As you know, Oracle Product Information Management Data Hub is an enterprise data management solution that enables customers to centralize and master all product information from heterogeneous systems, creating a single view of product information that can be leveraged across all functional departments.

Following is a list of APIs/Web Services provided by Oracle Product Hub

There was a requirement to provide a particular BU user to access to other BU PO’s for approval. Normally such kinds of requirement always happen in today’s complex business model . To implement this requirement a best we can do it is to use of new profile option which was introduced in Oracle 11i called HR: Cross Business Group , which need to switched on (i.e. set to “Yes”) can be used .This new profile option makes it possible for Oracle Application users to view and modify certain specific areas of data across all business groups.

From 11.5.9 onward in HRMS there are two Security Models as:

• Standard HRMS Security
• Security Groups

The first one is Standard HRMS security which normally requires defining a security profile, and defining a responsibility for use by application users, whereas security groups means whereby you can reuse a responsibility and assign it to different security profiles in different business groups if required.

Typically Multi-national Companies would be benefited from security as they normally have concept of service centres using multiple business groups and security profiles.

The good and bad in new Security Group Model

The Standard Security Model on Oracle HRMS forces a responsibility to be tied to only one business group/security profile. This means that when new business groups are added a brand new set of responsibilities must be set up for the business group, even if the new set of responsibilities is identical in every respect to existing responsibilities assigned to another business group.

The new security group model can cut down dramatically on the number of responsibilities required as it allows responsibilities to be reused by many different business groups.

Here are the key points of how the new security group functionality works.

• Every time a business group is created a new security group of the same name is also created.
• Security profiles are defined the same way they are now. There is no change in this functionality.
• Form Assign Security Profile is activated under the new security model. This form allows a user to be linked to a security profile, responsibility, security group (business group) combination.
• Profile option HR: Business Group is no longer set manually for HRMS responsibilities. This profile option will be set dynamically when a user selects a responsibility/security group combination at logon.
• Profile option HR: Security Profile is no longer set manually for HRMS responsibilities. This profile option will be set dynamically when a user selects a responsibility/security group combination at logon.
• The \Security\User Define Screen in the System Administrator responsibility is no longer user to assign HRMS responsibilities to users as this is now done in the new Assign Security Profile screen.

Please note, that although it is possible in the new security group model to access many business groups through the same responsibility, because of the way users are now assigned to responsibility/security group combinations, an HRMS user can only access the data in one business group at any one time.This can be best understood in next section.

Overview of Standard Security Model versus new Security Group Model

Lets try to understand by a simple diagram below, what is here is 3 BU defined in global instance representing three BU X-Singapore, X- Australia and third one X-UK. The simple diagram below shows the difference in responsibility set-ups associated with each model.

In the standard security model when a user logs on or decides to change responsibility the list of responsibility names they have access to are presented to them to select from. In the security group model when a user logs on or decides to change responsibility the list of responsibility names and the associated security group (i.e. business group) assigned to the user are presented to the user to select from. This difference can be best described as:

3 steps away to switching to the new security model

The steps required to switch to the new security model are as follows;

• Profile option HR: Cross Business Group should be set to “Yes”.
• Profile option Enable Security Groups must be set to “Service Bureau”
• Concurrent request Enable Multiple Security Groups must be run.

Not to Forget

Once the new security model is switched on, it cannot be switched off.

Suggested Reading

• Enhancements in Oracle HRMS Security in R11.5: Note:202478.1
• How Does the Cross Business Group Profile Option Impact the Application :Note:224822.1
• Understanding and Using HRMS Security in Oracle HRMS :Note:394083.1

Other related post in Security

• Know the “Security by Book” in Fixed Asset
• Understanding Security in : Oracle Financials and Manufacturing
• MOAC : From Multi-Org….To Multi-Access

Read this

Diagnostics Made Easy : Oracle Diagnostic Tool

In earlier post we have seen how Oracle Diagnotics tool makes life easy for everyone. Lets take some intresting stuff inside the tool.

Applications Collection Tool (ACT)

The Applications Collection Tool (ACT) is a test collecting information about apps technical environment and setup of a given product. This tool is executable via Oracle Diagnostics framework under the tab ‘Advanced’. Oracle Diagnostics framework is launch able via OAM.

