转:Oracle R12 多组织访问的控制 - MOAC(Multi-Org Access Control)

什么是MOAC

MOAC(Multi-Org Access Control)为多组织访问控制,是Oracle EBS R12的重要新功能,它可以实现在一个Responsibility下对多个Operation Unit(OU)进行操作。MOAC允许用户在不切换responsibility的情况下,在一个responsibility下处理多个OU组织的事务。

User --> Responsibilities --> Single Operation Unit Mode  /  Multiple Operation Unit Mode

一个应用场景:

某集团公司下边主要分为三个区域(北美,欧洲,亚太),亚太区你是一采购部经理,负责所有七个Operation Unit。 这种情况下,系统管理员可以创建一个security profile,这个security profile设置成可以访问这七个亚太组织,并把这个security profile赋予到你的responsibility下,这样你就能在同一个职责下访问这七个OU了,就不用不停地切换职责来访问不同OU了。

另外如果你要经常处理中国OU下的事务,那么你可以设置Profile:MO: Default Operating Unit到中国,那么业务默认的OU就是中国了。

MOAC相关的Profile

有三个主要的Profile

MO: Security Profile :provides access to multiple operating units from a single responsibility.If the MO: Security Profile is set, then the MO: Operating Unit profile will be ignored.

MO: Default Operating Unit :If you set the MO: Security Profile profile option, you can also set an operating unit as the default operating unit using the MO: Default Operating Unit profile option. This is useful when you transact in multiple operating unit but frequently transact in one operating unit.

MO:  Operating Unit :MO: Operating Unit profile option only provides access to one operating unit.

MOAC profiles rules

1) If the profile  option “MO: Security Profile” is not set, then “MO:  Operating Unit”  value is used  as the default Operating Unit even if “MO:  Default Operating Unit” profile is set to a different value. 2) If the profile option “MO: Security Profile” is set and gives access to only one Operating Unit, the default Operating Unit will return this  value even if “MO: Default Operating Unit” is set to a different  value. 3) If the profile option “MO: Security  Profile” is set and gives access to  multiple Operating Units :       -  If the profile value “MO: Default Operating Unit”  is set,  it  is validated  against the list of Operating Units in “MO: Security Profile”.          + If  the Operating Unit is included in the security profile then it is  returned as the default value.           + Else there is no defaulted Operating Unit .      -  If the Profile Option “MO: Default Operating Unit”  is not  set,  then there is zero (no)  default Operating Unit.

单组织的案例

单组织即一个Responsibility只访问一个OU,设置情况大体如下,对于职责:Manufacturing and Distribution Manager,

MO: Operating Unit=Vision Operations

MO: Security Profile=空

这样我们在使用职责:Manufacturing and Distribution Manager的时候,就只能访问到Vision Operations的数据,比如创建的PO,这个PO只能处于OU:Vision Operations下,另外所选取的供货商也只能是Vision Operations下的。

多组织的案例

首先定义一个Security Profile,路径:HRMS Super User Responsibility > Security > Define Security Profile,Business Group:Vision Corporation,‘Security Type‘选择‘Secure organizations by organization hierarchy and/or organization list‘,并且我们把在Organization Name列表中添加三个OU:Vision Operations,Vision Corporation ,Vision Services.

保存定义的Security Profile,然后在HR职责下,运行“Security List Maintenance” program,“Generate lists for”= One Named Security Profile ,Security Profile是刚刚定义的‘PTIAN_SECURITY_PROFILE‘。

Security List Maintenance的作用是让你定义的Security Profile生效,能够设置到Profile "MO: Security Profile"(The Security List Maintenance concurrent program must be run each time you add or change Security Profiles.)

System Admin职责下,Profile > System,设置MO: Security Profile为刚刚定义的‘PTIAN_SECURITY_PROFILE‘

再切回Manufacturing and Distribution Manager职责,打开PO,这个时候,你就可以不切换职责的情况,定义三个OU下的采购订单了。

MOAC的实现原理-VPD技术

MOAC的实现是通过Oracle数据库的VPD(Virtual Private Database)技术来实现的。VPD技术提供了数据库对象(表,同义词,视图)行级别访问的控制。使用VPD技术可以有效地限制用户获取数据的范围。

Secooler 的一篇文章 使用Oracle VPD(Virtual Private Database)限制用户获取数据的范围  讲VPD,里边的例子非常容易理解.

