Monday, March 10, 2008

Multi-Org Access Control

Written by David Haimes

accesscontrol.jpgMultiple Organizations Access Control or MOAC (pronounced MOW-ACK) to use the seemingly obligatory acronym, is a powerful, yet simple to implement feature available in R12.

Implementors spend a lot of time figuring out how to configure their Legal Entities, Ledgers and Operating Units. There are a number of options some restrictions, depending on what features you want to implement and where you are. See my earlier posts on Legal Entities and Operating Units for details on that. However it is worth remembering that change is the Status Quo (No, not the band of rocking all over the world fame - it's latin, look it up) and flexibility is important, what was the optimal way to organize your transaction processing yesterday may not be right today. Many companies are creating shared service centers to centralize processing of financial transactions and a single user may process transactions on behalf of many different Operating Units(OU).

So MOAC allows you to create a security group which can contain many operating units and assign that to the User's responsibility. All the forms that process OU striped data now allow you to pick an OU to work in from a list that contains all the OU you have access to. You will also find all the OU based reports have a parameter added for OU.

The Set Up is straighforward. You can define a security profile in the HR Security Profile form, adding Operating Units to it, then you must run Security List Maintenance program before you can assign the security profile to the profile option MO: Security Profile for a responsibility.

When considering R12 this is one of the quick wins that can be achieved after upgrade and I also noticed it mentioned by the PPM team in an interview on itssafeature too which prompted me to get a post out about it.

9 comments:

Venkataramanan S said...

David, please delete the above post as it has some grammatical errors.

David has given a fantastic overview of MOAC in Release 12. Let me add some technical aspects, from the developer’s perspective.

As pointed out by David, the most important feature that MOAC provides in Release 12 is the ability to handle multiple operating units within the same responsibility. This is beneficial as users don’t have to switch responsibilities in order to change the operating unit. Often people ask me whether its possible to use the 11i single organization behavior in Release 12. Or more importantly whether its possible to use a mixture of both.

Yes, this is possible. Before telling you how to do that, let me explain how MOAC works in Release 12. MOAC is initialized when you open a Form, OA page or a Report. The first MOAC call checks if the profile “MO: Security Profile” has a value. If Yes, then the list of operations units to which access is allowed is fetched and the list of values (LOV) is populated. Then default value of the LOV is set to the operating unit specified in "MO: Default Operating Unit". This is how MOAC works in Release 12 when the value of “MO: Security Profile” is set.

When the profile “MO: Security Profile” does not have a value MOAC switches to the 11i single organization mode. As in 11i, the profile “MO: Operating Unit” is checked and the operating unit is initialized to the one defined in it.

The important point to note here is that the profile “MO: Operating Unit” is ignored when the profile “MO: Security Profile” is set. This enables us to use both both Release 12 MOAC behavior and 11i behavior simultaneously in Release 12. You can also choose to completely use one of them.

A Taylor said...

David and Venkat,

This is great functionality for Release 12. Mo: Security Profile has been around for a while as it is used for example for some subsidiary ledgers and for DBI example.

With that being the case, do you think development might create patch to rollout MOAC functionality for GL in 11.5.10?

David Haimes said...

Even if I knew the answer to that I would not be able to comment on future functionality.

However I will say, the effort involved in adding a profile option is minimal - which may explain why they are so extensively used.

Venkataramanan S said...

I can't comment on the future functionality and also don't know what is in store. However, from the technical point of view, MOAC not only requires addition of new profile option, but also requires changes to every operating unit dependent form/report/OA page.

Seetharaman said...

I have added your link to my blog roll, could you please do the same?

David said...

David,
I had emailed you before that I had some questions on intercompany, however, my question is not related to your most recent blog posting.

Working with intercompany, if a company is global and has legal entities all over the globe, do you recommend that a "corporate rate - one rate for each currency" is given to all foreign entities to use?

I'm just trying to understand how GIS would work if multiple rates were used for the same currency type - If for example, a London site was using a different pound rate than someone in the US.

How does Oracle GIS ensure that the elimination of the intercompanies between global companies is zero? There is always a difference in rates when you enter in two different currencies. Also, when the intercompany is cleared/paid the rates will change too?

thanks for your help,
dave

Seetharaman said...

David,
Does this mean one GL user can have access to muliple Ledger Sets in 12i without switching responsibilities? Please let us know.

http://realworldoracleapps.blogspot.com/

David Haimes said...

Setharaman,

GL does not have the concept of an operating unit and moac does not apply to ledgers, just operating units.

David Haimes said...

dave

For Intercompany currency you have two choices

1) Use corporate rate - these rates need to triangulate so when you consolidate they will all come to the same amount.

2) Use the local rates in each ledger/legal entity and then revaluate before you consolidate.