Many time you will get this message “No Groups have been registered for the Advance Test”? What is meant?

You get this message because there are no currently available diagnostics tools for that particular product. So you haven’t missed any step… It is correct behavior. Information of all currently available diagnostics tools you can find in the Diagnostic Tests Catalog for E-Business Suite.

Is some things Changed from Security side?

Yes,from Jan-07 Support diagnostics (IZU) patch, diagnostics have now role-based security . It means:

• Is can be assigned to the current user belongs to one of the valid applications internally defined in the test.
• The Diagnostic Test available are specific to an EBS module.
• Each Module’s test are organized into a group of related test called “test Group”
• These grouping are based on what the test scripts have in common from data security standpoint.
• By having the tests divided into groups, you are able to easily control access, these test groups have a ‘sensitivity’ assigned as:
  • Low
  • Medium
  • High
• Role Diagnostic: roles determine the set of operations that can be performed on test groups, based on the sensitivity of the test group. The sensitivity of the test group (high, medium or low) is determined by the developer of the test. The diagnostic roles and tests authorized are as follows.
  
  • Super User – User such as SYSADMIN and responsibility like CRM HTML Administration ,Has permission to execute tests, perform configuration, view reports and set up security
  • Application Super User Medium/Low Sensitivity ,All applications – Has permission to execute tests, configure results and view reports Authorized applications – Has permission to execute tests, perform configuration, view reports, and set up security
  • End User those with low Sensitivity , most of the applications has permission to execute tests and configure results.
• A particular user’s access to the diagnostic test is determined by
  • responsibly that he/she is accessing
  • what role are granted to those responsibility
• If we take a example for BOM module, you will find 5 “test group” , which is listed as:
  • items –Diagnostic test related to Items setup
  • Item Categories—Diagnostic test related to Items Category setup
  • Bills -Diagnostic test related to Bills
  • Routings -Diagnostic test related to Routing
  • ECOs — Diagnostic test related to ECOs
  • Data Collection – Diagnostic test related to data collection

When should go for Batch Processing?

This option is good when diagnostic test taking too long to execute.This option, located on the home page of the diagnostics framework, allows you to select one or more tests within one or more products for execution in batch mode. It means you can do setup for Period end Close setup in GL as well as Auto invoice setup in AR.

So, this is all about for the Oracle tools diagnostic capability. Now time for comment, question, clarification.:)

Do you know in Oracle eBusiness Suite Diagnostics is a free tool provided by Oracle to ease the gathering and analyzing of information from your eBusiness Suite specific to a existing issue or setup.

Oracle Diagnostic Tool Responsibility

The Oracle Diagnostic Tool is provided by Oracle to ease the gathering and analyzing of information from your eBusiness suite when diagnosis an existing data issue, transactional problem or setup error through a complete set up responsibility.

Oracle Support Diagnostics benefits

Problem Avoidance: Identify and solve potential issues before suffering their symptoms

Formatted Output: Conveniently display the information gathered, the finding of the analysis and appropriate action to take if necessary

Ease to use: This tool is easy to use and is designed for both the functional and technical user. Identify and solve existing issues without external assistance

Self Services Resolution: Resolving Problem without the need to contact oracle support

Reduction in resolution time: minimizing the time spent to resolve an issue by increasing support engineer as well as end user efficiency

No Technical skill required: No special SQL*Plus/operating system access required.

Testing Hub: Because of Central location of all tests, it is the hub for all Diagnostic testing.

Important Points

• The diagnostic tool does not alter the data or setup in your system i.e. no updates, inserts, or deletes happen.
• Sensitive customer information is not collected or displayed.
• The diagnostic tool are organized into one of the following groups

Read the rest of this entry »

Understanding the data access implications at all organization levels is an important factor in designing your responsibility matrix. As we know whenever a user signs in to Oracle Applications, the first thing application enforce you is to select a responsibility. That chosen responsibility allows them access to a menu of screens and a list of reports and processes they wish to run, as well as the ability to view and/or update specific data. We can define your own responsibilities.

