In this Document

  Abstract
  History
  Details
  Previous Releases
  Release 12
  Multi-Org Session Context
  Backwards Compatibility

APPLIES TO:

Oracle Project Foundation - Version 12.0.0 to 12.1.3 [Release 12.0 to 12.1]

Information in this document applies to any platform.

***Checked for relevance on 02-DEC-2013***

ABSTRACT

This paper will review changes in the multi-org architecture in Release 12 designed to enable the Multi-Org Access Control (MOAC) feature. It will discuss how this impacts the users ability to access data from multi-org
enabled objects via SQL*Plus or other client query tools outside of the applications.

HISTORY

Author :  Andrew Lumpe

Create Date 11-Oct-2007 

Update Date 11-Oct-2007 

Expire Date

DETAILS

In Release 12, the architecture of multi-org and the way in which data is partitioned by operating unit has changed significantly. As a result the ways in which data are stored and accessed has changed.

Previous Releases

In previous releases, data was restricted to a single operating unit using views which striped base table data based on the current operating unit setting.

  • Base tables (generally named with ‘_ALL’, e.g. MY_TABLE_ALL) contained data for all operating units.
  • Each such table contained a column named ORG_ID to indicate what operating unit a particular row belonged to.
  • Data was then restricted by using restricted views (e.g. MY_TABLE) which would only return rows which corresponded to the current operating unit’s organization ID.
  • The current operating unit was stored in the first 10 characters of the database Application Context variable CLIENT_INFO.
  • When logging into the applications, the CLIENT_INFO value was set to the appropriate operating unit organization ID for the session based on the profile option setting for “MO: Operating Unit”.
  • In SQL*Plus, CLIENT_INFO could be set to point to a particular operating unit using
execute dbms_application_info.set_client_info(‘<ORG_ID>’);

Release 12

In release 12 a more flexible architecture has been put in place to support Multi-Org Access Control (MOAC). This architecture allows users to define security profiles so that users may access data for more than one operating unit within a single responsibility.



To accomplish this

  • Multi-org views have been removed, and replaced with synonyms. For example, MY_TABLE would no longer be a view defined on MY_TABLE_ALL, but rather a synonym which points to MY_TABLE_ALL
  • The data restriction is accomplished by assigning a virtual private database (VPD) policy to the synonym. This policy allows the system to dynamically generate restricting conditions when queries are run against the synonym.



For example: In release 12 in the APPS schema, PA_PROJECTS and PA_PROJECTS_ALL are both synonyms which point to the table PA.PA_PROJECTS_ALL. However, the view PA_PROJECTS_ALL is unrestricted, whereas, PA_PROJECTS will only display data for
the user’s current operating unit(s) because of the VPD policy that has been assigned to it.





Data relating to defined VPD policies is viewable in the data dictionary view DBA_POLICIES. These policies associate a function with an object, and when the object is accessed, this function can return additional restrictions on the object to restrict the data
returned. The particular policy used to implement Multi-Org in release 12 is:

  • Policy_name: ORG_SEC
  • Policy_group: SYS_DEFAULT
  • Package: MO_GLOBAL
  • Function: ORG_SECURITY

The function (MO_GLOBAL.ORG_SECURITY) is called with the following parameters:

  • obj_schema - the object schema, in this case APPS
  • obj_name – the object name (e.g., MY_TABLE)

The function then returns additional where clause conditions to restrict the data accessible from the object. The structure of this function will dynamically generate conditions which will either:

  1. Restrict the data to a single operating unit if the access mode is Single
  2. Restrict the data to multiple operating units if the access mode is Multiple
  3. Restrict the data to eliminate only seed data rows if the access mode is All
  4. Restrict the data to not return any rows if the access mode is None

The conditions returned in each case are as follows:

Single OU Access

org_id = sys_context('multi_org2','current_org_id')

Only data for the current operating unit is accessible. The value of sys_context('multi_org2','current_org_id') would have to be set to the current operating unit as described below.





Multiple OU Access

EXISTS (SELECT 1

FROM mo_glob_org_access_tmp oa

WHERE oa.organization_id = org_id)

The user will be able to access data for any org_id which has been populated into mo_glob_org_access_tmp. When a session is initialized in the applications, values will be populated into mo_glob_org_access_tmp for each of the operating units the user has access
to based on their "MO: Security Profile" setting.





All OU Access

org_id <> -3113

Seed template records, which are used to create new seed data when a new operating unit is created. are created with an org_id of –3113. So in this mode, only these template records, which do not correspond to any actual operating unit, will be filtered out. 





No OU Access

1 = 2

The condition is never satisfied. No data will be returned from the object.