[sql] view plain copy print?

  1. --1.Create Data
  2. create table t (x number);
  3. insert into t values (1);
  4. insert into t values (2);
  5. insert into t values (10001);
  6. insert into t values (10002);
  7. commit;
  8. select * from t;
  9. output:
  10. 1
  11. 2
  12. 10001
  13. 10002
  14. --2.Create VPD FUNCTION
  15. CREATE OR REPLACE FUNCTION f_limited_query_t (s_schema IN VARCHAR2,
  16. s_object IN VARCHAR2)
  17. RETURN VARCHAR2
  18. AS
  19. BEGIN
  20. RETURN ‘X <= 10000‘;
  21. END;
  22. --3.Register VPD Policy.
  23. BEGIN
  24. DBMS_RLS.add_policy (object_schema   => ‘APPS‘,
  25. object_name     => ‘T‘,
  26. policy_name     => ‘POLICY_LIMITED_QUERY_T‘,
  27. function_schema => ‘APPS‘,
  28. policy_function => ‘F_LIMITED_QUERY_T‘);
  29. END;
  30. select * from t;
  31. output:
  32. 1
  33. 2

--1.Create Data
create table t (x number);
insert into t values (1);
insert into t values (2);
insert into t values (10001);
insert into t values (10002);
commit;
select * from t;
output:
1
2
10001
10002

--2.Create VPD FUNCTION
CREATE OR REPLACE FUNCTION f_limited_query_t (s_schema IN VARCHAR2,
                                              s_object IN VARCHAR2)
   RETURN VARCHAR2
AS
BEGIN
   RETURN ‘X <= 10000‘;
END;

--3.Register VPD Policy.
BEGIN
   DBMS_RLS.add_policy (object_schema   => ‘APPS‘,
                        object_name     => ‘T‘,
                        policy_name     => ‘POLICY_LIMITED_QUERY_T‘,
                        function_schema => ‘APPS‘,
                        policy_function => ‘F_LIMITED_QUERY_T‘);
END;

select * from t;
output:
1
2

对于上边例子,我们对表T使用了VPD技术,引入了表限制Function f_limited_query_t,这样我们通过function限制了对表的查询,查询结果只返回小于10000的数字。

如何查看我们是否对某张表使用了VPD技术

SELECT * FROM DBA_POLICIES WHERE object_name = ‘T‘;

查询结果中,其中Pakcage + Function就是我们对于表所加的限制。

那么Oracle EBS是如何使用VPD技术来实现多组织的

R12里,以PO表为例,PO_HEADERS_ALL是基础表(PO/APPS Scehma),PO_HEADERS是PO_HEADERS_ALL对应的Synonym对象(Apps Schema),我们对PO_HEADERS应用VPD技术.MO_GLOBAL-Dive into R12 Multi Org Design 有较为详细的说明,

In pre Release 12, you would have had following methodology for PO_HEADERS_ALLa. A table is created in PO Schema, named PO_HEADERS_ALLb. A synonym named PO_HEADERS_ALL is created in APPS schema, referring to PO.PO_HEADERS_ALLc. Create a view PO_HEADERS in APPS schema, as "select * from po_headers_all where org_id=client_info"But now in R12, following will happena. A table is created in PO Schema, named PO_HEADERS_ALLb. A synonym named PO_HEADERS_ALL is created in APPS schema, referring to PO.PO_HEADERS_ALLc. Another synonym named PO_HEADERS is created in APPS, referring to PO_HEADERS_ALLd. A Row Level security is applied to PO_HEADERS, using package function MO_GLOBAL.ORG_SECURITY.This can be double-checked by running SQL select * from all_policies where object_name=‘PO_HEADERS‘e. The effect of this policy is that,whenever you access PO_HEADERS, Oracle RLS will dynamically append WHERE CLAUSE similar to belowSELECT * FROM PO_HEADERS WHERE EXISTS (SELECT 1 FROM mo_glob_org_access_tmp oa WHERE oa.organization_id = org_id)

