SOLUTION: Implementing Operating Unit Org Security Without EBS Integration

Hi all,
Thank you for taking the time to review this post.
Environment
Oracle BI Applications 7.9.6 (Financial & Project Analytics)
Oracle E-Business Suite 11.5.10
Question
I have implemented BI Applications and am using LDAP Authentication (OID/MSAD) to authenticate the BI Apps users. This is authenticating successfully. I also require to implement GROUP authorisation and OU_ORG security, however as I am not implementing the documented EBS integration (as per Metalink Note ID 555254.1) I am looking at a custom solution.
To achieve this I have created a custom database table in the BAW that contains the USER, GROUP and OU_ORG information. Then I have created separate Initialization Blocks for the GROUP and OU_ORG security that are being triggered after the LDAP Authentication. These SQL queries are based on returning data to a row-wise initialization Variable. I am aligning the GROUP values to the OOTB Presentation Groups and am able to get that Initialization Block to work as anticipated - the User only has the privileges to see Dashboard and Application links as I have configured in the Web Catalog.
However, they can see all data across all orgs. The OU_ORG security is returning the correct org_ids into the row-wise variable, but I appear to be missing how OBIEE utilises this for data security.
If you are able to assist with a possible solution, that would be greatly appreciated. Also, if it relates to a change at the Dashboard, Answers or RPD level, if you were able to include where specifically in these components that would also be very beneficial.
Many thanks,
Gary.

Here is another approach with ‘external database authentication’ where the EBS database provides the user information.
1. Create a table with the mapping of the EBS responsibilities and OBI Apps Groups
Ex: Create a new table “xx_resp_group_mapping” which contains the mapping between the EBS responsibility and OBI Apps groups.
Essentially, a one-time mapping of the BI apps groups needs to be done with the EBS groups so that the corresponding default access of these BI Apps groups can be passed on to the custom groups
2. Modify the authentication initialization block to validate the user against EBS
3. Modify the authorization initialization block to fetch the respective OBI Apps groups using the EBS user and the mapping table created in point 1
4. Enable the standard OU based security initialization block.
5. Add all the OBI Apps groups under the Operating Unity Security Group
6. Modify the permissions in the Operating Unity Security Group to put a filter on the Sales Org OU. Other filters on fact tables are not modified.
7. By default OBI Apps applies data level filters on fact tables. If dimension tables need explicit data level security it would need customization.
8. Any users who are not in EBS but need exclusive access only to BI Apps data can be granted exclusive access by adding those users directly in the OBI repository. They would directly be validated against the OBI server.
However, this approach is not suitable if the number of users are high in numbers.

Similar Messages

  • OBIEE EBS R12 Operating Unit security

    Hi all,
    Previously I have integrated OBIEE 10.1.3.4.1 with EBS 11.5.10 and I have created 3 initialization blocks EBS Single Sign on Integration, Get EBS Security Context, Group EBS responsibility and 2 static repository variables ORA_EBS_OLTP_DSN,ORA_EBS_OLTP_USER and finally configured the connection pools from repository side. I have set the execute on connect query to call the 'app_initialize' function from EBS.
    Now I am trying to set up the integration with EBS R12 and have Operating Unit based security. For this I have created an additional initialization block to populate the OU_ORG variable. Is this additional block enough to set the Operating unit security in R12. As I am being able to login from EBS R12 into answers, but the session doesn't seem to get initialized and the data in the reports doesn't show up. I have follwoed the metalink document to set the integration for EBS 11.5.10. Is it the same for R12 or any other steps have to be done?
    Thx!
    RK

    R12 is different in terms of org security.
    You need to call mo_global.init('S') or similar.
    Regards,
    Gareth
    Blog: http://garethroberts.blogspot.com
    Web: http://www.virtuate.com

  • MO Operating Unit Query

    Hi Experts
    I am working on Oracle EBS R12 .
    I have a query regarding Multi org valueset for assigning the report parameter.
    My Case is
    MO Operating Unit ORG ID bydefault set in SITE Level
    *If ORG ID assign in responsibility level then my report parameter LOV shows that org id which is assigned in responsibility level otherwise MO Security Operating Unit ORG ID shows which could be multiple"
    how can i cater this scenerio in my report to show parameter according to this scenerio
    Please Help

    Did you ever figure this out? I'm encountering the same issue.
    Thanks.