Multi-Org Session Context

The database utility DBMS_SESSION.SET_CONTEXT(<namespace>, <attribute>, <value>) is used to initialize and set the Multi-Org context information for a user’s session. The utility SYS_CONTEXT(<namespace>, <attribute>)
is used to retrieve this data. The key context items are:

Namespace Attribute Value
multi_org access_mode S=Single, M=Multiple, A=All, X=None
multi_org2 current_org_id Operating unit org id, only applicable if access mode is Single


For example: The following example shows how you could set the access mode or determine the current setting:

dbms_session.set_context('multi_org','access_mode','S');



myvar := sys_context('multi_org','access_mode');

dbms_output.put_line('Access Mode: '||myvar);

However, it is generally preferable to use the following wrapper functions from MO_GLOBAL which will call the appropriate utilities to maintain the various elements of the multi-org context:



Procedure: SET_POLICY_CONTEXT(p_access_mode varchar2, p_org_id number)

This procedure will set the access mode, and when applicable the current operating unit context. 



Procedure: SET_ORG_ACCESS(p_org_id_char varchar2, p_sp_id_char varchar2, p_appl_short_name varchar2)

This procedure determines if the application specified has multi-org access control enabled, by querying FND_MO_PRODUCT_INIT for the application short name. If this is enabled, and a security profile is specified (p_sp_id_char), then all orgs the user has
access to will be populated in MO_GLOB_ORG_ACCESS_TMP. If there are more than one such org, the access method will be set to "Multiple". Otherwise if no security profile id is specified, it will use the value of p_org_id to set the current operating unit value
and set the access mode to "Single".




Procedure: INIT(p_appl_short_name varchar2)

The procedure used by the applications when starting a new session. Based on the profile options "MO: Operating Unit" (ORG_ID) and "MO: Security Profile" (XLA_MO_SECURITY_PROFILE_LEVEL), this procedure calls set_org_access to establish the multi-org context
for the session. To call this from withing SQL, the profile option context should have been initialized for the session.



Function: GET_CURRENT_ORG_ID

Returns the current operating unit setting. This should be null if the access mode is not 'S'



Function: GET_ACCESS_MODE

Returns the current access mode value.

For Example: 



1) When logging into a SQL session to set the org context as it would be for a particular user in a particular responsibility:



a) If you know the security_profile_id for that responsibility and user, you could call:

execute mo_global.set_org_access(null, <sp_id>, 'PA');

Security profiles are stored in PER_SECURITY_PROFILES, and the final parameter is the application short name of the application associated with the responsibility you would be using.

b) If you do not know the security profile or operating unit profile option settings for your user, responsibility and application, you could use code similar to the following to get this information:

declare



  l_user_id fnd_user.user_id%type;

  l_resp_id fnd_responsibility.responsibility_id%type;

  l_appl_id fnd_application.application_id%type;

  l_appl_short_name fnd_application_vl.application_short_name%type;

  l_ou_value fnd_profile_option_values.profile_option_value%type;

  l_sp_value fnd_profile_option_values.profile_option_value%type;



begin



select user_id into l_user_id

from fnd_user

where user_name = upper('&user_name');



select responsibility_id into l_resp_id

from fnd_responsibility_vl

where responsibility_name = ('&resp_name');



select application_id, application_short_name into l_appl_id, l_appl_short_name

from fnd_application_vl

where application_short_name = upper('&appl_short_name');



l_ou_value := fnd_profile.value_specific(

  'ORG_ID',l_user_id, l_resp_id, l_appl_id);

l_sp_value := fnd_profile.value_specific(

  'XLA_MO_SECURITY_PROFILE_LEVEL', l_user_id, l_resp_id, l_appl_id);



dbms_output.put_line('MO: Operating Unit: '||l_ou_value);

dbms_output.put_line('MO: Security Profile: '||l_sp_value);



if l_sp_value is null and l_ou_value is null then

  dbms_output.put_line('No operating unit or security profile information 

    found');

else

  mo_global.set_org_access(l_ou_value, l_sp_value, l_appl_short_name);

end if;



exception when others then

  dbms_output.put_line('Error: '||sqlerrm);

end;

/

2) To set the operating unit context to a single operating unit, you could simply use:

execute mo_global.set_policy_context(‘S’,<org_id>);

Backwards Compatibility

When running queries on multi-org objects in SQL, you can still use the old CLIENT_INFO settings to gather data and run queries against multi-org objects if the profile option:

MO: Set Client_Info for Debugging (FND_MO_INIT_CI_DEBUG)

is set to "Yes". 



When this profile option is set to “Yes” and the global access mode setting is null (as it would be in a SQL*Plus or other client session unless specifically set), the VPD function MO_GLOBAL.ORG_SECURITY will return the following as the additional where clause
condition for the object:

org_id = substrb(userenv('CLIENT_INFO'),1,10)

This will limit the data returned by the object to the current value set in CLIENT_INFO. This value is set as described at the beginning of this article under "Previous Releases".

