Oracle Apps R12 MOAC and its impact

Oracle R12 MOAC and its impact Setup the Security Profile: 1.Create a Security Profile in HRMS Responsibility HRMS Manager>Security>Profile In this setup specify different Operating Units that you want to Access. 2.Run the Security List Maintenance This is a required step when you create a new Profile or modify existing one.

3.Setup the MO: Security Profile value to above created security profile. This "MO: Security Profile" Profile option has to be setup at the responsibility level.This will ensure that Responsibility will have access to the data of all the Operating units under the Security Profile.

Important profile option MO: Security Profile: MO: Operating Unit: This comes from 11i and is still valid only its evaluated, if there is no value setup at MO:Security Profile. MO: Default Operating Unit If the security profile is setup to access multiple operating units, this requires users to select the Operating Unit every time user access the Sub ledger pages. To avoid this the Default Operating Unit profile can be setup. How MOAC impacts the way we work in TOAD 11i To set the Org id in TOAD 1. Get the Org_id from HR_ORGANIZATION_UNITS 2. In toad execute the below code begin fnd_client_info.set_org_context(&org_id); end;

To set the responsibility context in TOAD 1. Get the User id, Responsibility Id and Application id from Front end Help>Diagnostic>Examine and select BLOCK as "$PROFILES$" and then get the respective IDS 2. Using the IDs execute the below code in TOAD begin FND_GLOBAL.APPS_INITIALIZE(user_id in number,resp_id in number,resp_appl_id in number); end; R12: To set the Org id in TOAD 1. Get the Org_id from HR_ORGANIZATION_UNITS 2. In toad execute the below code --Sets the 201 as single Org id exec MO_GLOBAL.SET_POLICY_CONTEXT('S',201); Pass a value "S" in case you want your current session to work against Single ORG_ID Pass a value of "M" in case you want your current session to work against multiple ORG_ID's To set the responsibility context and initiate MOAC in TOAD

1. Get the User id, Responsibility Id and Application id from Front end Help>Diagnostic>Examine and select BLOCK as "$PROFILES$" and then get the respective IDS 2. Using the IDs execute the below code in TOAD a. exec FND_GLOBAL.INITIALIZE This will set your responsibility id, user_id etc b. call MO_GLOBAL.INIT('AR') This will read the MO profile option values for your responsibility/user, and will initialize the Multi Org Access. MOAC for table access In 11i _ALL Tables where non Org specific and Org specific views were created on these tables. But in R12 its different concept a. For the table AP_INVOICES_ALL a synonym AP_INVOICES_ALL is created in APPS. b. Also another synonym AP_INVOICES is created which refers to AP_INOICES_ALL. c. A Row Level security is applied to AP_INVOICES, using package function MO_GLOBAL.ORG_SECURITY. This can be double-checked by running SQL select * from all_policies where object_name='AP_INVOICES' e. The effect of this policy is that,whenever you access AP_INVOICES, Oracle RLS will dynamically append WHERE CLAUSE similar to below SELECT * FROM AP_INVOICES WHERE EXISTS (SELECT 1 FROM mo_glob_org_access_tmp oa WHERE oa.organization_id = org_id)

Multi Org Structure in R12: An Overview

What is a Multi Org Structure?
If an enterprise or a business wants to implement multiple organizations such as multiple Ledgers (Sets of Books), or Legal Entities, or Business Groups within a single installation of Oracle Applications, then we can summarize that the enterprise is planning to implement a multi org setup.

How About a Close to Real Life Case Study?

Before we dive into this topic, let us draw a multi org structure on a whiteboard. It would help to analyze a real picture, as we pick at the concepts that go into designing a multi org structure.

The above is the organization structure for Office Smart Solutions, which is a major office supplies retailer, headquartered in Naperville, Illinois, USA. The organization operates in three countries the US, Canada and India. Office Smart has an organization structure with the following:

2 Business Groups one in the US, which controls the organization structure in North America, and one in India 3 Legal Entities one in the US, one in Canada, and one in India 3 Primary Ledgers one in the US, one in Canada, and one in India 3 Operating Units one in the US, one in Canada, and one in India 5 Inventory organizations two in the US, one in Canada, and two in India Subinventories and locators exist beneath the inventory organizations, but they are not relevant for the session on multi org structures. With this, let us step back and reflect

The way it was in 11i

In 11i, a user working with a specific responsibility, under a given operating unit, would need to switch responsibilities, if she were to access a sales order that was created from a different operating unit. For this to happen, the user had to be assigned a second responsibility that was linked to the second operating unit. From an implementation perspective, this implied that each responsibility could be linked to one and only one operating unit. Thus, if a user in Office Smart Canada, needed access to data in Office Smart US, then she would need to be assigned a responsibility that was tied to the US Operating Unit Office Smart Operations. Responsibilities were tied to operating units through the profile option MO: Operating Unit.

