This action might not be possible to undo. Are you sure you want to continue?
by Paul Vella (Senior Consultant – Oakton Ltd).
The Oracle Discoverer reporting solution can now be tightly integrated into your E-Business suite application. The level of integration provided allows you to utilise the existing user and security information that already exists within your Oracle E-Business suite implementation. This includes the existing User and Responsibility information within the Oracle database. This presentation will look at the implementation of a Corporate Reporting System within the University of Melbourne based upon Oracle Discoverer. It will look at some of the decision processes and issues that were addressed during this implementation project as well as the anticipated benefits that the University expects to derive from the implementation of Discoverer. The University of Melbourne made a decision in the year 2000 to start a project to change the University's administration systems. A project was established and the need was identified for an integrated solution that would facilitate moving to an accrual accounting system while enabling the University to deploy key business applications over the Internet and improve operational effectiveness. This project was called the “University Systems Project” or USP. The project incorporated the Finance systems as well as Students, Human Resources, Payroll, and Research systems. The initial project to implement a new Finance system went live on 1st January 2003. The Finance implementation within the University has been named “Themis”.
The University has more than 30,000 students and 5,500 staff, and a very mixed environment in terms of using a variety of PCs and Macs. There are currently over one thousand users of the Finance system alone, with between 80 to 100 concurrent users logging into the system. It is anticipated that a Corporate Reporting solution would need to cater for about 25 – 40 concurrent users. This number is expected to grow once other administrative systems are also integrated into the solution. Themis Financials has replaced the former finance system - MUFAS - and went live in January 2003. During 2002, business case analyses on the most appropriate student system solution and research system solution for the University were undertaken. A business case analysis and recommendation on the suitability of implementing an Oracle HR/Payroll solution will also be completed soon. Reporting has been identified in User Group Meetings as well as executive steering group meetings as a critical success factor of the recently implemented 11i solution at the University of Melbourne. Although the Oracle E-Business suite comes with thousands of existing standard reports, and numerous Financial Statements had been developed using the FSG tool, there still existed a significant reporting requirements gap. This became increasingly evident about eight months after the implementation of the system and was identified by key users and Management Teams as a key issue arising from the implementation of the new system. There are several areas in which the existing reports do not adequately meet the University requirements. These include: • • • • • • Reports required to facilitate the reconciliation of interfaces to legacy applications, Linkage reports for purchases and payables, Consolidation reporting, Specialised taxation requirements including Goods and Services Tax (GST) and Fringe Benefits Tax (FBT), Salary Analysis Reporting, Reporting of Internal Orders and Charges,
• • • •
Key Performance Indicator (KPI) reporting, Reporting on dependant segments of the chart of accounts, Reports based on the Descriptive Flexfields established in the system, And Research Reporting.
While some of the reporting shortfall could be overcome by the implementation of the Discoverer Client Server tool for key administrative staff, which were centrally located, it became apparent that the Client Server solution could not be implemented to the wider university without significant costs and considerable maintenance issues. Specifically the following problems were identified with the Client Server Discoverer tool: • The Oracle Discoverer client software does not operate on the Apple Macintosh environment, for which there is a significant installed based within the University of Melbourne, especially within the various faculties. The client installation requires that an additional port needs to open on the network firewall to allow TCP/IP traffic directly between the database server and the Personal Computer that is running the software. This has proved to be time consuming, difficult to maintain, problematic and represents an additional security threat to the Production environment. The Oracle Discoverer client software does not operate as well across a Wide Area Network (WAN) and has significant bandwidth requirements per client, due the client server architecture of the software. The Oracle Discoverer client software itself has proved to be problematic and difficult to install and maintain. This is due in part to the variety of machines and operating systems in existence within the University. The software requires additional components and patches to be installed before it can become fully operational.
