Monday, April 6, 2009

MOAC(Multi Org Access Control) in OA Framework

Hi All,
After a long time a small and crisp article of how you can set MOAC in your custom OAF code. With release of R12 Oracle EBS has introduced a security feature in apps for multi -org access. Lets have a quick introduction of what is MOAC all abaout :

What is MOAC ?
---------------
The Access Control feature in Release 12 allows the user to enter or query records in one or more operating units without changing application responsibility. It is the system administrator’s discretion to either implement the feature or use the same multiple organizations profile option setting available before Release 12 by using the single operating unit mode (i.e. one operating unit for a responsibility).
In Release 12, the multiple organizations context value is no longer initialized by the FND_GLOBAL.APPS_INITIALIZE routine thereby reducing unnecessary context setting and resource consumption for applications that do not use operating unit context for data security.
To use the single operating unit mode, you must set the value for the "Initialization SQL Statement – Custom profile" to "mo_global.init('S',null);". This initializes the operating unit context based on the "MO: Operating Unit" profile option and the "MO: Security Profile" profile option must not be set.
Fresh install of Release 12 Application is enabled with multiple organizations, however, the system administrator must create operating units to use multi organizations sensitive application products. The user can create new operating units in the Accounting Setup Manager page in addition to HRMS’s Define Organizations page.


MOAC Implementation In Apps
-----------------------------
A new or fresh installation of an Oracle Applications instance does not automatically enable multiple organizations. Typically, the system administrator defines "MO: Operating Unit" profile at Responsibility and/or User level. The "organization_id" of the "MO: Operating Unit" profile option value filters the transactional data. The CLIENT_INFO application context space stores the multiple organizations context value.
Multi-Org views use the following WHERE clause to filter application records:
'org_id = substrb(userenv(''CLIENT_INFO''),1,10)'

MOAC in terms of OAF:
----------------------
Its very natural while developing extension or developing OAF custom pages , you may require quering of views, synonyms which use MOAC via VO.Also, it is possible that you might be calling some standard Oracle PL/SQL APIs which usually need MOAC context to be set.

Every transaction that requires multiple organizations must call the Multiple Organizations initialization in the root Application Module (AM).
Use the following declarative mechanism to initialize the multiple organizations settings for application teams to implement multiple organizations:
1. To enable multiple organizations for the root application module , go to the BC4J Application Module wizard - Properties section and specify the property as MULTIORG_ENABLED and value as either S (single operating unit mode) or M (Multiple operating unit mode).
2. Click Add, then Apply or OK.
On specifying this property, the OA Framework automatically initializes the multiple organizations context at the following appropriate program event points:
1. When reserving or activating the application module.
2. When initializing or validating the Oracle Applications user session.
You initialize the context once for each transaction and session and not instantiate for every page. If your transaction retains the root AM, then the above steps are the easiest to initialize multiple organizations.

If a transaction has multiple pages and the root AM is not retained, then you must call the method OADBTransaction.setMultiOrgAccess to initialize the multiple organizations context to help the user select an operating unit for a transaction.Here is how u can code in AM
OADBTransactionImpl trx = (OADBTransactionImpl)getOADBTransaction(); getOADBTransaction().setMultiOrgAccess(String.valueOf(trx.getOrgId()),String.valueOf(trx.getSecurityProfileId()),trx.getApplicationShortName());



If the operating unit the user selected must appear in the subsequent pages, then pass the curr_org_id to the page and use OADBTransaction.setMultiOrgPolicyContext method to set the operating unit context for the pages that need multiple organizations.
OADBTransactionImpl trx = (OADBTransactionImpl)getOADBTransaction();
getOADBTransaction().setMultiOrgPolicyContext("S",trx.getMultiOrgCurrentOrgId());

There is often a case when you create a custom application in apps under $JAVA_TOP, in order to keep all your customizations, lets say XXABC.When we make a new application in Apps like XXABC, we need to register the application for Multi-Org as single or multiple.
This is important, if we are defining new custom responsibilities on this application and we are planning to have custom, as well as seeded pages attached in this responsibility.If you have this scenario, where you custom responsibility is defined on custom application and it is using seeded pages as well as custom pages, you may face a error in your multi-org enabled seeded AM pages like :
oracle.apps.fnd.framework.OAException: Application: FND, Message Name: FND_GENERIC_MESSAGE. Tokens: MESSAGE = java.sql.SQLException: ORA-20001: SQL_PLSQL_ERROR: N, ROUTINE, MO_GLOBAL.INIT, N, ERRNO, -20001, N, REASON, ORA-20001: SQL_PLSQL_ERROR: N, ROUTINE, MO_GLOBAL.SET_ORG_ACCESS, N, ERRNO, -20001, N, REASON, ORA-20001: APP-FND-02938: Multi-organization routine failed to initialize a session for the product: &PRODUCT. Please inform your support representative.
ORA-06512: at "APPS.FND_MESSAGE", line 509
ORA-06512: at "APPS.MO_GLOBAL", line 36
ORA-06512: at "APPS.MO_GLOBAL", line 757
ORA-06512: at "APPS.MO_GLOBAL", line 700
ORA-06512: at line 1