看下下边Query的输出

SELECT * FROM DBA_POLICIES WHERE object_name = ‘PO_HEADERS‘;

可以看到,我们对表PO_HEADERS加了MO_GLOBAL.ORG_SECURITY限制,MO_GLOBAL.ORG_SECURITY的作用实际上就是根据你关于MOAC Profiles的设置,然后转换为相应Where条件(组织过滤),再进行查询。

对于VPD表的查询

对于VPD表,简单的查询一般是不返回记录的,如果想查到记录,需要设置一下上下文先

--普通查询VPD表

select * from PO_HEADERS;--No Output

--Single OU Mode

BEGIN  execute mo_global.set_policy_context(‘S‘,204); --204为ORG_ID,S表示Single Org ContextEND;select * from PO_HEADERS;--会输出OU:204下边的所有PO

--Multiple OU Mode(simulate login to a specific responsibility)

a. Call fnd_global.apps_initialize(userid,resp_id,resp_appl_id);

b. call MO_GLOBAL.INIT(p_appl_short_name);This will read the MO profile option values for your responsibility/user, and will initialize the Multi Org Access.

c.select * from po_headers

MOAC API

What is the purpose of MO_GLOBAL.ORG_SECURITY?

The purpose of Row-Level-Security is to hide certain data[based on some conditions]. RLS does so by appending a where clause to the secured object.1. MO_GLOBAL.ORG_SECURITY is a function that returns a predicate for the WHERE CLAUSE2. The where clause will be appended to Table/Synonym/View for which Multi Org Row Level security is enabled

What is the purpose of MO_GLOBAL.SET_POLICY_CONTEXT ?

This procedure has two parameters    p_access_mode          Pass a value "S" in case you want your current session to work against Single ORG_ID          Pass a value of "M" in case you want your current session to work against multiple ORG_ID‘s    p_org_id          Only applicable if p_access_mode is passed value of "S"

MOAC相关的查询语句

Security Profile Definiation

[sql] view plain copy print?

  1. SELECT *
  2. FROM per_security_profiles
  3. WHERE security_profile_name = ‘PTIAN_SECURITY_PROFILE‘;

SELECT *
FROM per_security_profiles
WHERE security_profile_name = ‘PTIAN_SECURITY_PROFILE‘;

check Organization which are related to a profile

[sql] view plain copy print?

  1. select PPO.*
  2. from PER_SECURITY_PROFILES PPR,
  3. PER_SECURITY_ORGANIZATIONS PPO
  4. where PPR.security_profile_id = PPO.security_profile_id
  5. and security_profile_name like ‘%PTIAN_SECURITY_PROFILE%‘;

select PPO.*
from PER_SECURITY_PROFILES PPR,
     PER_SECURITY_ORGANIZATIONS PPO
where PPR.security_profile_id = PPO.security_profile_id
and security_profile_name like ‘%PTIAN_SECURITY_PROFILE%‘;

List Profile Option Values For All Levels

[sql] view plain copy print?

