Understanding Security in : Oracle Financials and Manufacturing

Posted on October 28th, 2007 by Sanjit Anand | Print This Post | Email This Post

Understanding the data access implications at all organization levels is an important factor in designing your responsibility matrix. As we know whenever a user signs in to Oracle Applications, the first thing application enforce you is to select a responsibility. That chosen responsibility allows them access to a menu of screens and a list of reports and processes they wish to run, as well as the ability to view and/or update specific data. We can define your own responsibilities.

In real time scenario , normally these kind of implementions take place:

1. Financial with HRMS (Shared Mode)
2. Financial plus manufacturing
3. Financial and HRMS(Full mode)
4. Financial and Manufacturing & HRMS(Full mode)

I haven’ consider CRM modules in discussion here as they hardly requires any Extra security rule to understand. For the sake of understanding we would categorize my discussion into Financial & manufacturing and HRMS.Lets start first with financial and manufacturing.

Depending on the Oracle module accessed, a responsibility allows the user to view and process data associated with a set of books, operating unit , or inventory organization as follows:

• GL responsibilities allow access to one financial set of books via the GL Set of Books Name profile option.

Take a note if there is only one set of books, you can set this profile option at the site level, meaning it applies to the entire database instance. Those who is still using 10.7 and want to drilldown from GL to operating unit sub ledgers ,then you need to setup GL responsibilities by operating unit and assign the MO: Operating Unit profile option to these responsibilities.The biggest enhancement in recent years is in 11, you do not need operating unit specific GL responsibilities for drilldown.

• In PO, AP, OE, AR, and other operating unit modules, setup a separate responsibility for each operating unit.

You cannot access more than one operating unit in a particular responsibility. This is achieved by setting the MO: Operating Unit profile option at the responsibility level. If there is only one operating unit, you can set this profile option at the site level.

• before multiorg , Fixed Assets data was not partitioned at all in terms of security but In 11i we can assign the profile option FA: Security Profile to responsibilities giving them access to one or more FA books.

For details do refer my old post for security in FA.

• In the Manufacturing and Inventory modules, you can restrict a responsibility to one or more inventory organizations using the Organization Access setup form.

Take a note if you do not setup any responsibilities in this form,users will access to all inventory orgs. When a user signs in to any manufacturing or Inventory responsibility, the first screen displays a list of accessible inventory organizations and the user must select one.

Generally users can run reports only within the responsibility’s organization

• Set of books
• Operating unit
• Inventory org

Beginning in 11i you can run some reports across operating units within a set of books. You control this by setting the MO: Top Reporting Level profile option to set of books, legal entity, or operating unit, typically assigning the profile option to responsibilities.

* If the MO: Top Reporting Level profile option is set to Set of Books, you can run your reports at the set of books level, legal entity, or
operating unit level.

* If the MO: Top Reporting Level profile option is set to Legal Entity, you can run your reports at the legal entity, or operating unit level.

* If the MO: Top Reporting Level profile option is set to Operating Unit, you can run your reports at the operating unit level only. You are
only allowed to view data in the operating unit assigned to your responsibility.

Users can then enter as a report parameter a Reporting Level of set of books or legal entity to report across operating units in their set of books.

Typical Reports that allow and uses the above functionality includes:

• Payable
  • Accounts Payable Trial Balance
  • Posted Invoice Register
  • Posted Payment Register
  • Unaccounted Transactions
  • Tax Audit Trail
  • Use Tax Liability
• Accounts Receivables
  • Aging 7 & 4 Bucket Reports
  • Aging Reports- Executable
  • Bills Receivable By Status Report
  • Bills Receivable Summary Report
  • Credit Hold Report
  • Customer Credit Snapshot Report
  • Tax Register
  • Tax Reconciliation
• Report Exchange (RXi)
  • RXi for GL, AP, AR: Financial Tax Register
• Various localizations and region-specific reports

What is the MO:Operating Unit profile option used for?

The MO:Operating Unit profile option must be set to the appropriate value at either the Responsibility or User level.This profile option is used to distinguish which Operating Unit will be used by the users that login into Oracle Applications.

Will continue with discussion..:)