SQL Queries and Multi-Org Architecture in Release 12的更多相关文章

  1. [Oracle EBS R12]SQL Queries and Multi-Org Architecture in Release 12 (Doc ID 462383.1)

    In this Document   Abstract   History   Details   Previous Releases   Release 12   Multi-Org Session ...

  2. EF: Raw SQL Queries

    Raw SQL Queries Entity Framework allows you to query using LINQ with your entity classes. However, t ...

  3. Executing Raw SQL Queries using Entity Framework

    原文 Executing Raw SQL Queries using Entity Framework While working with Entity Framework developers m ...

  4. Monitor All SQL Queries in MySQL (alias mysql profiler)

    video from youtube: http://www.youtube.com/watch?v=79NWqv3aPRI one blog post: Monitor All SQL Querie ...

  5. Error Code: 1175. You are using safe update mode and you tried to update a table without a WHERE that uses a KEY column To disable safe mode, toggle the option in Preferences -> SQL Queries and reconn

    使用MySQL执行update的时候报错:   MySQL     在使用mysql执行update的时候,如果不是用主键当where语句,会报如下错误,使用主键用于where语句中正常. 异常内容: ...

  6. EF Core 2.1 Raw SQL Queries (转自MSDN)

    Entity Framework Core allows you to drop down to raw SQL queries when working with a relational data ...

  7. 【MySQL笔记】解除输入的安全模式,Error Code: 1175. You are using safe update mode and you tried to update a table without a WHERE that uses a KEY column To disable safe mode, toggle the option in Preferences -> SQL Queries and reconnect.

    Error Code: 1175. You are using safe update mode and you tried to update a table without a WHERE tha ...

  8. Tracing SQL Queries in Real Time for MySQL Databases using WinDbg and Basic Assembler Knowledge

    https://www.codeproject.com/Articles/43305/Tracing-SQL-Queries-in-Real-Time-for-MySQL-Databas     As ...

  9. Using Load-Balancers with Oracle E-Business Suite Release 12 (Doc ID 380489.1)

      Using Load-Balancers with Oracle E-Business Suite Release 12 (Doc ID 380489.1) Modified: 12-Jun-20 ...

随机推荐

  1. BASH如何获得某个目录下的某类文件的文件名

    假设某个目录下有一堆以jpeg为后缀的文件名,我们需要在另一个目录中获得他们的文件名,并输出. 可以联合使用ls,awk,sed等命令来完成. 方法一: 使用ls列出目录下以.jpeg为结尾的文件,然 ...

  2. wincvs的“License for this product has expired”问题解决

    新入职的公司代码管理工具是CVS,使用wincvs作为客户端工具.今天发现执行login.logout.update等操作的时候总是报"License for this product ha ...

  3. Android开发学习之路--RxAndroid之操作符

      学习了RxAndroid的一些基本知识,上篇文章也试过了RxAndroid的map操作符,接着来学习更多的操作符的功能吧.   操作符就是为了解决对Observable对象的变换的问题,操作符用于 ...

  4. SpringMVC源码分析--容器初始化(五)DispatcherServlet

    上一篇博客SpringMVC源码分析--容器初始化(四)FrameworkServlet我们已经了解到了SpringMVC容器的初始化,SpringMVC对容器初始化后会进行一系列的其他属性的初始化操 ...

  5. gradle编译自定义注解(annotation)的未解决问题

    最近把一个用eclipse构建的项目,加上了Gradle脚本,用它来编译.虽然最后编译是显示BUILD SUCCESSFUL,但是在编译过程中,却打印出一大堆栈信息,似乎是在编译我自定义的注解时出现的 ...

  6. ECMAScript 6之Set和Map数据结构

    Set 基本用法 ES6提供了新的数据结构Set.它类似于数组,但是成员的值都是唯一的,没有重复的值. Set本身是一个构造函数,用来生成Set数据结构. var s = new Set(); [2, ...

  7. Android:android sdk源码中怎么没有httpclient的源码了

    欢迎关注公众号,每天推送Android技术文章,二维码如下:(可扫描) 今天想使用这个API,怎么也找不到.废了好多时间... 查阅资料才知道如下解释: 在android 6.0(API 23)中,G ...

  8. sed在行首或者行尾添加内容

    原文地址:http://www.cnblogs.com/ITEagle/archive/2013/06/20/3145546.html 用sed命令在行首或行尾添加字符的命令有以下几种: 假设处理的文 ...

  9. 谈谈Ext JS的组件——容器与布局

    概述 在页面中,比较棘手的地方就是布局.而要实现布局,就得有能维护布局的容器.可以说,在我试过和使用过的Javascript框架中,Ext JS的布局是做得最棒的一个,而这得益于它强大的容器类和丰富的 ...

  10. javascript之prototype原型属性案例

    练习: 给字符串对象添加一个toCharArray的方法,然后再添加一个reverse(翻转)的 方法 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML ...