Monday, April 6, 2009

MOAC (Multi Org Access Control) in OA Framework

Hi All,
After a long time, a small and crisp article on how you can set MOAC in your custom OAF code. With the release of R12, Oracle EBS has introduced a security feature in Apps for multi-org access. Let's have a quick introduction to what MOAC is all about:

What is MOAC ?
---------------
The Access Control feature in Release 12 allows the user to enter or query records in one or more operating units without changing application responsibility. It is the system administrator’s discretion to either implement the feature or use the same multiple organizations profile option setting available before Release 12 by using the single operating unit mode (i.e. one operating unit for a responsibility).
In Release 12, the multiple organizations context value is no longer initialized by the FND_GLOBAL.APPS_INITIALIZE routine thereby reducing unnecessary context setting and resource consumption for applications that do not use operating unit context for data security.
To use the single operating unit mode, you must set the value for the "Initialization SQL Statement – Custom profile" to "mo_global.init('S',null);". This initializes the operating unit context based on the "MO: Operating Unit" profile option; the "MO: Security Profile" profile option must not be set.
A fresh install of a Release 12 application is enabled with multiple organizations; however, the system administrator must create operating units to use multiple-organizations-sensitive application products. The user can create new operating units in the Accounting Setup Manager page in addition to HRMS's Define Organizations page.


MOAC Implementation In Apps
-----------------------------
A new or fresh installation of an Oracle Applications instance does not automatically enable multiple organizations. Typically, the system administrator defines "MO: Operating Unit" profile at Responsibility and/or User level. The "organization_id" of the "MO: Operating Unit" profile option value filters the transactional data. The CLIENT_INFO application context space stores the multiple organizations context value.
Multi-Org views use the following WHERE clause to filter application records:
'org_id = substrb(userenv(''CLIENT_INFO''),1,10)'

MOAC in terms of OAF:
----------------------
While developing extensions or custom OAF pages, it is very natural to need to query, via a VO, views and synonyms that use MOAC. It is also possible that you will call standard Oracle PL/SQL APIs, which usually need the MOAC context to be set.

Every transaction that requires multiple organizations must call the Multiple Organizations initialization in the root Application Module (AM).
Use the following declarative mechanism to initialize the multiple organizations settings for application teams to implement multiple organizations:
1. To enable multiple organizations for the root application module, go to the BC4J Application Module wizard - Properties section and specify the property as MULTIORG_ENABLED and the value as either S (single operating unit mode) or M (multiple operating unit mode).
2. Click Add, then Apply or OK.
On specifying this property, the OA Framework automatically initializes the multiple organizations context at the following appropriate program event points:
1. When reserving or activating the application module.
2. When initializing or validating the Oracle Applications user session.
You initialize the context once for each transaction and session; it is not re-initialized for every page. If your transaction retains the root AM, then the above steps are the easiest way to initialize multiple organizations.

If a transaction has multiple pages and the root AM is not retained, then you must call the method OADBTransaction.setMultiOrgAccess to initialize the multiple organizations context to help the user select an operating unit for a transaction. Here is how you can code it in the AM:
// Inside a method of the application module (AM)
OADBTransactionImpl trx = (OADBTransactionImpl)getOADBTransaction();
getOADBTransaction().setMultiOrgAccess(String.valueOf(trx.getOrgId()),String.valueOf(trx.getSecurityProfileId()),trx.getApplicationShortName());



If the operating unit the user selected must appear in the subsequent pages, then pass the curr_org_id to the page and use OADBTransaction.setMultiOrgPolicyContext method to set the operating unit context for the pages that need multiple organizations.
OADBTransactionImpl trx = (OADBTransactionImpl)getOADBTransaction();
getOADBTransaction().setMultiOrgPolicyContext("S",trx.getMultiOrgCurrentOrgId());

There is often a case where you create a custom application in Apps under $JAVA_TOP in order to keep all your customizations, let's say XXABC. When we make a new application in Apps like XXABC, we need to register the application for Multi-Org as single or multiple.
This is important if we are defining new custom responsibilities on this application and we plan to attach custom as well as seeded pages to such a responsibility. If you have this scenario, where your custom responsibility is defined on a custom application and uses seeded pages as well as custom pages, you may face an error in your multi-org enabled seeded AM pages like:
oracle.apps.fnd.framework.OAException: Application: FND, Message Name: FND_GENERIC_MESSAGE. Tokens: MESSAGE = java.sql.SQLException: ORA-20001: SQL_PLSQL_ERROR: N, ROUTINE, MO_GLOBAL.INIT, N, ERRNO, -20001, N, REASON, ORA-20001: SQL_PLSQL_ERROR: N, ROUTINE, MO_GLOBAL.SET_ORG_ACCESS, N, ERRNO, -20001, N, REASON, ORA-20001: APP-FND-02938: Multi-organization routine failed to initialize a session for the product: &PRODUCT. Please inform your support representative.
ORA-06512: at "APPS.FND_MESSAGE", line 509
ORA-06512: at "APPS.MO_GLOBAL", line 36
ORA-06512: at "APPS.MO_GLOBAL", line 757
ORA-06512: at "APPS.MO_GLOBAL", line 700
ORA-06512: at line 1


The reason for this error lies in how Oracle Apps seeded pages enable multi-org in their AMs: if you check the AM XML file, they set MULTIORG_ENABLED to Y and not to S or M. This is because in Apps you can directly register an application as multi-org enabled in the table fnd_mo_product_init by using this API:
-- To enable MO access in a custom application:
begin
FND_MO_PRODUCT_INIT_PKG.register_application('XXABC','SEED','N');
end;

Since seeded applications are already registered here, there is no problem when you run seeded pages, because MULTIORG_ENABLED=Y in the AM sets the correct multi-org access. But a custom application, or a responsibility based on a custom application, throws the error when running seeded pages, because the custom application XXABC is not registered in the table fnd_mo_product_init. Hence, in order to run both seeded pages and custom pages correctly, i.e. for the code to work with MULTIORG_ENABLED=Y (used by seeded pages) as well as MULTIORG_ENABLED=S/M (custom pages), register the custom application using the FND_MO_PRODUCT_INIT_PKG.register_application API.
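
A way to check the registration from a SQL*Plus session before and after running the API, added here as an example and not part of the original post. It assumes you are connected as APPS; XXABC is the custom application from above, and the three ids passed to fnd_global.apps_initialize are placeholders for your own custom user and responsibility.

```sql
-- Added diagnostic example: is the custom application registered for
-- multi-org access, and does MO_GLOBAL.INIT succeed for it?
set serveroutput on
declare
  l_app constant varchar2(50) := 'XXABC';  -- custom application short name
  l_cnt pls_integer;
begin
  -- 1. Look for the application in the registration table.
  select count(*)
    into l_cnt
    from fnd_mo_product_init
   where application_short_name = l_app;
  dbms_output.put_line(l_app || ' rows in fnd_mo_product_init: ' || l_cnt);

  -- 2. Establish an applications session for the custom responsibility.
  --    All three values are placeholders; substitute your own ids.
  fnd_global.apps_initialize(
    user_id      => 0,
    resp_id      => 0,
    resp_appl_id => 0);

  -- 3. Call the routine named in the error stack above and report
  --    the resulting context, or the failure.
  begin
    mo_global.init(l_app);
    dbms_output.put_line('access mode: ' || mo_global.get_access_mode);
    dbms_output.put_line('current org: ' || mo_global.get_current_org_id);
  exception
    when others then
      dbms_output.put_line('mo_global.init failed: ' || sqlerrm);
      if l_cnt = 0 then
        dbms_output.put_line(l_app || ' is not registered; run '
          || 'FND_MO_PRODUCT_INIT_PKG.register_application first.');
      end if;
  end;
end;
/
```

An access mode of S or M with a non-null current org means queries through multi-org views in this session are filtered to the operating units the responsibility is allowed to see.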