Sunday, January 20, 2008

New Grant based Security in AGIS


Managing a large number of responsibilities can become a complex, time-consuming and expensive activity. It is also very frustrating for users who have a number of roles if they have to constantly switch responsibility. This is a big issue in the 11i Global Intercompany System, where you could only have one Balancing Segment Value (BSV) per GIS responsibility. There can be a large number of BSVs, often with one person responsible for entering and approving intercompany transactions for many of them. For example, there may be a controller responsible for approving all transactions for the dozens of EMEA subsidiaries.

When we created the new Advanced Global Intercompany Product in R12, we set out to address this issue and came up with a whole new transaction security model. We use a grants-based model where a particular user can be granted access to one or more intercompany Organizations (this is the R12 term for the 11i GSI Subsidiaries).

AGIS Security


So now I have been granted access to 3 organizations, what can I do?

I can log in under a single responsibility and see transactions for all my organizations in the same screen, then approve them, update them, reject them and so on. The screen below shows a number of recipient organizations that I have access to, all in the same search results.

AGIS Inbound


If tomorrow I am assigned access to an additional Intercompany organization, then I will see that in the same screen, using the same responsibility; there is no need for me to access any different responsibility. I will see those transactions requiring my attention all together in the same UI, using the same responsibility I already use.

We use a feature called FND Grants, which was introduced (I think) in 11.5.9, to implement this security model. Without going into the nuts and bolts of it, the model allows you to store SQL statements that describe how to determine the access a user has to your objects. At runtime you call an API that returns a where clause, which is appended to your search query to restrict the data a user can access. If you're building customizations you could use FND Grants too. If there's sufficient interest I can write up a 'How to use FND Grants' post with full details; at least I can add it to my blog post to-do list!
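A minimal sketch of the mechanism described above, added here as an illustration and not Oracle's FND Grants code or API: a grant stores a SQL predicate, a lookup function returns the where clause for a user, and the search appends it. The table names, the user and the organization values are all constructed, and SQLite stands in for the database.

```python
import sqlite3

def build_db():
    """Constructed schema and data; these are hypothetical tables, not Oracle's FND tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE grants (grantee TEXT, object_name TEXT, predicate TEXT);
        CREATE TABLE org_access (user_name TEXT, org TEXT);
        CREATE TABLE ic_transactions (id INTEGER, recipient_org TEXT, amount REAL);
        INSERT INTO ic_transactions VALUES
            (1, 'UK', 100), (2, 'France', 250), (3, 'Germany', 75), (4, 'Japan', 900);
        INSERT INTO org_access VALUES ('controller1', 'UK'), ('controller1', 'France');
        -- The stored predicate is administrator-authored SQL. The user identity is a
        -- bind variable (:user), never text concatenated into the statement.
        INSERT INTO grants VALUES ('controller1', 'IC_TRX',
            'recipient_org IN (SELECT org FROM org_access WHERE user_name = :user)');
    """)
    return db

def security_predicate(db, user, object_name):
    """Return the where-clause fragment for this user and object.

    A user with no grant gets a predicate that matches nothing (default deny).
    """
    rows = db.execute(
        "SELECT predicate FROM grants WHERE grantee = ? AND object_name = ?",
        (user, object_name),
    ).fetchall()
    if not rows:
        return "1 = 0"
    return " OR ".join(f"({row[0]})" for row in rows)

def search(db, user, min_amount=0):
    """Run the caller's search with the security predicate appended to it."""
    where = security_predicate(db, user, "IC_TRX")
    # The predicate text is interpolated into the query, so the grants table
    # must be writable only by administrators; search inputs stay bound.
    sql = ("SELECT id FROM ic_transactions "
           f"WHERE amount >= :min AND ({where}) ORDER BY id")
    return [row[0] for row in db.execute(sql, {"min": min_amount, "user": user})]

if __name__ == "__main__":
    db = build_db()
    print(search(db, "controller1"))
    db.execute("INSERT INTO org_access VALUES ('controller1', 'Germany')")
    print(search(db, "controller1"))  # new organization appears in the same search
    print(search(db, "nobody"))       # no grant, no rows
```

Granting access to another organization changes only the data the stored predicate reads, so the same search under the same login returns the additional rows.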


william chang said...

Can you direct me to documentation regarding fnd grants? How it works, what kind of audit and security features are available, etc.
thanks, William

David Haimes said...

The standard Applications audit trail will be available for a user's activity. For further details of Audit Trail, see Oracle Applications System Administrator's Guide - Security.