46/69

Use the A'9 pro%ided b #hared #er%i)es to re(ister the a))ess enabled status"

T o e*#ble #cce3 

 FND_ 8O_PRODUCT_INIT_P5G.1e9ite1_#pplic#tio*(&666C7R&)


To delete yo-1 #pplic#tio* e*t1y3 

 FND_ 8O_PRODUCT_INIT_P5G.1e"o2e_#pplic#tio*(&666C7R&/0

Use the FDL+AD utilit to e@tra)t the seed data in FD?3+?'$+DUC4?994 table" A loader ilemust be deli%ered to the )ustomer to populate this inormation at the site" 'lease )onta)t #hared#er%i)es team or the loader ile" A loader )oni(uration ile amoinit"l)t is a%ailable or e@tra)tin( theloader ile"

4.3 Fors Anhanceents

4he 3ulti-+r( setup and transa)tion orms need to e@pose +peratin( Unit ield" 4his &ill allo& theusers to sele)t the +peratin( Unit and then enter the setup or transa)tion or the +peratin( Unit"6here%erB possibleB &e re)ommend simple +peratin( Unit deri%ations rom some attributes o thetransa)tion"

4he ollo&in( se)tion details the )han(es that must be done b the produ)t teams in the setup andtransa)tion orms or 3ulti-+r( A))ess Control:

4.3.1 ulti*'r# Initiali,ation

=%er orm modiied or 3ulti-+r( A))ess Control should in)ludeB the )all to 3ulti-+r( initiali,ationA'9 73+?>L+;AL"init in the 're-Form tri((er" 4he Appli)ation #hort ame passed to the A'9 isused to determine the a))ess enabled status o the produ)t in order to populate the temporar tablea))ordin(l" Also the appli)ation )onte@ts used in the !'D se)urit poli) are initiali,ed" 4heAppli)ation short name should )orrespond to the data re(istered in FD?A''L9CA49+ table"

For e@ampleB a 'aables orm modiied to open up a))essB should in)lude the ollo&in( )ode as (i%en belo& in the '$=-F+$3 tri((er:



  MO_GLOBAL.init (‘XXXCHR’);


9n the abo%e e@ampleB C$ is the appli)ation short name or 'aables"

9 A' has opened up a))ess in 11i@B the abo%e )ode &ould populate the temporar table &ith multiple+peratin( Units i the proile option 3+: #e)urit 'roileE is set or multiple a))ess" Also the a))essmode &ill be set to 3UL49'L=E or ALLE dependin( upon the number o +peratin( Units the user hasa))ess to"

I$'T"NT A+L initiali,ation 7nd?(lobal"apps?initiali,e7 is e@e)uted b the app?standard"e%ent7)all in the 're-Form tri((er" 3ulti-+r( initiali,ation should be e@e)uted ater this )all" 9 this order isnot ollo&edB the proiles 3+: +peratin( UnitE and 3+: #e)urit 'roileE &ill not be )a)hed or theri(ht )onte@t resultin( in in)orre)t initiali,ation or the session"

4.3.2 "dd 'peratin# (nit Field

>eneral re)ommendation is to pla)e the +peratin( Unit ield as the irst displaed ield in the )an%as inthe 3ulti-+r( orms" 9t is a non base table item deri%ed based on the +$>?9D %alue rom $ tables&here +peratin( Unit is deined"

'a(e .6 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 47: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 47/69

Add +peratin( Unit and +$>?9D ields in the orm blo)" +peratin( Unit ield is not needed or blo)sthat do not e@pose this ield to the users"

4.3.3 Create 0'= &or 'peratin# (nit &ield

Create a Iuer based re)ord (roup to sho& +peratin( Units that are in)luded in the se)urit proileatta)hed to the responsibilit" 4he 3ulti-+r( (lobal temporar table is populated &ith the +peratin(Unit inormation based on the 3+: #e)urit 'roileE a))ess" For simpli)it and to minimi,e impa)t outure )han(eB A'9s are pro%ided to (et the +peratin( Unit name rom the 4emporar table" 'rodu)t

teams should use these A'9s instead o dire)tl a))essin( the temporar table" A un)tion is alsoa%ailable to )he) the a))ess o parti)ular +peratin( Unit in the 4emporar table"

4he re)ord (roup Iuer or +peratin( Unit ield should be )oded as (i%en belo&:select hr.organization_id org_id  , hr.name operating_unit

  FROM hr_operating_units hr  WHERE mo_global.check_access(hr.organization_id) =



ecord Group Colun )peci&ications

Colun Nae +'=$A49>?U94 +$>?9D

DataTpe Char umber  0en#th 249 9

Create a L+! based on this re)ord (roup" L+! &indo& si,e / @ / in)hes" 4he +peratin( Unit namemust be displaed in the L+! &indo&"

0'= colun appin# $roperties

Colun Nae +'=$A49>?U94 +$>?9D

Displa idth 1"5 0

eturn Ite loc+ naeH.operatin#>unit loc+ naeH.or#>id

Colun Title +peratin( Unit +r( 9D

Atta)h the L+! to +peratin( Unit ield"

4.3.4 De&ault 'peratin# (nit on &ors startup

+n orms startup ou must )all the 3ulti-+r( A'9 3+?U49L#"(et?deault?ou to )op the (lobal%ariables %alue to orm parameters" Pou must )reate ne& orm parameters as (i%en belo& to store theA'9 output and then )op the deault +peratin( Unit to the orm blo) in the &hen-)reate-re)ordtri((er"

Ne% For $araeters

$araeter Nae Datatpe a6iu 0en#th

3+?D=FAUL4?+$>?9D umber 153+?D=FAUL4?+U?A3= Char 2*03+?+U?C+U4 umber 15

$re*For tri##erDECLARE  l_default_org_id number;

  l_default_ou_name varchar2(240);

  l_ou_count number;

BEGIN  ...

  mo_utils.get_default_ou(l_default_org_id, l_default_ou_name,

'a(e .0 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 48: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 48/69

  l_ou_count);  :PARAMETER.mo_default_org_id) := l_default_org_id;

  :PARAMETER.mo_default_ou_name := l_default_ou_name;  :PARAMETER.mo_ou_count := l_ou_count;


-- Can also use indirect reference as given below:-- copy(l_default_org_id,’PARAMETER.mo_default_org_id’);

  -- copy(l_default_ou_name,’PARAMETER.mo_default_ou_name’);  -- copy(l_ou_count,’PARAMETER.mo_ou_count’);


Bloc+ 0e-el hen*Create*ecord tri##er  IF :parameter.mo_default_org_id is not null and :block.org_id isnull THEN

  :block.org_id := :parameter.mo_default_org_id);  :block.operating_unit := :parameter.mo_default_ou_name;

  -- Can use copy built in as given below:

  -- copy(‘parameter.mo_default_org_id’,’block.org_id’);  -- copy(‘parameter.mo_default_ou_name’,’block.operating_unit’);


4.3.! )ettin# the Dnaic $olic Conte6t

I$'T"NT #ettin( the )urrent or( in the dierent tri((ers (i%en belo& )/'(0D N'T be used orne& orms that ou are buildin(" For ne& )odeB ou should use ?ALL tables and in)lude orm blo)+$>?9D to restri)t data to the +peratin( Unit that the user sele)ted"

4he 3ulti-+r( se)urit poli) un)tion uses a dnami) predi)ate to handle simple predi)ate &hen thea))ess is limited to one +peratin( Unit %s" )omple@ predi)ate 7e@ists sub-Iuer &hen the a))ess ismultiple" 4he predi)ate is based on the appli)ation )onte@t attribute %alue or a))ess?mode"

4o sal%a(e the e@istin( )odeB dependin( upon &hether the orms uses #ele)t +peratin( Unit or Deri%e+peratin( Unit eatureB the a))ess?mode )an be set to sin(le or multiple in the dierent tri((ers (i%en belo&:

7.3.!.1 Fors that support )elect 'peratin# (nit &eature

Call the 3ulti-+r( A'9 to set the )onte@t to multiple or sin(le in the ollo&in( tri((ers:

hen*Create*ecord Tri##er o& 'peratin# (nit &ield loc+ 

IF (:parameter.mo_default_org_id IS NOT NULL ) THEN

  -- Defaulting org_id from profile option

  :block.org_id := :parameter.mo_default_org_id;  :block.operating_unit := :parameter.mo_default_ou_name;

  -- Set policy context  mo_global.set_policy_context('S’,:block.org_id);


  mo_global.set_policy_context('M', null);


IF :<your block name.org_id> is not null

IF :<block name.org_id> <> nvl(:<parameter.old_org_id>,-99) THEN  -- Get the cache for current org


ELSE  -- Refresh the cache


'a(e .8 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 49: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 49/69

Note 4he deaultin( A'9 &ill return data e%en i the 3+: Deault +peratin( UnitE 'roile is not set&hen the responsibilit has a))ess to one operatin(" #o the =L#= )ondition or settin( the poli))onte@t need not )he) the parameter"ou?)ount %alue"

hen*=alidate*Ite Tri##er o& 'peratin# (nit &ield

IF (:<your block name.org_id> IS NOT NULL ) THEN  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>,-99) THEN

  mo_global.set_policy_context('S', :block.org_id);  -- Get the cache for the current org


ELSE -- :block.org_id is null  mo_global.set_policy_context('M', null);

  -- Refresh the cacheEND IF; 

Note 9 ou ha%e Find &indo&s in our orm that e@pose +peratin( Unit ieldB ou must set the poli))onte@t in the 6hen-!alidate-9tem tri((er o the +peratin( Unit ield" For orms that use $o& L+!s oruer FindB should set the poli) )onte@t to 3ultiple to see all +peratin( Units dataB pro%ided the parameter mo?ou?)ount is more than 1"

hen*Ne%*ecord*Instance Tri##er o& 'peratin# (nit &ield loc+ 

IF (:<your block name.org_id> IS NOT NULL ) THEN

  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>,-99) THEN  mo_global.set_policy_context('S', :block.org_id);

  -- Get the cache for the current org

  END IF;ELSE -- :block.org_id is null, so set the context to multiple

  mo_global.set_policy_context('M', null);

  -- Refresh the cache


$re*Insert Tri##er o& 'peratin# (nit &ield loc+ 

4his tri((er is needed onl i our orm allo&s multi re)ord )ommit"

IF (:<your block name.org_id> IS NOT NULL ) THEN

  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>,-99) THEN  mo_global.set_policy_context('S', :block.org_id);

  -- Get the cache for the current org  END IF;

ELSE -- :block.org_id is null, so set the context to multiple

  mo_global.set_policy_context('M', null);

  -- Refresh the cache


$re*uer Tri##er o& 'peratin# (nit &ield loc+ 


  IF :parameter.mo_ou_count = 1 THEN



  mo_global.set_policy_context('M', null);


-- Other Code


'a(e . of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 50: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 50/69

$re*ecord Tri##er o& 'peratin# (nit &ield loc+ 4his tri((er is need i our orm or)es user to )ommit ater e%er re)ord"IF ("#$%$&%.*%%_%%- / *00 $-

"#$%$&%.*%%_%%- 1= "//&.%33%_%%-) THENIF ("//&.4%&_/$*/ ('CHANGED','INSERT')) THEN

  "#_$%#&%.*_+#%_#/**('S', +"*.#%3_#$_3)4

  -- Get the cache for the current org  55 %$/ %%% &//$3 6 */% &&7  55 %$/ 4%&_%33%_4$0*%7ELSE

  55 N #-3 &&/.55 R/ 6 *%% %%- 8$%$90.

  "#$%$&%.*%%_%%- "= ''7END IF7

ELSE  55 U/% 6$/ $83$- $6% %%-.  55 D %/ 6 *%% %%- 8$%$90.  *007END IF7

$re*(pdate Tri##er4his tri((er is needed i our orm allo&s multi re)ord )ommits &here the re)ords )ould be in dierent+peratin( Units"

IF (:<your block name.org_id> IS NOT NULL ) THEN  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>,-99) THEN

  mo_global.set_policy_context('S', :block.org_id);

  -- Get the cache for the current org



)tep 4 odi& the /AN*CA"TA>AC'D tri##er o& the &or loc+ 

Pou must modi the &hen-)reate-re)ord tri((er o our +peratin( Unit blo) to )op the )urrent+peratin( Unit spe)ii) inormation rom the )a)he to the parameter or non base table blo)" 6hen an+peratin( Unit deault is a%ailableB )a)hin( should happen based on the deault or("

For produ)t teams that need ser%er side )a)hin( to be initiali,ed or %alidations on the ser%erB ou )ould(et the )urrent?or(?id b )allin( the 3ulti-+r( A'9 mo?(lobal"(et?)urrent?or(?id pro%ided ou set thednami) poli) )onte@t )orre)tl"

hen>Create*ecord tri##erDECLARE

  l_gr xx_mo_cache_utils.GlobalsRecord;



-- Check if the default OU is available.  -- If so, copy default OU to form block

IF :parameter.mo_default_org_id is not null and

:block.org_id is null then  :block.org_id = :parameter.mo_default_org_id;

  :block.operating_unit := :parameter.mo_default_ou_name;

  END IF; 

-- Check if the block org is set. Then check if the operating

-- unit available as default is the same as the one available in

-- parameter or a non base table block. If same, then do not copy

'a(e ) of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 51: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 51/69

  -- again from cache. This ensures that you do not refresh the

-- parameter or a non base table block if you continue to enter

-- transactions for the org which is same as the default org.

  IF :<your block name.org_id> is not null

IF :<block name.org_id> <> nvl(:<parameter.old_org_id>,-99)

THEN  -- Get the current Org attributes from client side cache

  l_gr := xx_mo_local_cache.get_org_attributes(:<<your blockname>>.org_id);


-- Copy from cache to parameter block or non base table block  -- You can replace parameter block shown here with a non

-- base table block:parameter.chart_of_accounts_id := l_gr.chart_of_accounts_id;

  :parameter.ledger_id := l_gr.ledger_id;  :parameter.ledger_name := l_gr.ledger_name;

  :parameter.currency_code := l_gr.currency_code;

  /* << Begin product-specific assignments >> */  -- Additional assignments...

  :parameter.<column1> := l_gr.column1;  /* << End product-specific assignments >> */


-- Copy the block org_id to parameter.old_org_id

  :parameter.old_org_id := <:block name.org_id>;


  -- Copy null to parameter columns


  -- Pass the ORG_ID to server code to use the server cache for the

  -- current org for the record validations

-- Get Batch Source Header Defaults

arp_trx_defaults.get_header_defaults(param1, param2,…,:block.org_id);

  55 O6% C- 55...


)tep 5 odi& the /AN*="0ID"TA*ITA tri##er o& the 'peratin# (nit &ield ;as %ell as 'peratin#(nit speci&ic &ields used in deri-e operatin# &eature<

Ater the user sele)ts an +peratin( UnitB the )urrent +peratin( Unit re)ord must be )opied rom the)a)he to the parameter or non base table blo)"

For produ)t teams that need ser%er side )a)hin( to be initiali,ed or %alidations on the ser%erB ou )ould(et the )urrent?or(?id b )allin( the 3ulti-+r( A'9 mo?(lobal"(et?)urrent?or(?id pro%ided ou set thednami) poli) )onte@t )orre)tl"

Note For orms that support Deri%e +peratin( Unit eatureB the )ode to )op the )a)he to the parameter or non base table blo) should be in)luded not onl in the 6hen-!alidate-9tem tri((er o the +peratin(Unit ieldB but also in the 6hen-!alidate-9tem tri((ers o the +peratin( Unit spe)ii) ields that )ould beused to deri%e the +peratin( Unit" 'lease see Deri%e +peratin( Unit eatureE se)tion or more details"

hen*=alidate*Ite Tri##erDECLARE

  l_gr xx_mo_cache_utils.GlobalsRecord;

BEGIN  -- Check if the new Operating Unit selected by the user is the same

'a(e 1 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 52: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 52/69

  -- as the old Operating Unit that is available in the parameter or

-- a non base table block. If same then do not copy again from

-- cache

IF :<block name.org_id> is not null THEN

  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>,-99) THEN

  -- Get the current Org attributes from client side cache

  l_gr := xx_mo_local_cache.get_org_attributes(:<<your block


  -- Copy from cache to parameter block or a non base table block

  -- You can replace parameter block shown here-- with any non base table block

:parameter.chart_of_accounts_id := l_gr.chart_of_accounts_id;  :parameter.ledger_id := l_gr.ledger_id;

  :parameter.ledger_name := l_gr.ledger_name;

  :parameter.currency_code := l_gr.currency_code;  /* << Begin product-specific assignments >> */

  -- Additional assignments...  :parameter.<column1> := l_gr.column1;

  /* << End product-specific assignments >> */

  -- Copy the block org_id to parameter.old_org_id

  :parameter.old_org_id := <:block name.org_id>;


  ELSE  -- Copy null to parameter columns


  -- Pass the ORG_ID to server code to use the server cache for the

-- current org for the record validations

-- Get Batch Source Header Defaultsarp_trx_defaults.get_header_defaults(param1, param2,


-- Other code --


)tep ! odi& the loc+ le-el hen*Ne%*ecord*Instance tri##er o& the 'peratin# (nit &ield loc+ 

6hen the user tries to modi an attribute o a transa)tion ater it is sa%edB the )urrent operatin( re)ordmust be )opied rom the )a)he to the parameter or non base table blo)B to use it or %alidations as &ellas or )ontrollin( the displa properties o the items in the re)ord" 4he parameter or non base table blo) &ill be populated &ith the )urrent or( )a)he &hen the user na%i(ates or one re)ord to anotherater the re)ords are Iueried up"

For produ)t teams that need ser%er side )a)hin( to be initiali,ed or %alidations on the ser%erB ou )ould

(et the )urrent?or(?id b )allin( the 3ulti-+r( A'9 mo?(lobal"(et?)urrent?or(?id pro%ided ou set thednami) poli) )onte@t )orre)tl"

4he &hen-ne&-re)ord-instan)e tri((er must be used to dete)t the updates and a))ordin(l reresh the)a)he"

hen*Ne%*ecord*Instance Tri##erDECLARE

  l_gr xx_mo_cache_utils.GlobalsRecord;


'a(e 2 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 53: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 53/69

  -- Check if the new Operating Unit selected by the user is the

-- same as the old Operating Unit that is available in the

-- parameter or non base table block. If same then do not copy

-- again from cache 

IF :<block name.org_id> is not null THEN

  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>, -99)THEN

  -- Get the current Org attributes from client side cache

  l_gr := xx_mo_local_cache.get_org_attributes(:<<your block


  -- Copy from cache to parameter block or non base table block

  -- You can replace parameter block shown here

-- with any non base table block:parameter.chart_of_accounts_id := l_gr.chart_of_accounts_id;

  :parameter.ledger_id := l_gr.ledger_id;

  :parameter.ledger_name := l_gr.ledger_name;  :parameter.currency_code := l_gr.currency_code;

  /* << Begin product-specific assignments >> */  -- Additional assignments...

  :parameter.<column1> := l_gr.column1;

  /* << End product-specific assignments >> */

 -- Copy the block org_id to parameter.old_org_id

  :parameter.old_org_id := <:block name.org_id>;


  -- Pass the ORG_ID to server code to use the server cache for the

  -- current org for the record validations 

-- Get Batch Source Header Defaultsarp_trx_defaults.get_header_defaults(param1, param2,


-- Other code --


)tep 7 odi& the loc+ le-el $ost*uer tri##er o& the 'peratin# (nit &ield loc+ 

I$'T"NT $ost*uer tri##er &ires &or e-er recordJ %hen ou do a lind uer and henceou should consider re%ritin# our )0 to use >"00 tales and use 'G>ID Eoin condition ;asedon the &or loc+ 'G>ID<. ou are not reuired to snchroni,e the cache in the post*uertri##er. The NI %ill snchroni,e the cache.

9n ormsB &here some o the +peratin( Unit spe)ii) displa ields are populated in the post Iuertri((erB ou must sn)hroni,e the )a)he based on the re)ordHs +peratin( Unit"

For produ)t teams that need ser%er side )a)hin( to be initiali,ed or %alidations on the ser%erB ou )ould(et the )urrent?or(?id b )allin( the 3ulti-+r( A'9 mo?(lobal"(et?)urrent?or(?id pro%ided ou set thednami) poli) )onte@t )orre)tl"

$ost*uer Tri##erDECLARE

  l_gr xx_mo_cache_utils.GlobalsRecord;


  -- Check if the new Operating Unit selected by the user is the

'a(e - of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 54: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 54/69

  -- same as the old Operating Unit that is available in the

-- parameter or non base table block. If same then do not copy

-- again from cache IF :<block name.org_id> is not null THEN

  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>, -99)


  -- Get the current Org attributes from client side cache

  l_gr := xx_mo_local_cache.get_org_attributes(:<<your block


  -- Copy from cache to parameter block or non base table block

  -- You can replace parameter block shown here-- with any non base table block

:parameter.chart_of_accounts_id := l_gr.chart_of_accounts_id;  :parameter.ledger_id := l_gr.ledger_id;

  :parameter.ledger_name := l_gr.ledger_name;

  :parameter.currency_code := l_gr.currency_code;  /* << Begin product-specific assignments >> */

  -- Additional assignments...  :parameter.<column1> := l_gr.column1;

  /* << End product-specific assignments >> */

  -- Copy the block org_id to parameter.old_org_id

  :parameter.old_org_id := <:block name.org_id>;



  -- Pass the ORG_ID to server code to use the server cache for the

  -- current org for the record validations 

-- Get Batch Source Header Defaults

arp_trx_defaults.get_header_defaults(param1, param2,…,:block.org_id);

 -- Other code --


)tep 8 odi& the loc+ le-el $re*Insert tri##er o& the 'peratin# (nit &ield loc+ 

Pou need this tri((er onl i our orm allo&s multi-re)ord )ommitB &here ou must sn)hroni,e the)a)he"

$re*Insert Tri##erDECLARE

  l_gr xx_mo_cache_utils.GlobalsRecord;


  -- Check if the new Operating Unit selected by the user is the-- same as the old Operating Unit that is available in the

-- parameter or non base table block. If same then do not copy

-- again from cache IF :<block name.org_id> is not null THEN

  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>, -99)THEN

  -- Get the current Org attributes from client side cache

  l_gr := xx_mo_local_cache.get_org_attributes(:<<your block


'a(e . of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 55: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 55/69

  -- Copy from cache to parameter block or non base table block

  -- You can replace parameter block shown here

-- with any non base table block:parameter.chart_of_accounts_id := l_gr.chart_of_accounts_id;

  :parameter.ledger_id := l_gr.ledger_id;

  :parameter.ledger_name := l_gr.ledger_name;  :parameter.currency_code := l_gr.currency_code;

  /* << Begin product-specific assignments >> */  -- Additional assignments...

  :parameter.<column1> := l_gr.column1;

  /* << End product-specific assignments >> */

  -- Copy the block org_id to parameter.old_org_id

  :parameter.old_org_id := <:block name.org_id>;



  -- Pass the ORG_ID to server code to use the server cache for the

  -- current org for the record validations 

-- Get Batch Source Header Defaultsarp_trx_defaults.get_header_defaults(param1, param2,


-- Other code --


)tep odi& the loc+ le-el $re*(pdate tri##er o& the 'peratin# (nit &ield loc+ 

Pou need this tri((er onl i our orm allo&s multi-re)ord )ommitB &here ou must sn)hroni,e the)a)he"

$re*(pdate Tri##erDECLARE

  l_gr xx_mo_cache_utils.GlobalsRecord;


  -- Check if the new Operating Unit selected by the user is the

-- same as the old Operating Unit that is available in the

-- parameter or non base table block. If same then do not copy

-- again from cache 

IF :<block name.org_id> is not null THEN  IF :<block name.org_id> <> nvl(:<parameter.old_org_id>, -99)


  -- Get the current Org attributes from client side cache

  l_gr := xx_mo_local_cache.get_org_attributes(:<<your blockname>>.org_id);

  -- Copy from cache to parameter block or non base table block  -- You can replace parameter block shown here

-- with any non base table block:parameter.chart_of_accounts_id := l_gr.chart_of_accounts_id;

  :parameter.ledger_id := l_gr.ledger_id;  :parameter.ledger_name := l_gr.ledger_name;

  :parameter.currency_code := l_gr.currency_code;

  /* << Begin product-specific assignments >> */  -- Additional assignments...

  :parameter.<column1> := l_gr.column1;  /* << End product-specific assignments >> */

'a(e of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 56: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 56/69

  -- Copy the block org_id to parameter.old_org_id

  :parameter.old_org_id := <:block name.org_id>;



  -- Pass the ORG_ID to server code to use the server cache for the

  -- current org for the record validations 

-- Get Batch Source Header Defaultsarp_trx_defaults.get_header_defaults(param1, param2,


-- Other code --END;

Note For orms lie A$ $e)eipt 6orben)hB +?L+CK tri((er ma be needed as opposed to 're-Update 7Feedba) rom A$"

)tep 19 odi& the loc+ le-el $re*ecord tri##er o& the 'peratin# (nit &ield loc+ 

Pou need this tri((er onl i our orm or)es users to )ommit the re)ord beore na%i(atin( to the ne@t


$re*ecord Tri##erDECLARE

  l_gr xx_mo_cache_utils.GlobalsRecord;


  -- Get the current Org attributes from client side cache

-- org stored in the parameter.old_org_id

  l_gr :=


  -- Copy from cache to parameter block or non base table block

  -- You can replace parameter block shown here-- with any non base table block

:parameter.chart_of_accounts_id := l_gr.chart_of_accounts_id;  :parameter.ledger_id := l_gr.ledger_id;

  :parameter.ledger_name := l_gr.ledger_name;

  :parameter.currency_code := l_gr.currency_code;  /* << Begin product-specific assignments >> */

  -- Additional assignments...  :parameter.<column1> := l_gr.column1;

  /* << End product-specific assignments >> */



  -- Pass the ORG_ID to server code to use the server cache for the

  -- current org for the record validations -- Get Batch Source Header Defaults

arp_trx_defaults.get_header_defaults(param1, param2,…,:block.org_id);


-- Other code --END;

'a(e 6 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 57: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 57/69

4.3. odi& ecord Groups &or 'peratin# (nit speci&ic &ields

$e)ords or +peratin( Unit spe)ii) ields should be modiied as (i%en belo& based on &hether thesupport sele)t +peratin( Unit eature or deri%e +peratin( Unit eature:

• 4he 3ulti-+r( temporar table should not be used dire)tl in the #L Iuer" 9nstead the

'L<#L un)tions a%ailable to )he) the +peratin( Unit a))ess and (et the +peratin( Unitinormation should be used"

• $e)ord (roup #L joinin( &ith t&o or more 3ulti-+r( %ie&sB should be modiied to limit

reeren)e to one 3ulti-+r( se)ured snonm and the rest o the reeren)es to ?ALL tables7similar to $eeren)e %ie& standards"

• +$>?9D ilter should be added to the 6=$= Clause o the re)ord (roup #L to a%oidCartesian joins or tables that in)lude +$>?9D as part o the )omposite e or +$>?9D is thedri%in( e"

•  eed not in)lude orm blo) +$>?9D in the re)ord (roup #LB as settin( the poli) )onte@t asdes)ribed in se)tion ."/" &ill handle sin(le as &ell as multiple +peratin( Units data"

• 9n orms that support deri%e +peratin( UnitE eatureB poli) )onte@t as des)ribed in se)tion."/" must be set not onl in 6hen-!alidate-9tem tri((er o +peratin( Unit ield but also the+peratin( Unit spe)ii) ields that )an be used to deri%e it"

A6aple 1

$e)ord (roups usin( deri%e operatin( eature

4he L+! is al&as enabled" 9 the +peratin( Unit ield is let blanB the )urrent or( is not set and thea))ess mode is set to multiple" #o the re)ord (roup #L &ill return data or multiple +peratin( Units"9 the +peratin( Unit is sele)tedB the )urrent or( is set and the a))ess mode is sin(le and the same L+!&ill return data or the sele)ted +peratin( Unit"

/0 9/.$& /*%, 9/.9$6_/*%_- 9$6_/*%_-,9/.-/%# -/%#,9/.$*_%:_*&9%3_40$3 $*_%:_*&9%3_40$3,9/.9$6_/*%_# 9$6_/*%_#,9/.-4$*0_8_%:_# -4$*0_8_%:_#,.$& -4$*0_#_$&, 9/.%3_-,

   "#_$%#&%.$*_#5_/"(&.#$_3)  4%& _5*_*_*+_%% **,

_&*6_#5 &

 ;6% 9/.-4$*0_8_%:_# = .*/_%:_#_-(+)/3 &.#$_3 = **.#$_3(!)$- 80("3;_6$-%._0$//,'5<<') =

--("3;_6$-%._0$//, *00, '5<<', .#(+) )$- 80("3;_6$-%.%:_-$,%*(//-$)) 9;

80(9/./$%_-$,80("3;_6$-%.%:_-$,%*(//-$)))$- 80(9/.-_-$, 80("3;_6$-%.%:_-$, %*(//-$)))$- 80("3;_6$-%.%:_-$,%*(//-$)) 9;

80(./$%_-$(+),80("3;_6$-%.%:_-$,%*(//-$)))$- 80(.-_-$(+), 80("3;_6$-%.%:_-$,

%*(//-$)))$- 80(9/./$*/, 'A') = 'A'$- ( 9/.9$6_/*%_# ='INV' % "3;_6$-%._0$// =

'CM' )$- 9/.9$6_/*%_- (, 2)$- ( "3;_6$-%.%:_*&9% / *00

% 9/.$*_%:_*&9%3_40$3 = 80("3;_6$-%.9/_$*_%:_*&9%3_40$3,'N') )%-% 9 9/.$&, 9/.-/%#, 9/.9$6_/*%_- 

Note 9n the abo%e e@ampleB +$>?9D ilter is added to a%oid Cartesian join"

A6aple 2

'a(e 0 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 58: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 58/69

$e)ord (roups usin( deri%e operatin( eature

/0 ./_9003_*&9%,.*/&%_-,./_*/_-,*.*/&%_$&,*.*/&%_*&9%,/*.0$,

  /*.%3_-,  &_309$0.3_*_$&(/*.%3_-)

  4%& _#/_/7_%% ,%$_*/&%/ *,_*_5 5

 ;6% .*%%_- = "%3;_40-%.*%%_-  /3 .*_5_3 = 5.*_5_3

$- .*/&%_- = *.*/&%_-%-% 9 /_9003_*&9%

Note ere it is not ne)essar to add +$>?9D ilter in the 6here Clause to join $A?#94=?U#=# andA$?C+#?9! %ie&sB sin)e site?use?id is uniIue and sui)ient to determine the +$>"

A6aple 3

$e)ord (roups usin( sele)t operatin( eature4he L+! is disabled until an +peratin( Unit is sele)ted" +n)e an +peratin( Unit is sele)tedB the )urrentor( and the a))ess mode are set" #o the re)ord (roup #L &ill al&as return data or one +peratin(Unit"

select max(tc.name) name,

  lc.displayed_field type,  tc.description

  from ap_lookup_codes lc,  ap_tax_codes tc

 where lc.lookup_type = 'TAX TYPE'

and tc.tax_type != 'OFFSET'and tc.tax_type != 'AWT'

and lc.lookup_code = tc.tax_type

and nvl(tc.enabled_flag,'Y')='Y' group by tc.name, lc.displayed_field, tc.description

Note 1 9t is let to the produ)t teams to implement sele)t +peratin( Unit or deri%e +peratin( Unit orthe re)ord (roups based on the business lo(i)" 4here is no dieren)e to the re)ord (roup #L or sele)t+peratin( Unit %s deri%e +peratin( UnitB sin)e settin( the poli) )onte@t should tae )are o that"

Note 2 For orms that support sele)t +peratin( UnitB sin)e the +peratin( Unit dependent ields are(reed outB until an +peratin( Unit is sele)tedB the re)ords (roups o these ields )ould be based on ?ALL tables instead o se)ured snonm"

4he abo%e sele)t statement )ould be re&ritten to use the ALL tables instead o se)ured snonmsB passin( the orm blo) +$>?9D as (i%en belo&:

select max(tc.name) name,  lc.displayed_field type,  tc.description

  from ap_lookup_codes lc,  ap_tax_codes_ALL tc

 where lc.lookup_type = 'TAX TYPE'

and tc.tax_type != 'OFFSET'and tc.tax_type != 'AWT'

and lc.lookup_code = tc.tax_typeand nvl(tc.enabled_flag,'Y')='Y'

  and tc.org_id = :<block_name.org_id>

 group by tc.name, lc.displayed_field, tc.description

'a(e 8 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 59: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 59/69

4.3.19 "dd 'G>ID predicate in Client)er-er Code

9n the )lient side and ser%er side appli)ation )odeB there are #L statements that issue D3L a(ainst3ulti-+r( %ie&s" 4he A'9s that are used or %alidatin( data &ithin an +peratin( UnitB )an beneit romusin( the )urrent or( id set b rom tri((ers beore the %alidation lo(i) is iredB instead o +$>?9D parameter bein( passed" o&e%erB i the same A'9 is used both in the reeren)e %ie& as &ell as ser%erside %alidation rom ormsB then the A'9 needs to be modiied to in)lude +$>?9D input parameter as(i%en in the reeren)e %ie&s se)tion"

4he ollo&in( rules must be ollo&ed:• 4he 3ulti-+r( temporar table should not be used dire)tl in the #L Iuer" 9nstead the

'L<#L un)tions a%ailable to )he) the +peratin( Unit a))ess and (et the +peratin( Unitinormation should be used"

• #L joinin( &ith t&o or more 3ulti-+r( %ie&s should be re&ritten to use just one se)ured

snonm based on the dri%in( table or the Iuer and the rest o the %ie&s repla)ed b ?ALLtables"

• +$>?9D ilter should be added to the 6=$= Clause o the re)ord (roup #L to a%oidCartesian joins or tables that in)lude +$>?9D as part o the )omposite e or +$>?9D is thedri%in( e"

=@ample 1:

BEGIN  SELECT  NVL(#_-_*&9%_40$3, 'N')  INTO  0_#_-_*&9%_40$3  FROM  %$_9$6_/*%/  WHERE  9$6_/*%_- = 0__%.9$6_/*%_-E>CEPTION  WHEN NO_DATA_FOUND THEN  0_#_-_*&9%_40$3 "= 'N'7END7

=@ample 2:

0_%:_/% "= '/0 %$_%:_*&9%_' ??  REPLACE(#_%:_%.9$6_/*%_-, '5', 'N') ??  0_%3_/%??  '_/.:8$0 %:_*&9% ' ??  '4%& %$_9$6_/*%/ ' ??  ';6% 9$6_/*%_- = ' ??  #_%:_%.9$6_/*%_- ??  ' $- $*_%:_*&9%3_40$3 = ''Y''' E>ECUTE IMMEDIATE 0_%:_/%  INTO 0_%:_*&9%7

4.3.11 odi& tale handlers

'rior to openin( up a))essB the $D;3# deault %alue or +$>?9D )olumn &as utili,ed to handle or(?id)olumn population durin( insertsB updates and deletes" 4he $D;3# deault %alue maes use o theCL9=4?9F+ or( )onte@t" 4he table handlers used the sin(le or(ani,ation %ie&s"

6ith openin( up a))essB a responsibilit ma ha%e a))ess to multiple +peratin( Units" Pou must notrel on the $D;3# deault %alue or +$>?9D )olumn sin)e it &ill not be set anmore" The -alue &or'G>ID colun ust e speci&ied e6plicitl in the tale handlers.

'a(e of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 60: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 60/69

Note 'rodu)t teams should not modi the $D;3# deault %alue or +$>?9D to use the )urrent or("4he )urrent?or( is introdu)ed mainl to minimi,e the )ode )han(e or the produ)t )ode that al&as (etse@e)uted &ithin the )onte@t o one +peratin( Unit" 4he +peratin( Unit is %alidated upront in theorms" 9t is sae to use this %alue in the table handlers rather than relin( on $D;3# deault %alue"

'lease reer to up(rade se)tion to see an e@ample o s)ript to remo%e $D;3# deault %alue or +$>?9D)olumn"

  For insert statements the +$>?9D )olumn %alue must be passed to the table handlers" For updatestatementsB i ou use a primar e )olumn in our sele)tion )riteriaB then +$>?9D %alue is not

reIuired in the table handler" 4he e@amples (i%en belo& demonstrate this:

=@ample 1:An insert statementinsert into <table*>  (<column1>

  <column2>  …


values ( <value1>,  <value2>,

  …  p_org_id)

Q the table indi)ated here is the snonm to &hi)h 3ulti-+r( se)urit poli) is atta)hed"