In order to alleviate these problems, a web-based Corporate Reporting solution was required, which could deliver reports swiftly and efficiently throughout the varied locations and operating environments within the University. Some of the key requirements of such a solution are; • • The ability to launch reports directly from within the Oracle Financials system, in order to minimise the amount of re-training effort required for the existing user base. Integrated security including user and responsibility information already existing within the Oracle Applications database. In addition, the existing security rules that have been defined for those responsibilities needed to be able to limit the records returned to only the records that users already had access to. i.e. limit the records returned based upon the Company and Cost Centre records that they have access to based upon the rules that have already been defined at the responsibility level. This was deemed to be a critical requirement, because of the sensitivity of information across cost centres and also to minimise the amount of additional security administration required to maintain the security. The ability to drill down from a report on GL Balances information down to the Journal lines information and further to the AP Invoices and Payments, AR Invoices and Receipts, and Purchase Order information for the originating entries.
This paper addresses the key components of implementation of the Corporate Reporting Solution that is being currently deployed throughout the University of Melbourne. It addresses the key customer issues identified, as well as the features of the solution implemented and the implementation method that has been adopted.
2 Importance of Security
2.1 Hypothetically Without Security!!!
Imagine you have just set up your Corporate Reporting System, which accesses a Data Warehouse and utilises Metadata to make the generation of reports a relatively straightforward task. Not only that, within minutes you can publish that information to the most remote corners of your organization in a matter of minutes. The new Corporate Reporting System allows your users to access corporate data in a predetermined format, whenever they want. This provides the information necessary to enable them to solve the most complicated business problems and make informed decisions. Your users no longer feel frustrated with the inability of the ITS and Administrative staff to respond quickly to your reporting requirements. Your managers are empowered with information at their fingertips and your own Manager could not be happier. This may be a good time to talk to management about that salary bonus you MUST be entitled to!!! After a while you start to realise that your users may now have access to TOO much information. You made no effort to classify, and restrict access to this newfound store of information. Your Departmental Managers are using the information, they can now access so easily, to look at other Departmental managers information and compare budgets and expenditure. This is causing concern as some Managers are asking why their budget is lower than other parts of the organization, when they consider themselves to be “Just as Important”. One clever bookkeeper looks at your Executive Manager’s travel expenses and finds some information there that he thinks would be very interesting to the local paper. Everywhere you look people are accessing information that they shouldn’t have access to and using it for political and non-productive purposes. This information may have already been available in summary format, or via query screens, but never available so readily, or with the ability to drill down, make comparisons and categorise information. You even have a look around yourself and discover that you can easily issue complex queries, which consume considerable system resources and put undue strain on the entire system, which results in a “Please Explain what you are doing” query from the DBA. What’s worse someone has worked out how to get the salary, address and contact numbers for anyone in the University and has sold that information to an international spamming agency. The new Corporate Reporting system is causing you major stress. Maybe this is NOT the time to talk to Management about your salary!!! The problem is that your implementation did not consider that security was a priority during the development of Corporate Reporting Solution. Driven by the need to implement a solution on time and within budget, you did not give security requirements any analysis at all. No consideration was made about what information could be considered sensitive or confidential and the impact that access to information would have on the organization as a whole.
A Considered Approach
Firstly you will need to identify all of the data that will be placed within the Data Warehouse or Metadata upon which you will base the Corporate Reporting Solution. This means that you will need a complete inventory of all the data that will be available. Within Discoverer there is a pre-built EUL that will report on all the business areas, folders, columns, and profiles of data residing in the End User Layer. Next you will need to classify the data in the Repository to satisfy security requirements for data confidentiality. You will need to take into account any legal requirements for confidentiality of information. Finally, information will need to be classified on the basis of criticality or sensitivity to disclosure, modification, and destruction. The sensitivity of corporate data can be classified as: • PUBLIC: For data that is less sensitive than confidential corporate data. Data in this category is usually unclassified and subject to public disclosure by laws, common business practices, or company policies. All users can access this information and it may in fact be published information to the wider community.