In real time scenario , normally these kind of implementions take place:

1. Financial with HRMS (Shared Mode)
2. Financial plus manufacturing
3. Financial and HRMS(Full mode)
4. Financial and Manufacturing & HRMS(Full mode)

I haven’ consider CRM modules in discussion here as they hardly requires any Extra security rule to understand. For the sake of understanding we would categorize my discussion into Financial & manufacturing and HRMS.Lets start first with financial and manufacturing.

Depending on the Oracle module accessed, a responsibility allows the user to view and process data associated with a set of books, operating unit , or inventory organization as follows:

• GL responsibilities allow access to one financial set of books via the GL Set of Books Name profile option.

Take a note if there is only one set of books, you can set this profile option at the site level, meaning it applies to the entire database instance. Those who is still using 10.7 and want to drilldown from GL to operating unit sub ledgers ,then you need to setup GL responsibilities by operating unit and assign the MO: Operating Unit profile option to these responsibilities.The biggest enhancement in recent years is in 11, you do not need operating unit specific GL responsibilities for drilldown.

• In PO, AP, OE, AR, and other operating unit modules, setup a separate responsibility for each operating unit.

You cannot access more than one operating unit in a particular responsibility. This is achieved by setting the MO: Operating Unit profile option at the responsibility level. If there is only one operating unit, you can set this profile option at the site level.

• before multiorg , Fixed Assets data was not partitioned at all in terms of security but In 11i we can assign the profile option FA: Security Profile to responsibilities giving them access to one or more FA books.

For details do refer my old post for security in FA.

• In the Manufacturing and Inventory modules, you can restrict a responsibility to one or more inventory organizations using the Organization Access setup form.

Take a note if you do not setup any responsibilities in this form,users will access to all inventory orgs. When a user signs in to any manufacturing or Inventory responsibility, the first screen displays a list of accessible inventory organizations and the user must select one.

Generally users can run reports only within the responsibility’s organization

• Set of books
• Operating unit
• Inventory org

Beginning in 11i you can run some reports across operating units within a set of books. You control this by setting the MO: Top Reporting Level profile option to set of books, legal entity, or operating unit, typically assigning the profile option to responsibilities.

* If the MO: Top Reporting Level profile option is set to Set of Books, you can run your reports at the set of books level, legal entity, or
operating unit level.

* If the MO: Top Reporting Level profile option is set to Legal Entity, you can run your reports at the legal entity, or operating unit level.

* If the MO: Top Reporting Level profile option is set to Operating Unit, you can run your reports at the operating unit level only. You are
only allowed to view data in the operating unit assigned to your responsibility.

Users can then enter as a report parameter a Reporting Level of set of books or legal entity to report across operating units in their set of books.

Typical Reports that allow and uses the above functionality includes:

• Payable
  • Accounts Payable Trial Balance
  • Posted Invoice Register
  • Posted Payment Register
  • Unaccounted Transactions
  • Tax Audit Trail
  • Use Tax Liability
• Accounts Receivables
  • Aging 7 & 4 Bucket Reports
  • Aging Reports- Executable
  • Bills Receivable By Status Report
  • Bills Receivable Summary Report
  • Credit Hold Report
  • Customer Credit Snapshot Report
  • Tax Register
  • Tax Reconciliation
• Report Exchange (RXi)
  • RXi for GL, AP, AR: Financial Tax Register
• Various localizations and region-specific reports

What is the MO:Operating Unit profile option used for?

The MO:Operating Unit profile option must be set to the appropriate value at either the Responsibility or User level.This profile option is used to distinguish which Operating Unit will be used by the users that login into Oracle Applications.

Will continue with discussion..:)

Wide variety of reporting requirements varies from environment to environment and business to business.This Article is going to Focus on the some of reporting tools which is normally used in typical 11i environment.

