Implementing Data Security For Financials in Fusion SaaS R12
Data security on the database tables is controlled through Fine Grained Access Control. Synonyms are
created and Row Level Security is applied to these synonyms based upon the roles assigned to the user.
For example, a synonym AP_INVOICES will be created for table AP_INVOICES_ALL. Row Level Security
will then be applied to AP_INVOICES using the MO_GLOBAL procedures.
A predicate restricting the rows to only the Business Units authorized for the user’s roles is then
applied each time the secured synonym is referenced by a SQL statement.
The following privileges can be used to secure reports for the following products:
Product        Privilege
Payables       AP_MANAGE_PAYABLES_INVOICE_DATA
Receivables    AR_VIEW_RECEIVABLES_ACTIVITIES_DATA
Copy the following into the SQL Query section. Substitute the privilege passed to the MO_GLOBAL.Init
procedure for the one required by your report. See the section Overview of MOAC in Fusion for the list
of privileges.
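DECLARE
  type refcursor is REF CURSOR;
  xdo_cursor refcursor;
BEGIN
  MO_GLOBAL.Init('AP_MANAGE_PAYABLES_INVOICE_DATA');
  -- The data set must return some data, so return the report run date
  OPEN :xdo_cursor FOR
    SELECT SYSDATE RUN_DATE
    from dual;
END;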
Note: Data sets of type Procedure Call use REF CURSORS which must return some data. Therefore, once the
MO_GLOBAL.init procedure has been executed, the cursor returns the report run date as the data for the data set.
Create an additional data set of type Standard SQL. This will contain the main report query which will
be restricted by the row level data security applied by the first data set.
For this data set, provide values for the required fields:
Enter the query to return the data that you wish displayed in your report.
Note: It is important to reference the MOAC enabled synonyms as opposed to the underlying tables. The underlying
tables will return all rows whilst the MOAC enabled synonyms will only return the rows to which the user has access.
For example, reference AP_INVOICES, which is a MOAC enabled synonym, instead of AP_INVOICES_ALL, which
will return all rows regardless of access.
Please see Appendix I for a list of the available MOAC enabled synonyms.
Examples
Please find some examples for securing AP and AR reports below.
1. Accounts Payable
DECLARE
  type refcursor is REF CURSOR;
  xdo_cursor refcursor;
BEGIN
  MO_GLOBAL.Init('AP_MANAGE_PAYABLES_INVOICE_DATA');
  OPEN :xdo_cursor FOR
    SELECT SYSDATE RUN_DATE
    from dual;
END;
Next, create the additional data set with the main report query. Here’s an example query to fetch invoice
number, invoice amount and invoice date:
SELECT invoice_num,
       invoice_amount,
       invoice_date
FROM   AP_INVOICES
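A check for the Accounts Payable data model above, as an added example that is not part of the original document: run as a temporary Standard SQL data set in the same data model, it compares row counts per Business Unit in the base table with those visible through the secured synonym. It assumes that the ORG_ID column identifies the Business Unit on both objects and that the data model's connection can read AP_INVOICES_ALL.

```sql
-- Added example (not from the original document).
-- Assumption: ORG_ID identifies the Business Unit on both objects.
-- Counts only; no invoice data is returned by this check.
SELECT b.org_id,
       b.base_rows,
       NVL(s.secured_rows, 0) AS secured_rows,
       CASE
         WHEN NVL(s.secured_rows, 0) = 0 THEN 'FILTERED'  -- BU hidden from this user
         WHEN s.secured_rows = b.base_rows THEN 'VISIBLE' -- BU fully visible
         ELSE 'PARTIAL'                                   -- unexpected: investigate
       END AS moac_status
FROM   (SELECT org_id, COUNT(*) AS base_rows
        FROM   AP_INVOICES_ALL          -- unsecured base table: all rows
        GROUP  BY org_id) b
LEFT JOIN
       (SELECT org_id, COUNT(*) AS secured_rows
        FROM   AP_INVOICES              -- MOAC enabled synonym: predicate applied
        GROUP  BY org_id) s
ON     s.org_id = b.org_id
ORDER  BY b.org_id
```

For a test user whose roles cover only some Business Units, the remaining Business Units should show FILTERED. Remove this data set once the report has been validated.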
2. Accounts Receivable
Next, create the additional data set with the main report query. Here’s an example query to fetch
transaction number, transaction date and a flag to determine completion.
SELECT trx_number,
       trx_date,
       complete_flag
FROM   RA_CUSTOMER_TRX
General Ledger
Data security for General Ledger is managed using:
You assign users to the appropriate security context, in this case data access set, for job roles using
the Manage Data Access for Users page.
The Data Access Sets assigned to a user via the Manage Data Access for Users UI are recorded in the
table FUN_USER_ROLE_DATA_ASGNMNTS.
This table can be used in BI Publisher data models to secure access to the appropriate data access
sets for each user.
Data Access Sets can secure Full Ledgers or can secure individual Balancing Segments. Restricting a
report purely by ledger could therefore have security implications, as a user may not have access
to the full ledger, only certain Balancing Segments. The code needs to ensure that only
segments to which the user has access are reported. For example:
select l.name,
       &BALANCING_SEGMENT_VALUE balancing_segment
from   gl_ledgers l,
       gl_code_combinations cc
where  l.chart_of_accounts_id = cc.chart_of_accounts_id
and    (l.ledger_id, &BALANCING_SEGMENT_VALUE) in
       (select asa.ledger_id,
               decode(a.security_segment_code,
                      'F', &BALANCING_SEGMENT_VALUE,
                      asa.segment_value)
        from   gl_access_sets a,
               gl_access_set_assignments asa
        where  a.access_set_id = :P_DAS_ID
        and    asa.access_set_id = a.access_set_id
       )
P_DAS_ID is a parameter based upon a list of values which will only return the data access sets
assigned to the user, for example:
select distinct a.name, a.access_set_id
from   gl_access_sets a,
       fusion.fun_user_role_data_asgnmnts urda
where  urda.user_guid = FND_GLOBAL.USER_GUID
and    a.access_set_id = urda.access_set_id
&BALANCING_SEGMENT_VALUE is defined as a flexfield lexical in the data model and will return
the balancing segment value:
When defining the flexfield lexical, it is necessary to supply a Structure Instance number which is the
Chart of Accounts Id. In the example above, :P_STRUCT_NUM is used which is a parameter based
upon the following List of Values:
select distinct a.chart_of_accounts_id  -- chart of accounts of the selected data access set
from   gl_access_sets a,
       fusion.fun_user_role_data_asgnmnts urda
where  urda.user_guid = FND_GLOBAL.USER_GUID
and    a.access_set_id = urda.access_set_id
and    a.access_set_id = :P_DAS_ID
Set up segment value security rules on value sets to control access to parent or detail segment
values for chart of accounts segments, also called flexfield segments. Segment value security rules
restrict data entry, online inquiry, and reporting.
Note: The return value of &FLEX_SECURE is ‘Y’ if the account is secured, or ‘N’ if it is unsecured.
Fixed Assets
In Oracle Fusion Assets, you can secure access to assets to perform transactions and view their
information by asset book. The permission must be explicitly granted to each user.
You assign users to the appropriate security context, in this case asset book, for job roles using the
Manage Data Access for Users page.
The asset books assigned to a user via the Manage Data Access for Users UI are recorded in the table
FUN_USER_ROLE_DATA_ASGNMNTS.
This table can be used in BI Publisher data models to secure access to the appropriate asset books
for each user.
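The General Ledger pattern above applied to asset books, as an added example that is not part of the original document: the main report query is limited to the books recorded for the current user in FUN_USER_ROLE_DATA_ASGNMNTS. The BOOK_ID column on that table, its join to FA_BOOK_CONTROLS.BOOK_CONTROL_ID, and the use of FA_BOOKS and FA_ADDITIONS_B are assumptions to confirm against your environment.

```sql
-- Added example (not from the original document).
-- Assumed names: urda.book_id, fa_book_controls.book_control_id,
-- fa_books, fa_additions_b.
select ad.asset_number,
       bk.book_type_code,
       bk.cost
from   fa_additions_b ad,
       fa_books bk
where  bk.asset_id = ad.asset_id
and    bk.date_ineffective is null      -- current row for the asset in the book
and    bk.book_type_code in
       -- asset books assigned to the user running the report
       (select bc.book_type_code
        from   fa_book_controls bc,
               fusion.fun_user_role_data_asgnmnts urda
        where  urda.user_guid = FND_GLOBAL.USER_GUID
        and    urda.book_id = bc.book_control_id)
order  by bk.book_type_code,
          ad.asset_number
```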