The reason for this error is Oracle Apps seeded pages which have AM with multi-org enabled,if you will check the AM xml file , they use MULTIORG_ENABLED as Y and not as S or M . This is because in Apps, you can directly register an application with multi-org enabled in table fnd_mo_product_init by using API :
-- To enable MO access in a custom application:
begin
FND_MO_PRODUCT_INIT_PKG.register_application('XXABC','SEED','N');
end;

Since, seeded applications are already registered here, its not a problem, when you run seeded pages because MULTIORG_ENABLED=Y in AM sets correct multi org access, but in case of custom application/responsibility based on custom application running seeded pages throws error, because the custom application XXABC is not registered in table fnd_mo_product_init. Hence , in order to run both seeded pages and custom pages fine i.e. code work correctly in case of MULTIORG_ENABLED=Y (used by seeded pages) or MULTIORG_ENABLED=S/M (custom pages), register the custom application using the FND_MO_PRODUCT_INIT_PKG.register_application API.

11 comments:

Anil said...

Thanks buddy. I was trying to get my query page work that was based on a VO that has multi-org enabled tables in R12 and nothing was working my way until I stumbled into your blog. All I was missing was MULTI_ORG property on AM. Appreciate you for taking time and putting this blog together. Keep up the good work and wish you all the very best.

Unknown said...

nice


Flats in Greater Noida
Property in Noida
NX ONE
Premia Corporate City
Supertech Ecovillage 2
Amrapali Verona Heights
commercial projects in noida
New Project in noida extension
Himalayan Estate

Property Paradise Infratech Pvt. Ltd. said...

nice post dear.
Nx One
Projects in Noida
Projects in Noida Extension

Unknown said...

i read yr all blog
yr blog is very nice.
Medical colleges in india
engineering colleges in noida
Management college in delhi






Unknown said...

i read yr all blog
yr blog is very nice.
Medical colleges in india
engineering colleges in noida
Management college in delhi






Unknown said...

nice post dear.
Admission in B.tech in Galgotia College

Unknown said...

The security at home is essential and must put all our security systemsSecurity on our site is very necessary to do safety systems to give us confidence and tranquility.
security consulting ct.

Rajan Bhatia said...

Can we customized the seeded pages to multi org, and if yes. Do we need to update the AM for this

Clement said...

Hi Mukul,

When using mo_global.set_org_access() in OAF, ALL data are showing up for ra_customer_trx.
Tried fnd_global.apps_initialize(), followed by mo_global.init, it works as expected in TOAD and the count from CO also is as expected. But the VO query is not returning as any data for RA_CUSTOMER_TRX. Any suggestion please.

Vivek

Mnajunath K said...

Hello Mukul,

the issue, am getting while accessing the custom page.

Mo Security profileis set at resp level, and seeded pages are opening without any issue, But Custom pages are going to error saying could not load AM, due to below reason
Application: FND, Message Name: FND_GENERIC_MESSAGE. Tokens: MESSAGE = java.sql.SQLException: ORA-20001: SQL_PLSQL_ERROR: N, ROUTINE, MO_GLOBAL.INIT, N, ERRNO, -20001, N, REASON, ORA-20001: APP-FND-02902: Multi-Org profile option is required. Please set either MO: Security Profile or MO: Operating Unit profile option. ORA-06512: at "APPS.FND_MESSAGE", line 509 ORA-06512: at "APPS.MO_GLOBAL", line 36 ORA-06512: at "APPS.MO_GLOBAL", line 757 ORA-06512: at "APPS.MO_GLOBAL", line 700 ORA-06512: at line 1

And in Custom page even I have MULTIORG_ENABLED ='M' at MA level and even I added the MO_GLOBAL.INIT('M') in Main CO.

Still it going to error out.

While loading from Local System(Jdev) I am not getting any issue. MO_GLOBAL('M') is working as expected.

So any help on this highly appreciated

Regards,
Manjunath K

Unknown said...

Thanks a Lot Mukul for this informative blog.