Reporting Tool Functionalities

Data is totally useless until it does come in presentation layer, with proper security . Hence its is important to have such tool with great capability, and tools must have these features:

Reporting Tool overview with respect to EBS Suites

• Brio ONE
  The Brio ONE solution is specifically designed to enable everyone in the extended enterprise to fully realize the promise of e-business by delivering dynamic, reliable, easy access to real-time business information, regardless of where that information is stored or of the user’s location. The Brio ONE solution enables your organization to build and deliver business intelligence, enterprise reporting, self-service information exchange, and analytic applications to the broadest possible range of users in client/server, Web-based, and hosted application environments-all with unmatched ease of experience and scalability.
• Business Objects
  Streamlining operations, reducing costs, increasing revenues, improving customer satisfaction… These are just some of the measurable benefits that customers of Business Objects have realized directly by implementing e-business intelligence (e-BI) solutions from Business Objects.
  Whether they need to access prepared information via a wireless portal or perform sophisticated analysis on a networked PC, BusinessObjects can help you offer your employees, customers, partners, and suppliers a set of easy-to-use tools to turn information into knowledge into profit.
• NoetixViews
  NoetixViews enables super-users to develop ad hoc reports from Oracle Applications data. NoetixViews takes the information in your Oracle Applications database and repackages it in a set of user-friendly, plug-and-play business views that provide relevant information on a given business topic. With these views, users can query their data using common business terms and client/server query and reporting tools, without dealing with raw tables. With typical installations requiring less than one day of training, NoetixViews dramatically reduces specialized consulting costs and IT involvement.
• Oracle Discoverer
  Oracle Discoverer is an intuitive ad hoc reporting tool. It enables a developer or knowledgeable end user to create reports with impressive formatting and attractive exporting and publishing functionality. Oracle Discoverer empowers your user population by placing business and decision critical data at their fingertips.
• Business Intelligence System (BI)

Oracle BI tools is a set of tools to provide high level information for the managers (decision makers) to run their business. The information this tool provides helps managers to take the right decision with the daily data that is upload on their systems.

• Hyperion

Hyperion is a Business Intelligence (BI) and Business Performance Management (BPM ) Tool. Its a market leader in Financial, Operational and Strategic Planning. It is having applications for Planning, consolidation, scorecarding, reporting, dashboards, Analysis, Workspace, Master Data Management and Foundation.

• GL wand

Gl wand is a formula driven approach to reporting on Oracle General Ledger data using Microsoft productive tool like Excel.GL Wand will be used for monthly Balance Sheet reconciliations and account balance checks,i.e. Trial Balance. This tool is bit popular in UK.

For more information, adviced to look at the product company website for latest updated info.

1. Brio ONE http://www.brio.com
2. Business Objects http://www.businessobjects.com
3. NoetixViews – http://www.noetix.com
4. Information gathered from http://www.oracle.com
5. Hyperion – www.hyperion.com
6. Glwand – http://www.excel4apps.com

No, Not yet at least similar to sub ledger accounting as introduced in R12..lets hope this must be in future ..:)

Why Reporting is Must in ERP?

The more important is to understand the objective of an accounting system is to summarize transactional data into useful management reports that management can use to manage the business. Hence need for Reporting can’t be denied in any ERP accounting system. In oracle application also there are different ways to fulfill reporting requirement.

If we consider EBS as a transparent box, we can see there are number of reporting options available.The need can be changing time to time and business with cases. Typical reporting options can be best described as:

The reporting need can be classified as

• Financial Reporting
• Transactional Reporting
• Ad Hoc Reporting

These reporting does have there own limitation and uniqueness thus , on the top of technology it is important to understand when and where it is required.Broadly such reporting requirement can be categorize into:

• Oracle seeded reports
• End User Reports

Let’s take some of reporting options in Oracle application:

