
Table of Contents

Basic Navigation within Oracle Applications


Users and Responsibilities
Concurrent Program
Other AOL Objects
Profile Options
Lookups
Functions (OAF/Forms)
Menus
Flexfield Key/Descriptive
Messages
Multi-Org Access Control (MOAC)

Copyright 2008 Deloitte Development LLC. All rights reserved.

Multi-Org Access Control (MOAC)


By the end of this session, you will know:
What is MOAC?
Benefits of MOAC
MOAC setup
Technical details
How the access control works?
Multi-Org Concurrent Programs/Reports
Developer Notes



Brief History
Multi-Org architecture was first introduced in Oracle Applications Release 10.6.
Its primary objective was to secure data from unauthorized access by individuals.
A user can access the data authorized by the Operating Unit selected for the profile MO: Operating Unit at Site, Application, Responsibility or User level.
Reasons for implementing MOAC
New requirements to enable a user to access one or more Operating Units per responsibility.
It helps reduce operating costs.
It provides more flexibility.



11i Scenario
A user has access to only one operating unit, based on the responsibility.
The user needs to switch responsibility to access information in a different operating unit.
The application can assume the operating unit from the profile value of MO: Operating Unit or from CLIENT_INFO.
Supports multiple organizations of the enterprise in the same database.
R12 Scenario
With MOAC, a responsibility has access to one or more operating units.
Access to more than one operating unit is available through MO: Security
Profile



Earlier Representation

[Diagram: United States, Canada and Argentina each have their own Legal Entity, Operating Unit (USA, Canadian, Argentinean) and Responsibility.]



Current Representation

[Diagram: United States, Canada and Argentina each have their own Ledger and Operating Unit (USA, Canadian, Argentinean); a single Responsibility box is shown.]


MOAC: Benefits
Improve efficiency
Easily access data from different operating units
Improve Shared Services operations
Provide more information for decision making
Global consolidated view of data across operating units
Reduce Costs
Cut down processing time


MOAC: Setup

SETUP
Define security profile & assign operating units
Run Security List Maintenance
Assign security profile to responsibility or user

PROCESS
Login into a responsibility
Open Application
Application checks access privilege
Enter data for operating units

[Diagram legend: Automated process]


MOAC: Setup - Organization Hierarchy


MOAC: Setup - Security Profile


MOAC: Setup - Submit Request


MOAC: Setup - Profile Options


MOAC: Setup - User Preferences


MOAC: How the access control works?


Security policy: the Virtual Private Database (VPD) concept is used to dynamically attach a predicate to any SQL statement issued against a database object that has a policy attached.
Attaching a security policy to a synonym:

    -- l_apps_user is a variable holding the schema name used for both the object and the policy function
    FND_ACCESS_CONTROL_UTIL.Add_Policy(
        p_object_schema   => l_apps_user,
        p_object_name     => 'XX_XYZ',
        p_policy_name     => 'ORG_SEC',
        p_function_schema => l_apps_user,
        p_policy_function => 'MO_GLOBAL.ORG_SECURITY',
        p_statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        p_update_check    => TRUE,
        p_enable          => TRUE);



The policy predicate function MO_GLOBAL.ORG_SECURITY returns different predicates depending on the ACCESS_MODE attribute.
ACCESS_MODE: an application context attribute that indicates the number of Operating Units the user has access to. It can take the following values:
M: the user can access data of all OUs defined in the security profile.
S: the user can access data of only one OU.



Policy context/access mode set to M using
mo_global.set_policy_context('M', -1)
select * from xx_xyz will return rows for every org_id the user has access to.
Policy context/access mode set to S for org_id 82 using
mo_global.set_policy_context('S', 82)
select * from xx_xyz will return rows for org_id = 82.

It all boils down to setting the policy context to S or M before accessing any secured synonym.
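
The mechanism described above can be reproduced on a plain Oracle database with DBMS_RLS and an application context. This is an added example, not part of the original deck and not Oracle's MO_GLOBAL source; every XX_DEMO_* name, the predicate text and the sample rows are assumptions. It needs EXECUTE on DBMS_RLS and the CREATE ANY CONTEXT privilege, and is written for SQL*Plus or SQLcl.

```sql
-- Added example: stand-alone model of the mechanism, not Oracle's MO_GLOBAL code.
-- XX_DEMO_* names, predicate text and rows are constructed for illustration.
-- The session's access list holds orgs 82 and 83; org 84 is outside it.
CREATE TABLE xx_demo_all (org_id NUMBER, invoice_num VARCHAR2(20));
CREATE GLOBAL TEMPORARY TABLE xx_demo_org_access_tmp (organization_id NUMBER)
  ON COMMIT PRESERVE ROWS;
INSERT INTO xx_demo_all VALUES (82, 'INV-82');
INSERT INTO xx_demo_all VALUES (83, 'INV-83');
INSERT INTO xx_demo_all VALUES (84, 'INV-84');
INSERT INTO xx_demo_org_access_tmp VALUES (82);
INSERT INTO xx_demo_org_access_tmp VALUES (83);
COMMIT;
CREATE CONTEXT xx_demo_ctx USING xx_demo_sec;
CREATE OR REPLACE PACKAGE xx_demo_sec AS
  PROCEDURE set_policy_context(p_access_mode VARCHAR2, p_org_id NUMBER);
  FUNCTION org_security(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2;
END xx_demo_sec;
/
CREATE OR REPLACE PACKAGE BODY xx_demo_sec AS
  PROCEDURE set_policy_context(p_access_mode VARCHAR2, p_org_id NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('xx_demo_ctx', 'access_mode', p_access_mode);
    DBMS_SESSION.SET_CONTEXT('xx_demo_ctx', 'current_org_id', p_org_id);
  END set_policy_context;
  -- VPD policy function: the returned string is appended as a WHERE predicate.
  FUNCTION org_security(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2 IS
    l_mode VARCHAR2(30) := SYS_CONTEXT('xx_demo_ctx', 'access_mode');
  BEGIN
    IF l_mode = 'M' THEN       -- all orgs in the session's access list
      RETURN 'org_id IN (SELECT organization_id FROM xx_demo_org_access_tmp)';
    ELSIF l_mode = 'S' THEN    -- the single org stored in the context
      RETURN 'org_id = TO_NUMBER(SYS_CONTEXT(''xx_demo_ctx'', ''current_org_id''))';
    END IF;
    RETURN '1 = 2';            -- context never set: fail closed
  END org_security;
END xx_demo_sec;
/
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => USER, object_name => 'XX_DEMO_ALL',
    policy_name => 'XX_DEMO_ORG_SEC', function_schema => USER,
    policy_function => 'XX_DEMO_SEC.ORG_SECURITY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE);
  xx_demo_sec.set_policy_context('M', -1);
END;
/
-- Multi-org mode: the predicate limits rows to the access list.
SELECT org_id FROM xx_demo_all;
EXEC xx_demo_sec.set_policy_context('S', 82)
-- Single-org mode: the predicate limits rows to org_id 82.
SELECT org_id FROM xx_demo_all;
```

The rows are loaded before the policy is added because, with update_check enabled, an insert made while no context is set would be rejected by the policy.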


MOAC: Concurrent Programs


When defining a concurrent program, set the Operating Unit mode to single or multiple (Navigation: System Administration > Concurrent > Programs > Create/Update Program).
Single Org Concurrent Programs
Operating Unit is a mandatory field
Once Operating Unit is picked, ORG_ID is set in the context
APIs should use mo_global.get_current_org_id to obtain the value of
selected Operating Unit.
APIs should use secured synonyms, so that the access is restricted to the
eligible Operating Unit.
Multi Org Concurrent Programs
User should be able to run concurrent programs across Operating Units.
APIs should use secured synonyms, so that the access is restricted to the
eligible Operating Units.

MOAC: Reports
Single Org Reports
Single Org Reports should be flagged as SINGLE for the Operating Unit mode
in the Define Concurrent Programs form.
Access Mode will be initialized once Operating Unit is selected.
Cross Org Reports
Cross Org Reports should be flagged as MULTIPLE for the Operating Unit
mode in the Define Concurrent Programs form (under System Administration
responsibility).
Access Mode initialization will be taken care of internally.
Product teams just need to take care of setting the Operating Unit mode
correctly while defining the concurrent program.
Remember to use secured synonyms to restrict the access appropriately.


MOAC: Developer Notes


mo_glob_org_access_tmp: the temporary table that is populated with the org ids the user can access. This table is populated when the set_policy_context API is called.
Package: MO_GLOBAL
Some important APIs:
get_current_org_id: returns the current org id.
set_policy_context: sets the application context. It takes two parameters:
p_access_mode: M for multi and S for single
p_org_id: the org id must be passed if the access mode is S
get_ou_name: returns the Operating Unit name for the org id passed as parameter.
check_valid_org/check_access: check whether the user has access to the org id passed as parameter.


MOAC.sql


MOAC: Hands On

Refer to AOL Info Pack for details