CONFIDENTIAL: This information is more sensitive than public data, but less sensitive than topsecret data. Data in this category is not subject to public disclosure. The principle of least privilege applies to this data classification category, and access to the data is limited to a need-to-know basis. Users can only access this information if it is needed to perform their work successfully (e.g., department information for departmental managers, personal information, medical history, etc.). TOP SECRET: For data that is more sensitive than confidential data. Data in this category is highly sensitive and mission-critical. The principle of least privilege also applies to this category -- with access requirements much more stringent than those of the confidential data. Only high-level Administrators (e.g., System Administrators) with proper security clearance can access this data (e.g., R&D, trade secrets, business strategy, etc.). Users can access only the data needed to accomplish their critical job duties.
Once information has been classified in this way, you can make informed decisions about what security mechanisms will be required in the implementation of your Reporting Systems. The information stored in the E-Business Suite for the University has been deemed to either be Confidential at the Department Level, apart from central administrative staff. Apart from the reduced risk of people using information inappropriately, an added benefit of the security of data has been the performance of reports produced by the system. Eliminating the records that people do not have access to when reporting has provided a dramatic improvement in performance for many reports that will be generated by the majority of users within the University.
3 Security Integration with Oracle E-Business Suite
So you will probably now agree that the implementation of security has been critical to the success of this implementation. This section of the paper will deal with the actual implementation of that security within the University’s Corporate Reporting Solution.
Discoverer and E-Business Suite Integration
The mechanism to provide this level of security is provided within Oracle Discoverer and the E-Business Suite. Firstly, Oracle Discoverer provides the ability to login using existing Oracle Application Users and Responsibilities. In Discoverer Security access to Business Areas can be assigned to individual responsibilities. This means that depending on what responsibility is chosen, when a person logs in, they will have access to different Business Areas, and Workbooks (Reports). A mechanism is also provided that a list of available reports, or individual reports to be displayed directly from a menu within the Oracle E-Business Suite System. To enable this feature you would have to Create a Custom Function within the Oracle E-Business suite. From a user that has access to the “System Administrator” menu; • • Navigate to Application->Function Create a new record. Next to the “Type” field enter “SSWA PL/SQL”. Next to the “Call” field enter “OracleOASIS.RunDiscoverer”. This would display the entire list of available reports that a user has access to. If you wish to run an actual report itself, find the field “Parameters” and enter the following: “Workbook=WORKBOOK_IDENTIFIER”. You will need to enter the identifier for the workbook you are trying to run.
Row Level Security
The ability also exists within the Oracle Discoverer tools to utilize the security rules that are defined at the responsibility level in order to limit the rows that are displayed to the user. The standard GL_SECURITY_PKG can be used to perform this functionality. At the responsibility level you would need to run the built-in function GL_SECURITY_PKG.INIT when users log in. This can be achieved using the
profile option “Initialization SQL Statement – Custom” set at the responsibility level. Set the profile option at the Responsibility Level to the following value; • begin gl_security_pkg.init; end;
This function call will populate the table “GL_BIS_SEGVAL_INT” with all the segment values, for each segment, that you have access to, whenever a user logs in. You can add the following to the “where clause” of your EUL custom Folders or Database Views to restrict the records users will have access to when they run reports; • …AND GL_SECURITY_PKG.VALIDATE_ACCESS( SET_OF_BOOKS_ID, CODE_COMBINATION_ID ) = 'TRUE'
The following diagram helps to illustrate the integration between Oracle Applications and Oracle Discoverer Viewer.
Login Request Discoverer Product User and Responsibility Oracle E-Business Suite
Call via init profile option -> gl_security_pkg.init
Where clause includes join
Insert rows based upon security rules
Drill Down Implementation
In the Discoverer Web-Based products you have the ability to drill down from one Workbook to an entirely different workbook, passing whatever parameters you wish along the way. This functionality makes it possible to drill down from GL Balances to GL Journals, Payables and other related information. This section of the paper will deal with the implementation details of providing this functionality. Firstly you will need to build a PL/SQL package or function that will accept a number of input parameters, such as the “Period”, “Parameter Names” and “Parameter values”. This function will use these values, and the existing user information to build a URL to can be used to call an existing Discoverer Workbook and Worksheet. The URL will utilise the existing Oracle E-Business Suite security (Browser Based Cookie) so that the user will not have to login again.