  • When trying to setup a new Operating Unit gives an error: FRM-40735: PRE-FORM trigger raised unhandled exception ORA-06502

    EBS - Payables - Version 12.1.3.
    We Have many others Operating Units configured and no errors occurs.
    This error occurs only if we set a new OU.
    All profiles have been configured properly. (MO: Operating Unit, HR: Security Profile, etc..)
    The trace shows:
    SELECT PROFILE_OPTION_VALUE
      FROM FND_PROFILE_OPTION_VALUES
    WHERE PROFILE_OPTION_ID = 5852                           
       AND APPLICATION_ID = 178
       AND LEVEL_ID = 10003
       AND LEVEL_VALUE = 124280
       AND LEVEL_VALUE_APPLICATION_ID = 200        
       AND PROFILE_OPTION_VALUE IS NOT NULL
    The PROFILE_OPTION_ID = 5852   is  "ICX:Session Timeout".
    If I set this profile the error does not occur. But its is very strange to have to configure it for a responsibility level.

    Hi All.
    I discovered what the problem was.
    The size of the name of the responsibility was with many characters.
    Reduced the size and the error stopped occur.
    Tks!

  • Operating Unit is not showing

    Hello Team,
    I have in processing of defining a new inventory organization. While selecting the accounting options, I am not able to find my operating unit in LOV.
    Am I missing any pre-requisite ?
    Application Release:-12.1.3
    Thanks for your help !!
    Cheers
    Abhi

    Abhishek,
    You will get the values in operating unit field of Accountign information/ inv org definition only when there is a operating unit classification already defined that is assinged to same primary ledger which you are trying to use for your inventory org.
    in your case, it looks like operating unit org classifcation that is using the same primary ledger that your are trying to asisign to your new inv org is not already defined. hence you are not gettign values in the LOV.
    You can try defining this Operating unit classification with the same primary ledger first and then go ahead with inv org definition. you should be able to get the vlaues.
    hope this helps,
    Prabhu Chepuri

  • Configuring Legal Entity as Operating Unit without creating new OU

    Hi,
    I have read the doucment "120funmo.pdf" on page 25/60. Eastern operations can be created as Legal entity and identify as Operating Unit and Inventory organization without creating any new OU and INV. ORG.
    How this can be achieved?
    I have created Ledger and "Eastern Operations" as Legal Entity and trying to find a way to identify it as OU and INV. ORG.
    Thanks,
    Narendra
    Edited by: 869369 on Jun 29, 2011 11:51 PM

    Suppliers are across all Operating Units so you see the same set across Operating Units.
    Supplier Sites are partitioned by Operating Unit.
    Regards,
    Gareth

  • MO: Operating Unit Non Usable Operating Unit for Multi-Org Conversion

    Hello Hussein
    I enabled multi org in 11i and mo Operating unit values set as Non Usable Operating Unit for Multi-Org Conversion, is ok to set is value or will that cause any responsibility.
    In R12.1.3 I am getting an error like this
    APP-FND-02902: Multi-Org profile option is required. Please set either MO: Security Profile or MO: Operating Unit profile option.
    Please advice
    Thanks
    Prince

    user12094010 wrote:
    Hello Hussein
    I enabled multi org in 11i and mo Operating unit values set as Non Usable Operating Unit for Multi-Org Conversion, is ok to set is value or will that cause any responsibility.This might cause issues.
    ORA-20001: APP-FND-2902: Multi-Org Profile Option is Required [ID 399910.1]
    How To Prevent the Profile Option MO: Operating Unit being set to NULL at Site Level? [ID 393560.1]
    In R12.1.3 I am getting an error like this
    APP-FND-02902: Multi-Org profile option is required. Please set either MO: Security Profile or MO: Operating Unit profile option.
    Please adviceR12 - Error ORA-20001, APP-FND-02902 Accessing Profile Classes Form With Multi-Org Access Control (MOAC) Enabled [ID 602141.1]
    Unable To Open Customer Account Details, Error :ORA-20001: APP-FND-02902: Multi-Org profile option is required [ID 987165.1]
    Entering to Profile Classes Gets Ora-20001, App-Fnd-02902. Multi Org Profile Option Is Required [ID 465132.1]
    Error 'ORA-20001: APP-FND-02902: Multi-Org Profile Option Is Required' When Open Account Details [ID 1406860.1]
    Some Web Pages Fail To Load After Patch Application [ID 1281328.1]
    You may also search MOS website for APP-FND-02902 and go through the docs.
    Thanks,
    Hussein

