About the new R12 feature Multi-Org Access Control (MOAC). The main benefits Oracle advertises are:
1. Enable users to access secured data in one or more Operating Units from a single responsibility.
2. End users can access/transact data within several operating units based on the Security Profile attached to a responsibility.
3. The profile 'MO: Security Profile' ensures access to multiple operating units from a single responsibility.
The reason for this change can be seen from the R12 marketing slogans: "The Global Business Release" and "R12 Enables You To Think Globally, Work Globally, Manage Systems Globally".
Some miscellaneous notes from a technical perspective:
1. In releases before R12, organization control was implemented through views. For example, AP_INVOICES was a view defined on AP_INVOICES_ALL, and such views generally restricted data access by adding a condition on ORG_ID.
Starting with R12, these views were removed and replaced by synonyms. For example, AP_INVOICES is now a synonym for AP_INVOICES_ALL.
In R12, the following SQL statement lists the tables that have this relationship:
---
select *
from dba_synonyms syn
where syn.synonym_name || '_ALL' = syn.table_name
---
2. How are organization access restrictions implemented in R12?
They are implemented with a new feature on the database security side, the virtual private database (VPD) policy: a corresponding policy is added to the synonym of each _ALL table (for example, AP_INVOICES).
At query time the database then uses the policy to generate the corresponding WHERE condition, which restricts our access to the data.
With select * from dba_policies where policy_name = 'ORG_SEC' we can find which tables have the policy added, and which function generates the WHERE condition to be appended.
The query shows, as one concrete example:
Policy_name: ORG_SEC
Policy_group: SYS_DEFAULT
Package: MO_GLOBAL
Function: ORG_SECURITY
Looking at MO_GLOBAL.MO_GLOBAL shows the exact logic that generates the restricting clause. Multiple OU Access is implemented through the GLOBAL TEMPORARY TABLE MO_GLOB_ORG_ACCESS_TMP.
See Note 462383.1 for the WHERE clause generated in each case.
3. The STATUS column of table FND_MO_PRODUCT_INIT tells whether a given application supports MOAC.
4. The User_ID, Resp_ID and Security_Profile_ID columns of table FND_MO_SP_PREFERENCES show the default organization (Default Org_ID). The associated profile is MO: Default OU.
5. Steps to define MOAC
   1. Define Operating Units (optional)
   2. Define Security Profile: enter the Operating Units for which you want access
   3. Run concurrent program "Security List Maintenance Program"
   4. Assign the security profile to the MO: Security Profile profile option for your responsibility or user
   5. Assign MO: Default Operating Unit (optional)
   6. Assign MO: Operating Unit (mandatory only for Single Org or if MO: Security Profile is not defined)
6. Basic flow of MOAC initialization in the application
   1. MO_GLOBAL.init
   2. Set_Org_Access -- MO_GLOB_ORG_ACCESS_TMP
   3. Check FND_MO_PRODUCT_INIT
   4. If MO: Security Profile, else MO: Operating Unit
   5. Set Policy Context "A", "S", "M" and org_id
Note: the Policy Context values here have the following meanings:
Restrict the data to eliminate only seed data rows if the access mode is All
Restrict the data to a single operating unit if the access mode is Single
Restrict the data to multiple operating units if the access mode is Multiple
Restrict the data to not return any rows if the access mode is None
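A simplified illustration of the mechanism in items 2 and 6, added here and not taken from Oracle's MO_GLOBAL package: a VPD policy attached to a synonym, whose function returns a different predicate for each access mode. All DEMO_* names and the predicates themselves are assumptions for the demo (including the convention that seed rows carry a negative org_id), and the schema is assumed to hold CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

```sql
-- Hypothetical demo objects; this is not Oracle's MO_GLOBAL source.
CREATE TABLE demo_invoices_all (invoice_id NUMBER, org_id NUMBER);
CREATE SYNONYM demo_invoices FOR demo_invoices_all;
CREATE GLOBAL TEMPORARY TABLE demo_org_access_tmp (organization_id NUMBER)
  ON COMMIT PRESERVE ROWS;
-- Only code inside package DEMO_MOAC can write this context;
-- DBMS_SESSION.SET_CONTEXT fails when called from anywhere else.
CREATE CONTEXT demo_moac_ctx USING demo_moac;

CREATE OR REPLACE PACKAGE demo_moac AS
  PROCEDURE set_policy_context(p_mode VARCHAR2, p_org_id NUMBER DEFAULT NULL);
  FUNCTION org_security(obj_schema VARCHAR2, obj_name VARCHAR2) RETURN VARCHAR2;
END demo_moac;
/
CREATE OR REPLACE PACKAGE BODY demo_moac AS
  PROCEDURE set_policy_context(p_mode VARCHAR2, p_org_id NUMBER DEFAULT NULL) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('demo_moac_ctx', 'access_mode', p_mode);
    DBMS_SESSION.SET_CONTEXT('demo_moac_ctx', 'current_org_id', TO_CHAR(p_org_id));
  END set_policy_context;

  -- The database calls this for statements on the protected object
  -- and appends the returned text to them as a WHERE predicate.
  FUNCTION org_security(obj_schema VARCHAR2, obj_name VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    CASE SYS_CONTEXT('demo_moac_ctx', 'access_mode')
      WHEN 'S' THEN  -- Single: one operating unit
        RETURN 'org_id = TO_NUMBER(SYS_CONTEXT(''demo_moac_ctx'', ''current_org_id''))';
      WHEN 'M' THEN  -- Multiple: units listed in the session's temporary table
        RETURN 'EXISTS (SELECT 1 FROM demo_org_access_tmp oa WHERE oa.organization_id = org_id)';
      WHEN 'A' THEN  -- All: drop seed rows only (demo convention: negative org_id)
        RETURN 'org_id >= 0';
      ELSE           -- None, or context never initialized: fail closed
        RETURN '1 = 2';
    END CASE;
  END org_security;
END demo_moac;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'DEMO_INVOICES',          -- the synonym, not the _ALL table
    policy_name     => 'DEMO_ORG_SEC',
    function_schema => USER,
    policy_function => 'DEMO_MOAC.ORG_SECURITY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);                    -- also reject writes outside the predicate
END;
/
```

Because the policy is attached to the synonym, a query against demo_invoices_all directly is not filtered, so grants on the base table deserve separate review.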
Reference:
Doc ID 462383.1: SQL Queries and Multi-Org Architecture in Release 12