=@ample 2:An update statementupdate <table>

  set <column1> = <value1>where primary_key = <value>

=@ample /:A delete statement

D=L=4= F$+3 ra?)ustomer?tr@ 6=$= )ustomer?tr@?id M p?)ustomer?tr@?idT

9n the e@ample abo%eB the primar e is used or the update and the delete statementsB hen)e +$>?9Dilter is not added"

'a(e 6) of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 61: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 61/69

A 3ulti-+r( utilit to list the 3ulti-+r( tables that ha%e the $D;3# deault %alue 7CL9=4?9F+deault or +$>?9D )olumn is a%ailable"

Note 4able handlers )ould use ALL tables instead o se)ured snonmsB pro%ided ou ha%e %alidated the+$>?9D upstream" 9t is important that ou %alidate the +$>?9DB sin)e ou should not be able to do anD3L or an +peratin( Unit that ou do not ha%e a))ess to"

4.3.12 "llo% uer on 'peratin# (nit &ield

4he +peratin( Unit ield is a non database item" 9n order to Iuer b +peratin( Unit ieldB its %alueneeds to be deri%ed rom +$>?9D database )olumn" 4his must be done in the pre-Iuer and post-Iuertri((ers" Use the 3ulti-+r( A'9 FD?ACC=##?C+4$+L?U49L">et?+r(?ame or this purpose"

Bloc+ 0e-el $ost*uer Tri##er  :<your block name>.operating_unit :=

fnd_access_control_util.get_org_name(:<your block


rigger_block, STATUS,QUERY_STATUS);

FND>"CCA))>C'NT'0>(TI0.Get>'r#>NaeFUNCTION Get_Org_Name( p_org_id NUMBER )


  l_return hr_all_organization_units_tl.name%TYPE;


  INTO l_return  FROM hr_all_organization_units_tl

  WHERE organization_id = p_org_id

  AND language = userenv('LANG');


  l_return := NULL;


  RETURN l_return;

END Get_Org_Name;

Forms that &ish to enable the uer =nter un)tionalit or the +peratin( Unit name need to modi the'$=-U=$P tri((er o the +peratin( Unit blo)" 4he tri((er must dnami)all modi theD=FAUL4?6=$= propert o the blo) to append a L9K= sub-Iuer that e@amines thehr?operatin(?units %ie& or re)ords &hose name mat)hes the strin( entered in the +peratin( Unit ield"

Note ueries on the hr?operatin(?units %ie& tae into a))ount the userGs )urrent lan(ua(e )onte@t"

Bloc+ 0e-el $A*(A tri##er

DECLARE  90@_- B0@ "= FIND_BLOC('90@ $&')7

  /*9_;6% VARCHAR2(2)7  -4_;6% VARCHAR2(2)7

  55 L$0 4* -4"


'a(e 61 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 62: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 62/69

  BEGIN  IF (NVL(NVL(036(#_;6%), ), ) 1= ) THEN  RETURN( #_;6% ?? ' AND ')7  ELSE  RETURN( #_;6% )7  END IF7



BEGIN  /*9_;6% "= NULL7

  IF (90@ $&.#%$3_* IS NOT NULL) THEN  /*9_;6% "= $--_$-(/*9_;6%) ?? '(NAME LIE '''?? "90@$&.OPERATING_UNIT ??''')'7  END IF7

  IF (/*9_;6% IS NOT NULL) THEN  -4_;6% "= $--_$-(-4_;6%) ?? '((ORG_ID) IN '??'(SELECTORGANIATION_ID '??'FROM

HR_OPERATING_UNITS WHERE '?? /*9_;6% ?? '))'7  END IF7

  55 S#4 6 -4$*0 WHERE 0$*/ 4% 6 90@.  55 T6/ ;00 NOT 8%%- $ 8$0* /$90/6- $ -/3 &  55 8$ 6 P%#% P$0 4% 6 90@'/ WHERE 0$*/ #%#%.

  /_90@_#%#%(90@_-, DEFAULT_WHERE, -4_;6%)7


4.3.13 /andle Fle6&ields "ccountin# e Fle6&ields

4he )hart o a))ounts 9D asso)iated &ith the a))ountin( le@ields is based on the >L led(er asso)iated&ith the +peratin( Unit" 9n order that the a))ountin( le@ields &or properlB the )hart o a))ounts 9Dmust be passed as an input parameter to the A'9 that deines e le@ield" 6hene%er the +peratin(Unit ield is )han(ed either b sele)tin( the +peratin( Unit rom the L+! or +peratin( Unit ield or bderi%in( the +peratin( Unit rom an +peratin( Unit spe)ii) attributes o the transa)tionB the C+A%alue should be rereshed rom )a)he"

4here is no &a to no& the led(er 9D and )hart o a))ounts 9D at orms openin( i the responsibilithas a))ess to multiple +peratin( Units" 9t is determined onl ater an +peratin( Unit is sele)ted orderi%ed"

4o enable a))ess )ontrol or a))ountin( le@ieldsB the ollo&in( )han(es must be done:

1" Add a ne& item CA$4?+F?ACC+U4#?9D to our orm blo) that is a base blo) o our)an%as" Use this instead o parameter")hart?o?a))ounts?idB &hi)h redu)es the number o )alls ond?e?le@"deine"

2" Call the nd?e?le@"deine in the ollo&in( tri((ers:

• ;lo) Le%el 6hen-Create-$e)ord

• 9tem Le%el 6hen-!alidate-9tem on +peratin( Unit ield and also on +peratin( Unit spe)ii)

ields used in the deri%e +peratin( UnitE eature"

• ;lo) Le%el 'ost-uer

• ;lo) Le%el 're-uer 7i ou need to allo& Iuerin( on a))ountin( le@ields

'a(e 62 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 63: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 63/69

/" Disable the )all to nd?le@"deine in the orm le%el as &ell as blo) le%el 're-uer tri((er"+ther&iseB ou &ill (et the error A''-FD-0101: $outine FDF$K#: Unno&n stru)ture 9D orle@ield )ode >L &ith appli)ation 9D 101 durin( blind Iuer or 3ulti-+r( )ase"

For e@ampleB the ollo&in( )ode deines the e le@ield stru)ture or insertsB updates and Iueries"

Bloc+ 0e-el $ost*uer tri##erhen*Create*ecord tri##erhen*=alidate*Ite tri##er on the'peratin# (nit &ield and other 'peratin# (nit speci&ic &ields used to deri-e 'peratin# (nit

  IF ("*% 90@ $&.%3_- IS NOT NULL) AND

("*% 90@ $&.#%$3_* IS NOT NULL) THEN

IF :<block name.org_id> <>

nvl(:<parameter.old_org_id>, -99) THEN

  0_3% "= *% #%-* /6%$&_MO_0$0_$6.3_%3_$%9*/("*% 90@$&.%3_-)7  8&%# /":.6*_#;_#5/*_3 =%_$.6*_#;_#5/*_34  ! I$0 O6% P$%$&%/ !  ...