  • Setting 'MO: Security Profile or MO: Operating Unit profile option' - Urgen

    All,
    Version: 12.0.4
    Module: Purchasing
    I'm trying to invoke the PO_CHANGE_API1_S.record_acceptance to send the Advance shipment Notice doc to Oracle R12. On invocation I'm getting the following error
    ORA-20001: APP-FND-02902: Multi-Org profile option is required+
    set either MO: Security Profile or MO: Operating Unit profile option+
    1. How do I set this profile option?
    2. Is it required to set both security and OU profile option?
    3. At what level(site,appln,resp,user,ou,...) should I set the profile?
    Please help me.
    Thanks,
    Sen

    Hi,
    You can set those profile options from System Administrator responsibility > Profile > System.
    Please see these docs for details.
    Note: 602141.1 - R12 - Error ORA-20001, APP-FND-02902 Accessing Profile Classes Form With Multi-Org Access Control (MOAC) Enabled
    Note: 338332.1 - App-Fnd:02902: Multi-Org Profile Option Is Required. Ora-20001
    Note: 393560.1 - How To Prevent the Profile Option MO: Operating Unit being set to NULL at Site Level?
    Regards,
    Hussein

  • Is operating unit mandatory for creating an inventory org?

    hi folks,
    on the Define Organization form within Inventory > Setup > Organizations, when we start creating an organization and designate it to be of classification Inventory, on the subsequent Accounting Information form, is it imperative to provide an Operating Unit value?
    the field itself is not required, but since time immemorial, i have always seen it being populated. now, i am being asked a question as to whether this is required, more so since the form field does not force you to fill it.
    what are the benefits and / or shortcomings of either associating or not associating an Operating Unit to an Inventory Organization?
    thanks and regards.

    Hi PS,
    In that case why Oracle has not made that field(Operating Unit) as Mandatory as this is the only way that identifies to which OU that Inv org is attached.
    Thanks,
    Raja

  • Same Org as Business Group and Operating Unit cannot be migrated via isetup

    Hi,
    I have tried to migrate the setup of an organization which is classified as both Business group and Operating unit.
    When it comes to Operating unit API, it errors out with the following Warning message.
    I request the iSetup Team to clarify whether there is any restriction in iSetup that the same org as BG and OU cannot be transferred.
    If yes, then how to migrate the same...
    The above situation happens for the org classified as OU and IO. In this case the INV org API give the warning message.
    Regards,
    Senthil
    Name: HR_OperatingUnit
    Type: BC4J
    Path: oracle.apps.per.isetup.schema.server.OperatingUnitAM
    Time Taken(seconds): 1.0
    Importing rows from xml file, and validating rows ......
    Message not found. Application: AZ, Message Name: AZW_FWK_USER_ROW_EXCEPTION. Tokens: VONAME = Operating Unit; KEY = Name = 'POC Business Group'
    Group Name = 'POC Business Group'
    ; EXCEPTION = The organization 'POC Business Group' is a business group, please use the business group API to handle it
    Transaction rolled back
    Processed API:HR_OperatingUnit
    Generating Deployment Report...
    Generation of Deployment Report process completed.
    Status: WARNING
    ******************************************

    It is a known issue and has been fixed as a part of HRMS 12.0.7. You may apply HRMS 12.0.7 or request for back-port on top specific version.

  • How to secure data by operating unit in oracle payments

    Hello
    We are in the process of setting up to make payments from one single bank account across all operating units to avoid maintenance and number of templates.
    As part of our process we submit the payment process request across all operating units and once the status changes to Invoices pending review, we will inform the business heads to check the invoices and we have given them the access to remove the invocies from the payment run, business leads check the invoices and remove some of them based on the cash flow. At the moment the business leads are able to see the payment information for all the operating units however we want them to see only the information specific to that operating unit. I tried MO and HR security profile options but no luck hence requesting you to share your inputs on the same.
    Thanks in advance
    Regards
    Dilip

    Hello Apps Guru's
    Please let me know your inputs on this. Your help is highly appreciated
    We are in R12.1.2
    Thanks
    Dilip

  • Relation between item master org and operating Unit

    How single item master org can relate to multiple operating Unit so that items defined at Master Org level can be accessed in other operating units ?