What R12 brings to the table

Release 12 brought with it, the philosophy of Multi Org Access Control (MOAC). Globalization is unstoppable. Regardless of geography, industry or income, companies are globalizing to gain new customers and access new markets. Is this a good thing? Nearly two-thirds of the CEOs we surveyed are positive about the impact that globalization will have on their organizations over the next three years. Source: 9th Annual Global CEO Survey Globalization and Complexity; PwC 2006 With Release 12, Oracle Applications had to ensure that certain aspects of the applications were redesigned to meet the inevitable advance of Globalization.

Organizational changes in R12

The Set of Books evolved into Ledgers and Ledger Sets. The philosophy of Multiple Organization Access Control (MOAC) introduced in R12, ensured that the same user could perform multiple tasks across operating units without changing responsibilities. The use of Security Profiles was extended beyond HR to make MOAC possible.

Organization Access Control in R12

In a multi org environment, securing the data in each organization becomes a key task and concern for management and the implementation team. By creating custom responsibilities, management ensures that employees are given access to only those menus and functions that they need to perform their routine activities. However, an addition layer of security needs to be designed to ensure that using those menus and forms given to them, employees cannot trespass into an organization that they should not have access to. As mentioned above, in 11i access to organizations was compartmentalized based on operating units. This ensured data security, but at the expense of making it a little cumbersome for the user to switch between organizations that belong to different operating units. The Multi Org Access Control (MOAC) feature in R12 retains the data security aspect between organizations and users. However, it also brings with it a certain degree of user friendliness in navigating between different operating units.

How does R12 implement this change?

This series is designed to highlight all that it takes to implement a Multi Org Structure in Release 12.

R12: Setting up MOAC (Multi Org Access Control) in R12

Prior to R12, end users use to toggle / switch / change responsibilities in order to do transactions (like invoice / payment processing in AP) in different operating unit. This is a very time consuming and inefficient way of recording transactions when you have 100s of operating units specially Internet based organizations who have world wide operations in almost all the countries. To address this, a new feature in R12 has been introduced in which user can switch between operating units within a responsibility something similar to "Change Organization" feature in inventory. Prior to R12, user would have to switch responsibilities in order to enter transactions in respective operating units (tagged to the responsibility). To enable this feature, Oracle has provided MOAC (Multi Org Access Control) in R12 to achieve this functionality. Most of the setup steps for this is similar to setting up of HR Security. So, if you know how to set HR security then setting MOAC is just a piece of cake. Do the following setups as part of MOAC setupStep 1. Create Organization HierarchyNavigate to Human Resource responsibility > Define Organization Hierarchy

Create an Organization Hierarchy as shown below. Here I have named it as "XXTech Vision". This is my Org hierarchy name. This has following heirarchy, Organization name (This would show-up all Organizations in the current business group): Vision Corporation --Vision Services --Vision Leasing --Vision Utilities

Once you set this up, you can see how your hierarchy looks like in the Organization Diagrammer as shown below,

Step 2- Create HR Security Profile as shown below (Navigation - Human Resources responsibility > Security > Profile) Enter the values as shown in the below picture.

Step 3- The final step of the setup is to attach the HR security profile just created to the "MO:Security Profile" profile for the responsibility to which you want to have the MOAC functionality as shown in the below picture,

Step 4- Run "Security List Maintenance" concurrent request, This process maintains the list of employees, organizations, positions, payrolls and applicants that security profile holders have access to. Schedule this request to run every night during quite hours if possible. If it is run when the users are logged in then users may experience unexpected results while doing transactions like additional employees / OUs may become visible or previously visible employees may no longer be visible for a brief period of time. Once the process completes then everything would work normal. If it does not run due to some reason then this can be manually run as shown in the picture,

Step 5- Test the setup Now navigate to "Payables Manager" responsibility > Invoices Workbench > Click on the LOV of OU > It would show up all the organizations (setup as operating units that were part of the security profile >

organization hierarchy as shown in the below picture,

Oracle apps MOAC setup

The Security Profiles form allows you to group together Operating Units Define the security profile for the order management responsibility: Navigate: HRMS Management responsibility: 1. HRMS Manager > Security > Profile 2. 3. 4. Verify that the security profile is defined for the OM responsibility. If the security profile is not yet setup, enter it and attach the operating units SAVE

The Security List Maintenance concurrent program must be run each time you add or change Security Profiles.

There are three Profile Options you need to be aware of related to Multi-Org that should be set at the Responsibility Level. The R12 profile option MO: Security Profile is always evaluated first. The pre-R12 profile option MO: Operating Unit still works in R12. It is just a secondary priority being evaluated after MO: Security Profile. The R12 profile option MO: Default Operating Unit sets the default Operating Unit for transactions when running under a Security Profile. Many R12 applications modules do not work with MO: Security Profile set for a given responsibility.

They must only use MO: Operating Unit. Some even require all three Profile Options set. Examples: CRM Modules Certain GL Drill Down Functions (Trial and error determination of setups, no clear direction)

Now check the operating unit field in the orders screen Vision Operations defaults as the operating unit in the form per profile option setting for OM: Default Operating Unit at responsibility level