BLOC=*% 90@ $&,  FIELD =*% 40- $&,TITLE ="90@

$&F0-_$&,  NUM =: 8&%#

/":.6*_#;_#5/*_3, <)4  ...  END IF7  END IF7

uerin# on "ccountin# Fle6&ieldsPou must disable the e le@ield 7nd?le@"e%ent )all in the orm le%el as &ell as in the blo) le%el're-uer tri((ers and enable it in the blo) le%el 'ost-uer tri((er i ou do not need the abilit to

Iuer on a))ountin( le@ields in our orm" 9 ou do not allo& enter-Iuer on A))ountin( Fle@ieldsBou must set the item propert U=$P ALL+6=DE to o"

o&e%erB i ou need the abilit to Iuer on a))ountin( le@ieldsB then ou should add additional lo(i)in the blo) le%el pre-Iuer tri((er to handle enter Iuer" 4he a))ountin( le@ield must be used in theIuer onl i the +peratin( Unit is spe)iied" 9n other &ordsB the a))ountin( le@ield ield should bemade dependent on +peratin( Unit ield" o&e%erB durin( enter-IuerB &e )annot )ontrol item properties to set dependent items" 9nsteadB a messa(e must be displaed to the users asin( them toenter a uniIue +peratin( Unit &hen the e@e)ute enter-Iuer"

4he ollo&in( table lists the s)enarios &hen the messa(e should be displaed to the user:

'peratin# (nit Field "ccountin# Fle6&ieldField


1 An !alue ull =@e)ute the standard enter Iuer2 ull ot ull Displa messa(e 'lease enter +peratin(

UnitE or 3ulti-+r( )ase/ on ull 7Cannot identi

+peratin( Unit uniIuel" ="("!isV

 ot ull Displa messa(e 4he sstem )annotidenti KFF stru)ture" 'lease enter theull +peratin( Unit nameE

* ot ull 7Can identi+peratin( Unit uniIuel" ="("!ision +perations

 ot ull =@e)ute the standard enter Iuer

5 ot ull 7o +peratin( Unit isound mat)hin( &ith the

 ot ull =@e)ute the standard enter Iuer

'a(e 6- of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 64: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 64/69


4he ollo&in( )ode handles enter Iuer on a))ountin( le@ields:

Bloc+ 0e-el $re*uer Tri##erPROCEDURE PRE_JUERY IS  0_%3_- NUMBER()7  0_3% AP_MO_$6_*0/.G09$0/R%-7  0__*_4*- E>CEPTION7BEGIN

  IF "8/_40-%.#%$3_* IS NULL THEN  IF "8/_40-%.0$90_$* IS NOT NULL THEN  4-_&//$3./_$&('FND','MO_SRCH_OU_REJUIRED')7  4-_&//$3.%%%7


SELECT %3$$_-INTO 0_%3_-

  FROM 6%_#%$3_*/  WHERE %3$$_$& 0@

"8/_40-%.#%$3_*  AND &_309$0.6@_$//(%3$$_-) = KY7  E>CEPTION  WHEN TOO_MANY_ROWS THEN  4-_&//$3./_$&('FND',MO_SRCH_MULT_OU_FOUND)7

4-_&//$3.%%%7  WHEN NO_DATA_FOUND THEN  4-_&//$3./_$&('FND',MO_SRCH_NO_OU_FOUND)7



0_3% "= $#_&_0$0_$6.3_%3_$%9*/(0_%3_-)7


For master-detail blo)sB &here a))ountin( le@ield is present in both the master and detail blo)sB the pre-Iuer tri((er in the master blo) must ha%e the )all to deine e le@ields" Pou must not )all thedeine le@ields in the detail blo)Hs pre-Iuer tri((er" o&e%erB the pre-Iuer tri((er in the detail blo) should ha%e )ode to update the blo)Hs )hart o a))ounts 9D and )all to nd?le@"e%ent as (i%en belo&:

Bloc+ 0e-el $re*uer tri##er

'a(e 6. of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 65: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 65/69

IF ("*% 90@ $&.%3_- IS NOT NULL) AND("*% 90@ $&.#%$3_* IS NOT NULL)THEN

IF :<block name.org_id> <>nvl(:<parameter.old_org_id>, -99) THEN

  %_$ = 88#5 +#35* 6#*/"::_MO_%#%_6.$*_#$_**&5*(88#5 &%#/"::.#$_3)4 

8&%# /":.6*_#;_#5/*_3 =%_$.6*_#;_#5/*_34  4-_40:.8(KP%5J*%)7  END IF7  END IF7

4.3.14 /andle 'peratin# (nit -alue chan#e

4he user should be allo&ed to )han(e the +peratin( Unit at an point o time beore the re)ord is)ommitted to the database" Ater the re)ord is )ommitted in the databaseB the +peratin( Unit ield should be disabledB pre%entin( users rom updatin( it"

$ost*Insert Tri##er o& 'peratin# (nit &ield Bloc+ 

app?item?propert"set?propert7;L+CK?A3="+'=$A49>?U94HB =A;L=DB'$+'=$4P?+FFT

4he +peratin( Unit ield should not be enabled or the Iueried re)ords"

$ost*uer Tri##er o& 'peratin# (nit &ield Bloc+ 

app?item?propert"set?propert7;L+CK?A3="+'=$A49>?U94HB =A;L=DB'$+'=$4P?+FFT

hen*Ne%*ecord*Instance Tri##er o& 'peratin# (nit &ield Bloc+ 

IF sste.record>status K L(AM T/AN  app?item?propert"set?propert7;L+CK?A3="+'=$A49>?U94HB =A;L=DB'$+'=$4P?+FFT  A0)A  app?item?propert"set?propert7;L+CK?A3="+'=$A49>?U94HB =A;L=DB'$+'=$4P?+T


4.4 Anhanceent to eports

4.4.1 '-er-ie%

4his se)tion details the )han(es or #in(le +r( and Cross +r( reports  

'a(e 6 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 66: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 66/69

4.4.1 )in#le 'r# eports

4he +peratin( Unit is a reIuires ield and deault %alue is deri%ed rom the

4.4.2 Cross 'r# eports

Cross +r( $eports should be la((ed as 3UL49'L=H or the +peratin( Unit mode in the Deine

Con)urrent 'ro(ramsE orm"  4he spe)ial parameter +peratin( Unit &ill not be a%ailable or Cross +r($eports" 4he se)urit or Cross +r( $eports is modiied to tae into )onsideration the 3+: #e)urit'roileE proile"

Cross +r( $eports )urrentl ha%e 2 parameters $eportin( Le%el and $eportin( Conte@t" 4he %aluesetso these parameters are modiied to in)lude 3+?>L+;?+$>?ACC=##?43' table" AlsoB 4he Cross+r( A'9s that are )alled in the report e@e)utables are modiied to in)lude 3+: #e)urit 'roileE" 4he)han(es are transparent to the produ)t teamsB sin)e 3ulti-+r( produ)t o&ns the %aluesets and the Cross+r( A'9s"

At runtime the 3ulti-+r( initiali,ation populates the temporar table &ith one or multiple +peratin(Units based on the a))ess enabled status o the produ)t o&nin( the )ross or( report"

Pou should not reer to CL9=4?9F+ lo(i) an&here in the reports" Also !L un)tion or +$>?9D

should be remo%edB as 3ulti-+r( is mandator or $12

4.5 Concurrent $ro#ra Anhanceents

4.5.1 '-er-ie%

4his se)tion details the )han(es or sin(le or( and multiple or( )on)urrent pro(rams"

4.5.2 )in#le 'r# Concurrent $ro#ras

#in(le +r( Con)urrent 'ro(rams should be la((ed as #9>L=H or the +peratin( Unit mode in the

Deine Con)urrent 'ro(ramsE orm" 

4he +peratin( Unit is a reIuires ield and deault %alue is deri%ed rom the3+?U$9L#"(et?deault?or(?id7 A'9"