We will call this function “GLC_BUILD_DISCOVERER_URL”. This function will be used to drill down from one report to another. This function accepts inputs for the worksheet parameter name, a parameter value, period name and workbook and worksheet identifiers as parameters and builds a URL that can be used within your Discoverer EUL folder to provide a drill down to another Discoverer Viewer report. The actual PL/SQL code for this function is included as an Appendix within this paper. Next you will need to log in to Discoverer Administration Edition and register the Function and its arguments.
You can now create a URL calculated field within any of your folders, passing across the required values to this PL/SQL function.
Congratulations, you now have a field that can be used within your Discoverer Reports to drill down to another Worksheet in another Workbook.
FUNCTION glc_build_discoverer_url (I_SEGMENT IN varchar2, I_SEGMENT_VALUE IN varchar2, I_PERIOD IN varchar2, I_WORKBOOK IN varchar2, I_WORKSHEET IN varchar2) RETURN varchar2 --- This function is a generic drill down function to be used to drill from one discoverer workbook -- to another. The arguments that are passed are as follows: -- I_SEGMENT = The name of the segment parameter in the workbook parameters. i.e. Project -- I_SEGMENT_VALUE = The actual value that you want to pass to the drill down workbook. -- I_PERIOD = The period parameter that you want to pass down to the worksheet. -I_WORKBOOK = The identifier for the workbook that you will be calling. i.e. UOM_REVENUE_AND_EXPENSES -- I_WORKSHEET = The identifier for the worksheet to be opened within the Workbook. i.e. 30 -IS V_USERNAME varchar2(20); V_RESPONSIBILITY_NAME varchar2(100); V_RESPONSIBILITY_ID number; V_URL varchar2(500); v_discoverer_viewer_url varchar2(500); v_session_id number; v_sid number; v_expired varchar2(50); v_apps_secure varchar2(100); v_default_eul varchar2(50); v_user_id number(15); v_application_id number(15); v_security_group_id number(15); BEGIN -- Get fnd_global variables V_USERNAME := fnd_global.USER_NAME; V_RESPONSIBILITY_ID := fnd_global.resp_id; v_user_id := fnd_global.user_id; v_application_id := fnd_global.resp_appl_id; v_security_group_id := fnd_global.security_group_id; v_apps_secure := FND_WEB_CONFIG.DATABASE_ID; -- Get the Discoverer Viewer launch profile setting v_discoverer_viewer_url := FND_PROFILE.value('ICX_DISCOVERER_VIEWER_LAUNCHER'); v_default_eul := fnd_profile.value('ICX_DEFAULT_EUL'); V_URL := v_discoverer_viewer_url||v_apps_secure|| chr(38)||'SessionCookieName='||icx_sec.g_session_cookie_name|| chr(38)||'eul='||v_default_eul||'_'||icx_sec.g_language_code|| chr(38)||'FrameDisplayStyle=separate' || chr(38)||'NLS_LANG=AMERICAN_AMERICA'|| chr(38)||'NLS_DATE_FORMAT=DD-MON-RRRR'|| chr(38)||'NLS_NUMERIC_CHARACTERS=.,' || chr(38)||'wbk='||I_WORKBOOK|| chr(38)||'wsk='||I_WORKSHEET|| chr(38)||'pg=1'|| chr(38)||'acf='|| v_application_id || v_responsibility_id || v_security_group_id || chr(38)||'NLS_DATE_LANGUAGE=AMERICAN'|| chr(38)||'NLS_SORT=BINARY'|| chr(38)||'qp_'||I_SEGMENT||'='||I_SEGMENT_VALUE|| chr(38)||'qp_Period='||I_PERIOD|| chr(38)||'_act=Apply~20Parameters'; return (V_URL); END glc_build_discoverer_url;
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.