R12:How MOAC enviornment is setup programmatically

Pre-requisites for understanding how MOAC works in R12 are (Although these are not mandatory but knowledge of these would definitely help),

1. Setting ORG context prior to R12 version
Prior to R12, if you want to set ORG context in Oracle apps on any multi org table then following need to be done,

a. Create the table
b. Create a view on the table with following condition

WHERE NVL (org_id,
NVL (TO_NUMBER (DECODE (SUBSTRB (USERENV ('CLIENT_INFO'), 1, 1),
' ', NULL,
SUBSTRB (USERENV ('CLIENT_INFO'), 1,
10)
)
),
-99
)
) =
NVL (TO_NUMBER (DECODE (SUBSTRB (USERENV ('CLIENT_INFO'), 1, 1),
' ', NULL,
SUBSTRB (USERENV ('CLIENT_INFO'), 1, 10)
)
),
-99
);

As an example, let us consider the PO_HEADERS_ALL table. This is owned by PO schema having records for every operating unit. To implement Org security, a view has been created on top of it i.e. PO_HEADERS and is being owned by APPS schema.

If you see the content of this view, you would see the view has been created by accessing the value of CLIENT_INFO session field value which is being set by respective applications like PO, AP using DBMS_APPLICATION_INFO.SET_CLIENT_INFO API.

So, if you want to give the access only for US operating unit (lets assume the ORG_ID to be 100) then you set

begin
dbms_application_info.set_client_info(100);
end;

If you query PO_HEADERS after the above statement is executed in your session then you would see all the POs only for operating unit 100. This is to secure the data as per the user access,

You can also use FND_CLIENT_INFO.SET_ORG_CONTEXT API to set the ORG context which ultimately uses the above to set the ORG context.

begin
fnd_client_info.set_org_context(100);
end;

This is how all the applications (PO, AP etc) set the CLIENT_INFO field and set the ORG_CONTEXT prior to R12.


2. RLS (Row level security)

RLS feature was introduced in Oracle since Oracle 8i. The prime feature of RLS is implementing row level security while reading / inserting / deleting the data from the Database. In brief, you can use RLS to restrict data based on user permissions / privileges.


How MOAC works in R12
In R12, Oracle applications use RLS feature to implement MOAC.

Now going back to our same example- PO_HEADERS_ALL table.
In R12 these tables are still owned by PO schema but what changed is the view now no longer exist in R12. In R12, the multi org based views have been replaced with SYNONYMS in APPS.
So, for PO_HEADERS_ALL you now would see PO_HEADERS synonym in APPS schema pointing to APPS.PO_HEADERS_ALL table.

Now if you query the following in R12 APPS DB,

SELECT * FROM DBA_POLICIES WHERE OBJECT_NAME='PO_HEADERS'

You would see the following,

As seen in the picture above, whenever you query PO_HEADERS in R12, the DB is going to apply the policy defined on this synonym which in turn would call MO_GLOBAL.ORG_SECURITY API. This API returns the predicates which would be automatically applied to the query by Oracle DB.
If you check the content of this API, you would see that it basically prepares the where condition for the ORG_ID to which user has access to, which is being read from the TEMP table MO_GLOB_ORG_ACCESS_TMP.
MO_GLOBAL.INIT API is there in "prior to R12" releases but it was not being used in the RLS and there is no policy defined on the multi-org enabled tables / views.

The temp table is populated when you set user / org context.

Prior to R12, FND_CLIENT_INFO.SET_ORG_CONTEXT is used to set the ORG context
This would set the ORG Context and then the multi org related views can be accessed which would return records only for that operating unit.


But from R12, following is used to set the org context

--Use FND_GLOBAL.APPS_INITIALIZE API to set the user environment
--Use MO_GLOBAL.INIT to populate the temp table MO_GLOB_ORG_ACCESS_TMP based on the responsibilities to which the user has access to and which would then be used by the RLS security policy.

After you set these up, if you query PO_HEADERS synonym then Oracle DB would automatically add the predicate (the list of operating units to which user has access to) to the query and would only return rows for the operating units to which user has access to.

For e.g. run the following in R12,
(Refer my earlier post on "how to setup MOAC in R12" to see the operating units that OPERATIONS user has access to)

begin

FND_GLOBAL.APPS_INITIALIZE(1318 ---user 'OPERATIONS'
,20639 ---responsibility "Payables Manager"
,200 ---Application "Oracle Payable"
);

MO_GLOBAL.INIT('SQLAP');


end;

Then query the temp table,
select * from MO_GLOB_ORG_ACCESS_TMP

Now the query returns the list of operating units to which OPERATIONS user has access to. And if you query from PO_HEADERS, you would see result from these operating units.

Summary:
A. Oracle uses RLS to implement MOAC in R12
B. All multi-org tables now have synonym in APPS
C. The synonyms now have a policy defined which can be found in DBA_POLICIES
D. To setup multi-org context in R12 from the back end programmatically,
1. Call FND_GLOBAL.APPS_INITIALIZE
2. Call MO_GLOBAL.INIT