4.5.3 ultiple 'r# Concurrent $ro#ras

3ultiple +r( Con)urrent 'ro(rams should be la((ed as 3UL49'L=H or the +peratin( Unit mode inthe Deine Con)urrent 'ro(ramsE orm"  4he A4> =nhan)ement 7=$ 2*20.55 &ould allo& 3ulti-+r(temporar table 3+?>L+;?+$>?ACC=##?43' to be populated &hen the user sele)t su)h )on)urrent pro(rams" 4he spe)ial parameter +peratin( Unit &ill not be a%ailable or these pro(rams" 9nstead produ)t teams should e@pose +peratin( Unit parameter as a pro(ram parameter" 4his is an optional parameter that allo&s user to submit the )on)urrent pro(ram or a sin(le +peratin( Unit or or the+peratin( Units spe)iied in 3+: #e)urit 'roileE proile"

4he %alueset o the +peratin( Unit parameter should be as (i%en belo&:

  SELECT hr.organization_id org_id

  , hr.name operating_unit  FROM hr_operating_units hr

  WHERE mo_global.check_access(hr.organization_id) = ‘Y’

Note Pou should not reeren)e the 3ulti-+r( temporar table in the )on)urrent pro(ram seed data or in

'a(e 66 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 67: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 67/69

5. Glossar

alancin# entit

An or(ani,ation or &hi)h ou prepare a balan)e sheetB represented as a balan)in( se(ment %alue inour a))ountin( le@ield" 4his is the eIui%alent o a und in (o%ernment or(ani,ations" =@amplesin)lude )ompaniesB strate(i) business unitsB and di%isions"

usiness acti-it

A pro)essB deined b de%elopmentB perormed b appli)ations users that )reates and maintains businesstransa)tions or reeren)e data" =@amples o business transa)tions in)ludeB but are not limited to:reIuisitionsB pur)hase ordersB re)eiptsB in%entor transersB in%oi)esB and paments" =@amples oreeren)e data in)lude )ustomerB supplier and ban a))ount inormation"

usiness #roup

An or(ani,ation &hi)h represents the )onsolidated enterpriseB a major di%isionB or an operation)ompan" 4his entit partitions uman $esour)es inormation and business (roup le%el data is se)ured b se)urit (roups" A business (roup 7;> is a hi(hest le%el in an or(ani,ation hierar)h"

usiness unit

An or(ani,ational (roup &ithin an enterprise" 7#ee also: or(ani,ation"

intercopan in-oice

 An automati)all (enerated statement that eliminates inter)ompan proit" 4his transa)tion ma o))ur bet&een or(ani,ations in the same or dierent le(al entities"

in-entor or#ani,ation

An or(ani,ation that tra)s in%entor transa)tions and balan)esB and<or that manua)tures or distributes produ)ts"

led(er  ;Get de&inition &ro G0<

le(al entit ; eplace 0A de&inition &ro 0A docuent %hen it ecoes a-ailale. 542991<

 An or(ani,ation that represents a le(al )ompan that ou )ontrol inan)ial statements and ta@es7&hether it is in)ome ta@B sales ta@ or an other is)al liabilit" All ta@ related do)uments should belined to the appropriate le(al entit to (rant audit trail reIuired b is)al authorit" Le(al reports should be a%ailable at le(al entit le%el" A le(al entit is )omprised o one or more +peratin( Units" A le(alentit is represented in >eneral Led(er as one or more balan)in( se(ment %alues &ithin a led(er"

ultiple installations

$eers to installin( subled(er produ)ts 7A'B A$B '+B += multiple times or data partitionin( purpose"4his is no lon(er ne)essar under a 3ulti+r( implementation"

ultiple sets o& oo+s

 A >eneral Led(er )on)ept or ha%in( separate entities or &hi)h )hart o a))ountsB )alendarB orun)tional )urren) diers"

'a(e 60 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 68: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 68/69

'peratin# (nit

$elease 11i and prior terminolo(: an autonomous or(ani,ation &hi)h uses +ra)le $e)ei%ablesB +ra)le'aablesB +ra)le +rder =ntrB +ra)le 'ur)hasin( or +ra)le 'roje)ts" An +peratin( Unit is al&asasso)iated &ith a sin(le le(al entit" 9normation is se)ured b +peratin( UnitH in the abo%e produ)ts&ith some shared inormation"

$elease 12 terminolo(: an autonomous or(ani,ation &hi)h is assi(ned business a)ti%ities)orrespondin( to an o these produ)ts: $e)ei%ablesB +rder 3ana(ement B 'aablesB 'ur)hasin( and'roje)ts" +peratin( UnitsB in $elease 12B ma be operatin( on behal o one or more le(al entities and is

a mu)h broader )on)ept than that in prior releases" +peratin( Units in prior releases &ere assi(ned to predeined sets o business a)ti%ities b appli)ation module"

'peratin# (nit relationship

9n shared ser%i)es en%ironmentB one +peratin( Unit )an perorm business a)ti%ities on behal o one ormore other +peratin( Units" 4hese relationships are )alled +peratin( Unit relationships"


 An or(ani,ation is an autonomous business unit o an enterpriseB su)h as a plantB &arehouseB di%isionBor department" +r(ani,ations are )ate(ori,ed b or(ani,ation )lassii)ation"

or#ani,ation classi&ication

An or(ani,ation )lassii)ations are a set o sstem-deined attributes that )ate(ori,e an or(ani,ation" Fore@ampleB )lassii)ations in)ludeB but are not limited to: +peratin( UnitB proje)t e@penditure or(ani,ationBin%entor or(ani,ation and human resour)es or(ani,ation" For more inormationB please reer to ArrorOBoo+ar+ not de&ined."

or#ani,ation hierarch

An or(ani,ation hierar)hies sho&s hierar)hi)al relationships amon( or(ani,ations in enterprise"+r(ani,ation hierar)hies are used to )onstru)t se)urit proiles"


Determines the dataB ormsB menusB reportsB and )on)urrent pro(rams ou )an a))ess in +ra)leAppli)ations" 9t is lined dire)tl to a data (roup" #e%eral users )an share the same responsibilitB and asin(le user )an ha%e multiple responsibilities"

9n $elease 11i and prior releasesB a proile option )ontrolled the +peratin( Unit to &hi)h theresponsibilit &as assi(ned"

9n $elease 12B a responsibilit is assi(ned to a se)urit proile to )ontrol a))ess to one or more +peratin(Units is assi(ned to a responsibilit" 4his allo&s a user to a))ess data in multiple +peratin( Units&ithout )han(in( his responsibilit"

securit #roup

Used to se)ure data &ithin one business (roup" 9 installation onl has one business (roupB there is onlone se)urit (roup"

securit pro&ile

A se)urit proile represents a list o one or more +peratin( Units to &hi)h a user has a))ess or inIuirBreportin( and transa)tion and data entr" =%er appli)ation user is assi(ned an or(ani,ation se)urit proile b &a o their responsibilit" #e)urit proiles are deined based on or(ani,ation hierar)hies"

'a(e 68 of 68

Comp!" Co!#$%!&'( * Fo+ I!&%+!( U,% O!("

Page 69: White Paper Multi-Org Access Control Uptake R12 VIMP

7/25/2019 White Paper Multi-Org Access Control Uptake R12 VIMP

http://slidepdf.com/reader/full/white-paper-multi-org-access-control-uptake-r12-vimp 69/69

ser-ice ureau

An implementation that is supportin( man separate enterprises"

set o& oo+s ;a+a led#er<

 A inan)ial reportin( entit that partitions >eneral Led(er inormation and uses a parti)ular )hart oa))ounts 7A))ountin( Fle@ield stru)tureB un)tional )urren)B and a))ountin( )alendar" Pou mustdeine at least one led(er or ea)h enterprise"