  1. set long 10000
  2. set pagesize 500
  3. set linesize 160
  4. column SHORT_NAME format a30
  5. column NAME format a40
  6. column LEVEL_SET format a15
  7. column CONTEXT format a30
  8. column VALUE format a40
  9. select p.profile_option_name SHORT_NAME,
  10. n.user_profile_option_name NAME,
  11. decode(v.level_id,
  12. 10001, ‘Site‘,
  13. 10002, ‘Application‘,
  14. 10003, ‘Responsibility‘,
  15. 10004, ‘User‘,
  16. 10005, ‘Server‘,
  17. 10006, ‘Org‘,
  18. 10007, decode(to_char(v.level_value2), ‘-1‘, ‘Responsibility‘,
  19. decode(to_char(v.level_value), ‘-1‘, ‘Server‘,
  20. ‘Server+Resp‘)),
  21. ‘UnDef‘) LEVEL_SET,
  22. decode(to_char(v.level_id),
  23. ‘10001‘, ‘‘,
  24. ‘10002‘, app.application_short_name,
  25. ‘10003‘, rsp.responsibility_key,
  26. ‘10004‘, usr.user_name,
  27. ‘10005‘, svr.node_name,
  28. ‘10006‘, org.name,
  29. ‘10007‘, decode(to_char(v.level_value2), ‘-1‘, rsp.responsibility_key,
  30. decode(to_char(v.level_value), ‘-1‘,
  31. (select node_name from fnd_nodes
  32. where node_id = v.level_value2),
  33. (select node_name from fnd_nodes
  34. where node_id = v.level_value2)||‘-‘||rsp.responsibility_key)),
  35. ‘UnDef‘) "CONTEXT",
  36. v.profile_option_value VALUE
  37. from fnd_profile_options p,
  38. fnd_profile_option_values v,
  39. fnd_profile_options_tl n,
  40. fnd_user usr,
  41. fnd_application app,
  42. fnd_responsibility rsp,
  43. fnd_nodes svr,
  44. hr_operating_units org
  45. where p.profile_option_id = v.profile_option_id (+)
  46. and p.profile_option_name = n.profile_option_name
  47. and upper(p.profile_option_name) in ( select profile_option_name
  48. from fnd_profile_options_tl
  49. where upper(user_profile_option_name)
  50. like upper(‘%MO: Security Profile%‘))
  51. and usr.user_id (+) = v.level_value
  52. and rsp.application_id (+) = v.level_value_application_id
  53. and rsp.responsibility_id (+) = v.level_value
  54. and app.application_id (+) = v.level_value
  55. and svr.node_id (+) = v.level_value
  56. and org.organization_id (+) = v.level_value
  57. order BY  short_name, user_profile_option_name, level_id, level_set;

    set long 10000
    set pagesize 500
    set linesize 160
    column SHORT_NAME format a30
    column NAME format a40
    column LEVEL_SET format a15
    column CONTEXT format a30
    column VALUE format a40
    select p.profile_option_name SHORT_NAME,
    n.user_profile_option_name NAME,
    decode(v.level_id,
    10001, ‘Site‘,
    10002, ‘Application‘,
    10003, ‘Responsibility‘,
    10004, ‘User‘,
    10005, ‘Server‘,
    10006, ‘Org‘,
    10007, decode(to_char(v.level_value2), ‘-1‘, ‘Responsibility‘,
    decode(to_char(v.level_value), ‘-1‘, ‘Server‘,
    ‘Server+Resp‘)),
    ‘UnDef‘) LEVEL_SET,
    decode(to_char(v.level_id),
    ‘10001‘, ‘‘,
    ‘10002‘, app.application_short_name,
    ‘10003‘, rsp.responsibility_key,
    ‘10004‘, usr.user_name,
    ‘10005‘, svr.node_name,
    ‘10006‘, org.name,
    ‘10007‘, decode(to_char(v.level_value2), ‘-1‘, rsp.responsibility_key,
    decode(to_char(v.level_value), ‘-1‘,
    (select node_name from fnd_nodes
    where node_id = v.level_value2),
    (select node_name from fnd_nodes
    where node_id = v.level_value2)||‘-‘||rsp.responsibility_key)),
    ‘UnDef‘) "CONTEXT",
    v.profile_option_value VALUE
    from fnd_profile_options p,
    fnd_profile_option_values v,
    fnd_profile_options_tl n,
    fnd_user usr,
    fnd_application app,
    fnd_responsibility rsp,
    fnd_nodes svr,
    hr_operating_units org
    where p.profile_option_id = v.profile_option_id (+)
    and p.profile_option_name = n.profile_option_name
    and upper(p.profile_option_name) in ( select profile_option_name
    from fnd_profile_options_tl
    where upper(user_profile_option_name)
    like upper(‘%MO: Security Profile%‘))
    and usr.user_id (+) = v.level_value
    and rsp.application_id (+) = v.level_value_application_id
    and rsp.responsibility_id (+) = v.level_value
    and app.application_id (+) = v.level_value
    and svr.node_id (+) = v.level_value
    and org.organization_id (+) = v.level_value
    order BY  short_name, user_profile_option_name, level_id, level_set;  

支持MOAC功能的Form开发步骤

这部分摘自:http://bbs.erp100.com/thread-103395-1-1.html

在R12版本中,OU的控制采取了MOAC的方式,使用户的操作得到了改善。 而如果客户化的Form能够支持MOAC的功能,需要在界面上提供当前用户可以选择的OU字段供用户选择。
功能展示如下图:

