Securing Data from Finance Sub-Ledgers
Securing sensitive financial data is crucial in any ERP system. Oracle Fusion Cloud Applications utilises robust Multi-Organization Access Control (MOAC) to safeguard data access for modules like Accounts Payable (AP) and Accounts Receivable (AR). This blog post explores how MOAC enforces row-level security in these modules and ensures users access only the business units relevant to their roles.
What is MOAC?
MOAC stands for Multi-Organization Access Control. It provides fine-grained row-level security on database tables by applying predicates dynamically. This security enforces that users see only the data belonging to business units they are authorised to access.
How Does MOAC Work in AP and AR?
Oracle secures the underlying data tables through Fine-Grained Access Control (FGAC) using secured synonyms. For example, the table AP_INVOICES_ALL has a secure synonym called AP_INVOICES. This synonym has a security predicate applied via the MOAC framework that filters rows dynamically based on user roles. Similarly in Accounts Receivable, the table RA_CUSTOMER_TRX_ALL has a secure synonym called RA_CUSTOMER_TRX.
The foundation of MOAC security is the MO_GLOBAL.Init procedure, which loads the user’s organisation-specific security context into the session. When a SQL query references a secured synonym like AP_INVOICES or RA_CUSTOMER_TRX, only rows for the user’s approved organisations are returned.
Implementation Steps
Here are some highlights from Oracle Financials Cloud 23D:
01.
Procedure Call Data Set for MOAC Initialization
Create a Procedure Call Data Set in BI Publisher that executes the following PL/SQL block, replacing the privilege with the appropriate value for AP or AR:
Accounts Payable
DECLARE
type refcursor is REF CURSOR;
xdo_cursor refcursor;
BEGIN
MO_GLOBAL.Init('AP_MANAGE_PAYABLES_INVOICE_DATA');
OPEN :xdo_cursor FOR
SELECT SYSDATE RUN_DATE
FROM dual;
END;
Accounts Receivable
DECLARE
type refcursor IS REF CURSOR;
xdo_cursor refcursor;
BEGIN
MO_GLOBAL.Init('AR_VIEW_RECEIVABLES_ACTIVITIES_DATA');
OPEN :xdo_cursor FOR
SELECT SYSDATE RUN_DATE
FROM dual;
END;
02.
Main Report Query Using MOAC-Enabled Synonyms
Create a second, standard SQL Data Set that queries the MOAC secured synonyms, not the base tables.
Accounts Payable
SELECT invoice_num,
invoice_amount,
invoice_date
FROM AP_INVOICES --NOT AP_INVOICES_ALL
Accounts Receivable
SELECT trx_number,
trx_date,
complete_flag
FROM RA_CUSTOMER_TRX --NOT RA_CUSTOMER_TRX_ALL
Benefits of MOAC Security
Dynamic Row-Level Security: Data access restrictions are applied transparently at the database synonym level.
Centralized Security Management: User roles and privileges in Fusion Security frameworks control data visibility.
Seamless Reporting Security: Reports referencing MOAC synonyms automatically inherit data access controls, simplifying compliance.
No Code Changes Required for Core Tables: Developers use synonyms instead of base tables, minimizing security gaps.
Summary
By initialising user privileges with MO_GLOBAL.Init and querying MOAC secured synonyms, organisations can build secure, compliant custom reports that show only relevant business unit data to each user enhancing both security and operational efficiency.
Need some assistance?
Ready to bring clarity to customer, supplier and employee communications? With BI Publisher, we specialise in customising customer, supplier, and employee-facing documents such as invoices, purchase orders, payslips, and statements to meet your exact branding, compliance, and operational needs. From layout design to data logic enhancements, we help you deliver clear, consistent, and impactful outputs across your organization. Contact us today to discover how our expertise in BI Publisher can streamline your document processes and elevate your business communications.