• XML Publisher: Since last couple of years, this become very popular reporting tool, and also learn to know that Oracle is pushing most of the reporting requirement into XML Publisher . The reason of having popular tool is because it is final outcome is integrated with office productive tool like word and excel, which fits for all kind of user without having much knowledge of technology. We can use XML Publisher to save reports to many different file types including XML, PDF, RTF, and Excel and to publish reports by printing, sending in an e-mail, or posting to web sites or portals. XML Publisher can be applied to both reports and documents.
• ADI Reports: This is one of most useful tool by the end user with the use of office productive tool like Excel. This provides support for creating and summarizing both input and output data in two-dimensional spreadsheets for further analysis.
• RXi Reports : This enable us to design the content and layout of your RXi reports. You can print the same report using different layouts, and you can control the data items included in your report. RXi lets you tailor your reports to meet statutory and other reporting requirements, and to create reports for your own internal use.
• SQL Extracts: This can used for adhoc basis. Your staff can create and run SQL extracts to obtain additional information from the database.
• Oracle Discoverer
  Oracle Discoverer is an intuitive tool for creating reports and performing on-line analysis . Users uses the EUL (End User Layer), a metadata definition can access and analyze data in a company’s database without having to understand difficult database concepts. Users can also view workbooks and integrate database output onto a web site and portal that can be easily customized to conform to a particular web site look and feel, or to build custom Discoverer applications for the web.
• Oracle Portal
  You can use Oracle Portal to create a portal Web interface, publish and manage information, access dynamic data, and customize the portal experience. You can design enterprise portals that are the single entry point to business applications, content,
  collaborative tools, and Web sites.
• FSG (Financial Statement Generator) Reports
  FSG is an inbuilt reporting tool in the General Ledger module using which a functional user can create reports from the front end. It extracts the General ledger balances of the account code combinations and displays the same as an output for the reports defined in FSG. Thus the functionality of FSG is restricted to the General Ledger module.
• Report Manager
  Report Manager is a secure point-in-time report repository offering centralized management and distribution of reports.
  Main Benefits can be summarized as:
  • Access business information from a central site using a standard browser
  • Ensure that reports are protected from unauthorized access
  • Store and distribute any type of report or file
  • Preview reports prior to mass distribution

These above are oracle inbuilt as well as oracle technology based reporting Options.The more important is that the use of above does not cost you any additional cost for licensee fee. Apart from this , there are also some third party tools can be used for reporting purpose. I have seen number of other tools used by various clients, would walk through some of them, in next post.

Couple of options are available in Oracle E Business, where you get use of mailing facility directly from Oracle E Business.

Many times there is similar kind of requirement wherein we need to send the output of a Concurrent Program as an attachment with an mail to a Distribution list, or just a notification by email. Lets explore some of the options :

Read the rest of this entry »

How does one can provide read only access to the oracle applications screens for a particular user?

We need to provide helpdesk and auditor read only access to the oracle applications screens. Is it possible to give read only access to the oracle applications screens?

Do you able to think any clue..

This is one of the question that was asked by a client finance super user while doing SAP migration to Oracle Apps.Oracle does work on responsibility level where SAP product does control at function leval.You can consider function level in the same way , that you are giving access to certain folder to another user in your network domain by write, read or both or same way chmod in Unix.

Lets take a supplier master screen, the same screen can be used for creating, maintaining as well as deleting the supplier.what would be case if you want to give access to a user not a delete any suppliers, then ???

..Custom.pll ..pretty simple approach right…,the good think is that it can be handled but bad thing is that the username needs to be hard coded
in the custom.pll.

So to avoid hard coding the userid in the custom.pll , the other approach should be consist of these steps to make a user with read only privilege:

1. Addding a new function from the System Administrator -> application > function, with the same form name as the original function and with the parameter as QUERY_ONLY=”YES”
2. Create a new menu and add the new function to it.
3. Create a new responsibility with the new menu.
4. Add the responsibility to the user who will have the read only access.

Similarly create and add the other function to the new menu with function parameter as QUERY_ONLY=”YES”

Is this good solutions,what about the change management guys..are they allow this way.. what you think..any comment .I hope DBA must have some other options.[]

Finally a note on user security

Q .Is security defined by user, user group or a combination? Can this be set by ledger/company/module or is it across the system?

In Oracle
Security is defined by user – menus are completely tailor able but can be reused so can use include/exclude functions.
In SAP
A user ID is linked to one or many user profiles which manages the authorizations within the SAP system. More than one user can be attached to a user profile. Ledger, company etc. are entities or authorization objects wherein we can specify that the user is authorized only for specified company codes.

Will you able to tell… who are in TCA? what is TCA ?? Why bank moved in TCA ? Why TCA is becoming a popular model now a days rather than architecture? Taking R12 into action we learn bank and supplier moved into this schema. So its time to recall and list who else in this:

1. Customer
2. Bank and Branch
3. Supplier
4. Student
5. Employee
6. Legal entity & intercompany

Mean a single model cater all the need…everything in one place….sound intresting…:) will take all this into action..

And this can be best represented similar to our solar system.

Will keep posted with some of case study with TCA …keep watching this space.