这样在Form的开发过程中需要如下的开发步骤:

1,PRE-FORM 触发器初始化MOAC配置环境

添加如下代码:

MO_GLOBAL.init(‘ONT’);

— global.mo_ou_count

— global.mo_default_org_id

— global.mo_default_ou_name

IF l_default_org_id IS NOT NULL THEN

— default org id not null

MO_GLOBAL.SET_POLICY_CONTEXT(‘S’,l_default_org_id);

ELSE

MO_GLOBAL.SET_POLICY_CONTEXT(‘M’,null);

END IF;

— default org id not null

这段代码的作用是根据预制文件的设置,初始化OU的信息,将用户可以访问的OU信息插入到mo_glob_org_access_tmp表中,

同时将默认的OU ID、OU Name和OU Count分别写到global.mo_default_org_id, global.mo_default_org_id, global.mo_default_ou_name   具体细节可以查看数据库包:mo_global
2,WHEN-CREATE-RECORD触发器中拷贝OU默认值

在此触发器中将默认的OU ID和OU Name拷贝给Form界面上对应的字段,实现创建记录的时候默认带出默认OU信息。

copy(name_in(‘global.mo_default_org_id’),’’);   copy(name_in(‘global.mo_default_ou_name’),’’);
3,创建OU的LOV

Form界面上的OU 名称字段创建一个LOV,LOV对应记录组的SQL语句如下:

SELECT hr.organization_id organization_id, hr.NAME organization_name

FROM hr_operating_units hr

WHERE mo_global.check_access(hr.organization_id) = ‘Y’

ORDER BY organization_name
其它没有特殊的步骤。

MindMap

参考:

Oracle Applications Multiple Organizations Implementation Guide

EBS R12 MOAC(Multi-Org Access Control)原理探索

MO_GLOBAL-Dive into R12 Multi Org Design

FAQ - Multiple Organizations Architechure (Multi-Org) (Doc ID 165042.1)

•Note: 420787.1 Oracle Applications Multiple Organizations Access Control for Custom Code

•Note: 462383.1 SQL Queries and Multi-Org Architecture in Release 12

•Note: 396750.1 Oracle Applications Multiple Organizations Release 12 Roadmap Document

Note 745420.1 -How To Setup And Check MO / MOAC Setup In APPS Instance At R12 Level - Precedence of MO - MOAC Profile Options Best Practices for Securing the E-Business Suite [ID 189367.1] Best Practices For Securing Oracle E-Business Suite Release 12 [ID 403537.1] Understanding and Using HRMS Security in Oracle HRMS [ID 394083.1] Security List Maintenance for All Profiles Is Excluding Employees [ID 755410.1] Effect Of Security List Maintenance Concurrent Request within the Oracle HRMS Module [ID 457629.1]

转载请注明出处:http://blog.csdn.net/pan_tian/article/details/7774715

===EOF===

时间: 2024-10-16 07:53:38

转:Oracle R12 多组织访问的控制 - MOAC(Multi-Org Access Control)的相关文章

Oracle R12 多组织访问的控制 - MOAC(Multi-Org Access Control)

Oracle R12 多组织访问的控制 - MOAC(Multi-Org Access Control) MOAC(Multi-Org Access Control)为多组织访问控制,是Oracle EBS R12的重要新功能,它可以实现在一个Responsibility下对多个Operation Unit(OU)进行操作.MOAC允许用户在不切换responsibility的情况下,在一个responsibility下处理多个OU组织的事务. 这里拿一个应用场景来说明: 某集团公司下边主要分为

Phalcon 訪问控制列表 ACL(Access Control Lists ACL)

Phalcon在权限方面通过 Phalcon\Acl 提供了一个轻量级的 ACL(訪问控制列表). Access Control Lists (ACL) 同意系统对用户的訪问权限进行控制,比方同意訪问某些资源而不同意訪问其他资源等. 这里我们建议开发人员了解一些关于ACL的技术. ACL有两部分组成即角色和资源. 资源即是ACL定义的权限所依附的对象. 角色即是ACL所字义的请求者的身份,ACL决定了角色对资源的訪问权限.同意訪问或拒绝訪问. 创建 ACL(Creating an ACL)? 这