    Hi,
    Item will be accessed in inventory organizations which you assigned the item to.
    To access items from particular Operating Unit in Purchasing module
    define Operating Unit Organization as a Inventory Organization as well.
    Then choose this Organization as a Inventory Organization in Purchasing : Setup>Organizations>Financial Options.
    In Order Management you choose an Operating Unit which items can be accessed.
    Each item assign to Item Master Organization and to Operating Unit Organization and to required Inventory Organizations.
    This works in 11i. I dont know how it is in R12.
    regards,
    Marcin

  • Data Security for single operating unit

    Hi,
    We have only one OU implemented and have two businesses X and Y. Now, Y deals with patient healthcare information so they are subject to HIPAA regulations, but X is not. A business requirement was defined that X users should not have access to Y customer data, but currently the only way we were aware of separating data within Oracle is through operating units. Multiple operating units is not an option so we need some soluion around it.
    All pointers are appreciated.
    Thanks,
    Rahul

    Hello Justin..
    Sorry for the late response...We'll have the data,say for customers, in our database all with the same OU. But at the same time, we need to segregate the data so that X business can't see Y's customers and vice versa. I know this is possible through the OLS but wanted to weigh different and easy to implement options, as we already have a huge set of data that we need to segregate based on business.
    Thanks,
    Rahul

  • Can Two Operating unit share one Inventory Org in Oracle 11i?

    Can Two Operating units share one Inventory Org in Oracle 11i?
    We have business scenario where we need to create multiple Operating unit but both of them uses a single Inventory Org.
    Is this possible in Oracle 11i?

    Thank You Pranit for your response.
    Can you please let me know the reason also?
    We are having only one master inventory Org.
    Thanks
    Vijesh CV

  • Can we apply Security rules at Operating unit level to Segregate the data

    Hello all,
    As per the business requirement , the customer don't want to create a separate Operating unit to segregate the data b/w Legal entity values .
    So leaving vendor restriction , we are trying to achieve security at Invoice and Payment levels.
    So in this Scenarios , as per research I tried to create a Data access Set  for few Le's values and assigned to the Payable's responsibility .
    The following profile options have been assigned :
    a) GL:DATA ACCESS SET
    b) SLA :Enable Data Access Security in subledger
    c) SLA:Additional Data Access Set
    After this expectation was :
    When I enter any invoice for this responsibility it has to restrict all those BSV values except the one in the Data Access Set .
    But it was saving that Invoice ...
    Can any one suggest anything ? If I need to additional Configurations or anything .
    Thanks,
    Deepthi.

    I thing that you need to evaluate access though the responsibility to the AP Functions, in this case if you have granted access to the invoice/invoice batchs, you can perform an invoice, related to your test case, if you was created a invoice in an invalid company (BSV), maybe your Flexfield Value Security are not setup properly.

Maybe you are looking for

  • Windows Service does not start automatically

    Hi I have a .NET 4.5 C# windows service, StartType set to automatic. It is running fine in server. Few days ago, my server has windows update, including security update for .NET framework 4.5.1. Server auto restarted.  However, my service is not star

  • IPad will not restart due to iCloud message on screen.

    Cannot login due to iCloud backup message on screen. Cannot restart due to same reason. What to do?

  • Server Error in '/' Application - 8007007e

    Hi There, Got the error below when trying to create a report document on a hosted server.  Can't figure this on out as it works fine on our development servers. Thanks. Paul O Retrieving the COM class factory for component with CLSID {11BD5260-15B6-4

  • Mac Mini Doesn't boot up unless I unplug and replug

    If I shut down my Mac Mini it will not start up again unless I unplug the machine and plug it back in. I have a hub attached, which has a light that stays on, so I know its still receiving power. Any thoughts?

  • WLC8500 WLC - HA Failure Simulation

    Hi Just running some tests on the 8500 running 7.6.120.0, one of the test was to simulate the HA box failing, by removing the layer 2 connection and shutting down the interface. The test  bed APs were on the primary box and with test clients active,