Security Access Control Strategy &amp;&amp; Method And Technology Research - 安全访问控制策略及其方法技术研究

catalog 0. 引言 1. 访问控制策略 2. 访问控制方法.实现技术 0. 引言 访问控制是网络安全防范和客户端安全防御的主要策略,它的主要任务是保证资源不被非法使用.保证网络/客户端安全最重要的核心策略之一.访问控制包括 1. 入网访问控制 2. 网络权限控制 3. 目录级控制 4. 属性控制等多种手段 访问控制相关领域知识是CISSP的重要章节,本文将重点讨论访问控制模型.及其相关的方法和技术 0x0: 访问控制概念组成 访问控制涉及到三个基本概念 1. 主体 是一个主动的实体,它包

Oracle Applications Multiple Organizations Access Control for Custom Code

文档 ID 420787.1 White Paper Oracle Applications Multiple Organizations Access Control for Custom Code Checked for relevance on 12-JAN-2011 See Change Record This document discusses how to update the customization code that is affected by the access co

Java访问权限控制

访问权限控制   java提供了访问权限修饰词,以供类库开发人员向客户端程序员指明哪些是可用的,哪些是不可用的.访问权限控制的等级,从最大权限到最小权限依次是:public.protected.包访问权限(没有关键字).private. 包:库单元 包内有一组类,它们在单一名字空间之下被组织在了一起.如果你向导入某个标准库中的类的话,可以使用import关键字.我们之所以要导入,就是要提供一个管理名字空间的机制.所有类成员的名称都是彼此分离的.所以具有相同方法的不同类在程序运行时不会出现错误的.

数据库防火墙——实现数据库的访问行为控制、危险操作阻断、可疑行为审计

转自百度百科 数据库防火墙系统,串联部署在数据库服务器之前,解决数据库应用侧和运维侧两方面的问题,是一款基于数据库协议分析与控制技术的数据库安全防护系统.DBFirewall基于主动防御机制,实现数据库的访问行为控制.危险操作阻断.可疑行为审计. 数据库安全技术之一,数据库安全技术主要包括:数据库漏扫.数据库加密.数据库防火墙.数据脱敏.数据库安全审计系统. 数据库安全风险包括:刷库.拖库.撞库. 数据库安全攻击手段包括:SQL注入攻击. 简介 数据库防火墙技术是针对关系型数据库保护需求应运而生

浅析Java中的访问权限控制

浅析Java中的访问权限控制 今天我们来一起了解一下Java语言中的访问权限控制.在讨论访问权限控制之前,先来讨论一下为何需要访问权限控制.考虑两个场景: 场景1:工程师A编写了一个类ClassA,但是工程师A并不希望ClassA被该应用中其他所用的类都访问到,那么该如何处理? 场景2:如果工程师A编写了一个类ClassA,其中有两个方法fun1.fun2,工程师只想让fun1对外可见,也就是说,如果别的工程师来调用ClassA,只可以调用方法fun1,那么该怎么处理? 此时,访问权限控制便可以

Thinking In Java笔记(第六章 访问权限控制)

第六章 访问权限控制 简介 Java提供了访问权限修饰词,供类库开发人员向客户端程序员指明哪些是可用的,哪些是不可用的.访问权限控制的等级,从最大权限到最小权限一次为:public.protected.包(library)访问权限(没有关键词)以及private. 6.1 包(library):库单元 包内含有一组类,它们在单一的名字控件之下被组织在一起.例如,在Java的标准发布中有一个工具库,它被组织在java.util名字空间之下.java.util中有一个叫ArrayList的类,使用A

Java编程思想(六、访问权限控制)

访问控制(或隐藏具体实现)与"最初的实现并不恰当"有关.便于未来重构代码,而不必对业务层做过多的改变.因此,Java提供了访问控制修饰词,以供类库开发人员向客户端程序员指明哪些是可用的,哪些是不可用的. 访问控制的等级,从最大权限到最小权限依次为:public.protected.包访问权限(没有关键词).和private. 1.包:类库单元.包内含有一组类,它们在单一的名字空间之下被组织在了一起.比如,在Java的标准发布中有一个工具库.它被组织在java.util名字空间之下.ja