Saturday, March 9, 2019

Oracle Fusion Payables Security Configurations


Overview
This document describes how security is handled in Fusion Payables through Oracle Identity Manager (OIM) and Authorization Policy Manager (APM). It details troubleshooting steps and methodologies for security-related issues in Fusion Payables setup tasks.
It is not intended to cover the functionality or purpose of any setup task unless it is explicitly related to security.
It is expected that the Reader will have a firm grasp of Oracle Fusion Payables Setup Concepts, Terminology, Navigation and Functionality.

Configuration
Security Access
Fusion Payables implements Set ID and Business Unit (BU) data security.

Definitions
Set ID enables you to share a set of reference data (e.g., payment terms) across many organizations. By dividing the reference data into partitions (Sets) appropriate to the organizational entities that will use the data, Set ID enables you to share control table information and processing options among business units. The goal is to minimize redundant data and system maintenance tasks. Set ID data security secures application data access based on Set ID. A user is granted access to one or more Set IDs based on the roles he/she is assigned.

Business Unit data security secures application data access based on business units. A user is granted access to one or more business units based on the roles he/she is assigned.

The steps to grant Set ID and BU access to a user can be found in the attached document.
Setup Access
BU specific setups are accessible only if the user has been granted access to the BU.
Initially, the Financials Options setup tasks should be completed for the BU before creating any other BU-related setups (Distribution Sets, Reporting Entities, Withholding modules).
Financials Options will create the Payables System Options (Manage Invoice Options, Manage Payment Options, Manage Tax Options) for the BU internally, with the default payment term ‘Immediate’.
Payables System Options cannot be created separately.
Since the payment term ‘Immediate’ is used as a default, the set assignment must be completed before Financials Options can be created.

Prerequisites to create the Financials and Payables Options for a new BU
• The BU should be assigned to a SET.
• The BU assignment should be successful for ‘Payables Payment Terms’ reference data object.
• Setup user should have access to the SET.
• Flex deployment should be successful for the ‘Payment Terms’ task. This is a precautionary step, as unexpected behaviour can be seen if flex deployment is not done. Status verification of the flex deployment can be done from FSM:
a. Open the task 'Manage Descriptive Flexfields'.
b. Search for Flexfield code 'AP_TERMS%' and Module 'Payables'.
c. The Deployment Status for both AP_TERMS_B and AP_TERMS_LINES should be 'Deployed'.
Verification can also be done by querying a Payment Term to ensure that everything is OK.
• The seeded Payment Term ‘Immediate’ should be assigned to the set.
• Setup user should have access to the BU.

Set and Set assignments for a BU
• Go to ‘Manage Business Unit’ task.
• Search for the BU and edit it. We can find the Set Code assigned to the BU.
• In the search results, select the business unit and choose Actions menu -> Manage Set Assignments. Verify the ‘Reference data set code’ against the ‘Payables Payment Terms’ reference data object.

Scope-based UIs (Manage Common Options for Payables and Procurement, Manage Invoice Options, Manage Payment Options, Manage Tax Reporting and Withholding Tax Options) are accessible from ‘Manage Implementation Projects’ and ‘Assigned Implementation Tasks’. Do not access them from the ‘All Tasks’ tab, as the scope option won’t be available there. All other tasks are also accessible from the ‘All Tasks’ tab.

Import/Export setup data
The configuration packages used to import the setup data should have the objects in the following order.
Proposed sequence:
1. Payables calendar
2. Payment Terms, Invoice Tolerance Set, Income tax Region, Withholding.
3. Payables Financials Option
4. Payables System Option
5. Distribution set, reporting entities

The sequence of the following does not matter.
1. Aging period
2. Payables Interest rate
3. Approval Code

Diagnostic Tools
Oracle Identity Manager (OIM)
OIM can be used to confirm and assign roles for any particular user. Refer to the 'Oracle® Fusion Middleware User's Guide for Oracle Identity Manager' for detailed steps.
Four Job Roles are delivered/required for AP functionalities:
• Accounts Payable Manager
• Accounts Payable Supervisor
• Accounts Payable Specialist (for transactional UIs)
• Financial Application Administrator (for setup UIs)

Fusion Payables implements Set ID data security on the Payment Terms setup UI and Business Unit (BU) data security on other setup UIs and transactional UIs. A data role carries all the function security privileges inherited by the underlying job role and also the data security privileges for a given Set ID / BU.

To ensure a user has access to a Set ID or BU, make sure the correct data role is assigned to the user.

The following table summarizes the data roles required for AP and the security access they grant:

Data Role | Security Access Granted
AP_ACCOUNTS_PAYABLE_MANAGER_JOB_<BU>, AP_ACCOUNTS_PAYABLE_SUPERVISOR_JOB_<BU>, AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB_<BU> | Access to AP transactional UIs for the given BU
FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<SETID> | Access to Payment Terms setup UI for the given Set ID
FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<BU> | Access to all other AP setup UIs for the given BU



Authorization Policy Manager (APM)
Three data role templates are applicable to AP

• FinancialsFunSetId: This generates the FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<SETID> data roles. After a new Set is created, this template should be run manually to generate the data role.

• FinancialsFunBusinessUnit: This generates the FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<BU> data roles. When a new BU is created, this template is automatically executed to generate the data role.

• PayablesInvoicing: This generates the AP_ACCOUNTS_PAYABLE_MANAGER_JOB_<BU>, AP_ACCOUNTS_PAYABLE_SUPERVISOR_JOB_<BU>, AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB_<BU> data roles. When a new BU is created and enabled for the ‘Payables Invoicing’ business function, this template is automatically executed to generate the data roles.

APM can also be used to check whether the data security policy (grant) for a data role is generated correctly. When a user is granted a data role but still cannot access a BU / Set ID, it could be due to the data security policy missing for the data role.

Logging and Tracing
what specific methods of logging and tracing to use and hints of things to look for.
Technical Process Summary

explaining briefly how something works technically at the backend.
Important Technical Components

includes programs, techstack components, and code artifacts - explaining how they form key parts in the process.
Data Model
Data security
Grants related:
FND_OBJECTS (tables secured with data security)
FND_OBJECT_INSTANCE_SETS (instance sets)
FND_FORM_FUNCTIONS (data privileges)
FND_MENUS (grouping of data privileges to be provisioned to a role)
FND_MENU_ENTRIES (data privileges of a menu)
FND_GRANTS (grants)

Session related:

FND_SESSIONS (appl session)
FND_SESSION_ROLES (roles inherited in an appl session)

Useful queries:
When a user does not have access to a UI, a BU or a Set ID, we can verify the roles assigned to the user in OIM as described above. In addition, we can check the roles actually inherited by the user at run time by running the following queries:

/* find the appl session id based on the browser cookie */
select session_id, a.*
from fnd_sessions a
where session_cookie = :browser_cookie_id;

/* find all roles inherited by an appl session */
select *
from fnd_session_roles
where session_id = :session_id  -- session_id identified in the query above
order by role_name;

/* check the data security policies (grants) for a data role */
select *
from fnd_grants
where role_name = :data_role;
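
The OIM check and the APM check can be combined into one diagnostic query. This is an added example, not from the original post or from Oracle: for the session behind a browser cookie, it reports for each AP data role from the table above whether the role was inherited at run time and whether fnd_grants holds any policy row for it. It uses only the tables and columns from the queries above and assumes role_name holds the same value in fnd_session_roles and fnd_grants; :bu_suffix and :setid_suffix are hypothetical bind names for the <BU> and <SETID> parts of the role name exactly as they appear in OIM.

```sql
-- Added example. Bind variables: :session_cookie, :bu_suffix, :setid_suffix (assumed names).
with expected as (
  -- the data roles and the access they grant, as listed in the table above
  select 'AP_ACCOUNTS_PAYABLE_MANAGER_JOB_' || :bu_suffix as role_name,
         'AP transactional UIs for the BU' as grants_access_to
  from dual
  union all
  select 'AP_ACCOUNTS_PAYABLE_SUPERVISOR_JOB_' || :bu_suffix,
         'AP transactional UIs for the BU'
  from dual
  union all
  select 'AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB_' || :bu_suffix,
         'AP transactional UIs for the BU'
  from dual
  union all
  select 'FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_' || :setid_suffix,
         'Payment Terms setup UI for the Set ID'
  from dual
  union all
  select 'FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_' || :bu_suffix,
         'All other AP setup UIs for the BU'
  from dual
),
inherited as (
  -- roles actually inherited by the application session at run time
  select distinct r.role_name
  from fnd_sessions s
  join fnd_session_roles r on r.session_id = s.session_id
  where s.session_cookie = :session_cookie
),
policies as (
  -- number of data security grant rows per expected role
  select role_name, count(*) as grant_rows
  from fnd_grants
  where role_name in (select role_name from expected)
  group by role_name
)
select e.role_name,
       e.grants_access_to,
       case
         when i.role_name is null then 'NOT INHERITED: check role assignment in OIM'
         when p.grant_rows is null then 'INHERITED, NO GRANT: check policy in APM'
         else 'INHERITED, ' || p.grant_rows || ' GRANT ROW(S)'
       end as finding
from expected e
left join inherited i on i.role_name = e.role_name
left join policies p on p.role_name = e.role_name
order by e.role_name;
```

A user is not expected to hold every role listed; read the finding only for the role that should give access to the failing UI.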



Setup
UI related:
Manage Aging Periods - AP_AGING_PERIODS, AP_AGING_PERIOD_LINES
Manage Distribution Sets - AP_DISTRIBUTION_SETS_ALL, AP_DISTRIBUTION_SET_LINES_ALL
Manage Invoice Holds and Releases - AP_HOLD_CODES, FND_LOOKUP_VALUES
Manage Invoice Tolerances - AP_TOLERANCE_TEMPLATES
Manage Tax Regions - AP_INCOME_TAX_REGIONS
Manage Payment Terms - AP_TERMS_B, AP_TERMS_LINES, AP_TERMS_VL, AP_TERMS_ST
Manage Reporting Entities - AP_REPORTING_ENTITIES_ALL, AP_REPORTING_ENTITY_LINES_ALL
Manage Interest Rates - AP_INTEREST_PERIODS
Manage Payables Calendars - AP_OTHER_PERIOD_TYPES, AP_OTHER_PERIODS
Manage Common Options for Payables and Procurement - FINANCIALS_SYSTEM_PARAMS_ALL
Manage Invoice Options - AP_SYSTEM_PARAMETERS_ALL
Manage Payment Options - AP_SYSTEM_PARAMETERS_ALL
Manage Tax Reporting and Withholding Tax Options - AP_SYSTEM_PARAMETERS_ALL
Manage Tax Codes - AP_TAX_CODES_ALL, AP_AWT_TAX_RATES_ALL
Manage Withholding Groups - AP_AWT_GROUPS, AP_AWT_GROUP_TAXES_ALL
Manage Withholding Certificates - AP_AWT_TAX_RATES_ALL

Useful queries:
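To check whether the set assignment is done for the BU:

/* find the set_id for a set code */
select set_id, set_code, set_name
from fnd_setid_sets
where set_code like :set_code || '%';

/* list the determinants assigned to that set for Payables Payment Terms */
select determinant_type, determinant_value
from fnd_setid_assignments
where reference_group_name = 'AP_PAYMENT_TERMS'
and set_id = :set_id;  -- set_id returned by the query above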


Common Issues and Troubleshooting Steps
1. Error
• “You do not have permission to access this information”
UI / Task
• Accessing the “Manage Common Options for Payables and Procurement”, “Manage Invoice Options” or “Manage Payment Options” UI for a selected BU
Troubleshooting steps:
• Make sure the “Payables Invoicing” business function is enabled for the BU on the “Assign Business Functions” UI.
• In OIM, check that the FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<BU> data role is assigned to the user.
• In APM, search for the external role FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<BU>. Click “Find Global Policies” and check that the data security policy exists for the data role.
• Make sure that the ‘Manage Common Options for Payables and Procurement’ UI is accessed from within an implementation project or from the ‘Assigned Implementation Tasks’ tab in FSM.
• Make sure you access the group level tasks “Define Common Options for Payables and Procurement” or “Define General Payables Options” first and select the correct BU, before accessing the child level task.

2. Error
• Some fields are read-only
UI / Task
• “Manage Invoice Options” or “Manage Payment Options”
Troubleshooting steps:
• Make sure financial options are completed in the “Manage Common Options for Payables and Procurement” UI for the BU.

3. Error
• “You cannot create Fianancials options as set assignment for Immediate payment term is not complete”
• "The value for the attribute payment terms is not valid, The set assignment for payment terms Immediate is not complete for this business unit"
UI / Task
• Saving “Manage Common Options for Payables and Procurement”.
Troubleshooting steps:
• The BU should be assigned to a SET.
• The BU assignment should be successful for the ‘Payables Payment Terms’ reference data object.
  The error 'Connection to server' can be thrown on saving the set assignment, which results in it not being saved to the database even though the UI shows the correct value. Reference Note 1438191.1 and run the SQL in that note to check that the assignment is saved.
• Setup user should have access to the SET.
• Flex deployment should be successful for the ‘Payment Terms’ task.
• The seeded Payment Term ‘Immediate’ should be assigned to the set.
• Setup user should have access to the BU.

4. Error
• Set ID not visible in the Set ID LOV
UI / Task
• Payment Terms setup UI
Troubleshooting steps:
• In OIM, check that the FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<SETID> data role is assigned to the user.
• In APM, search for the external role FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<SETID>. Click ‘Find Global Policies’ and check that the data security policy exists for the data role.

5. Error
• Cannot save payment terms
UI / Task
• Manage Invoicing Options UI
Troubleshooting steps:
• In OIM, check that the FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB_<SETID> data role is assigned to the user.

6. Error
• Business unit not visible in the BU LOV
UI / Task
• Create Invoice page
Troubleshooting steps:
• Make sure financial options and payables options are completed for the BU.
• In OIM, check that the AP_ACCOUNTS_PAYABLE_SUPERVISOR_JOB_<BU> or AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB_<BU> data role is assigned to the user.
• In APM, search for the external role AP_ACCOUNTS_PAYABLE_SUPERVISOR_JOB_<BU> or AP_ACCOUNTS_PAYABLE_SPECIALIST_JOB_<BU>. Click “Find Global Policies” and check that the data security policy exists for the data role.

7. Error
• Not able to find any BSV values
UI / Task
• Create/Update Reporting Entity pages.
Troubleshooting steps:
• The Reporting Entity should be created after creating the Financials Options for the business unit, as the BSV LOV query has a join with Payables Options.
• The login user should have access to the BSV value.
• One BSV value can be assigned to only one Reporting Entity. If all the existing BSVs are already assigned to reporting entities within the BU, then the BSV LOV is empty.

8. Error
• Not able to find the newly created Location
UI / Task
• Financials Options/Reporting Entity.
Troubleshooting steps:
• Check whether the location is assigned to a set to which the user has access. Location LOVs are Set ID security enabled, as the location entity has the following properties:
  Determinant Type: Business Unit (BU)
  Setid pattern: Row stripping with common set.

9. Error
• Not able to find the newly created BU
UI / Task
• Create Distribution Set page (BU LOV)
Troubleshooting steps:
• The Distribution Set for a business unit should be created after the options for the business unit are created. Check whether the Financials Options are created or not.

10. Error
• Not able to find the payment term value in the ‘Payment Term LOV’
UI / Task
• Manage Invoice Options page.
Troubleshooting steps:
• ‘Payment Terms’ LOVs in the ‘Manage Invoice Options’ task/UI are Set ID security enabled. The Payment Term should be assigned to a set to which the user has access.

11. Error
• Not able to find business object
UI / Task
• ‘Manage Configuration Packages’ during import/export.
Troubleshooting steps:
• Check if the service information is registered for the business object.
• Check if the business object is associated with at least one task in the implementation project. Modify the implementation project appropriately and recreate the configuration package.

12. Error
• Migration process completed in error
UI / Task
• Import
Troubleshooting steps:
• More than one business object was marked for export/import, but the registered service was not available in the deployed enterprise application. Recommendation: open the migration results to check the details for the business object you are interested in.
• The process completed, but the VOs for the corresponding business object are not listed in the results. This usually happens when the XML file was manually edited and errors were introduced, such as removing attributes, or when some compression was used while creating the zip file.
• For more debugging/logs, go to ‘Manage Export and Import Processes’, search for the configuration packages, and download the files using the ‘Download’ icon.

13. Error
• Roles are visible in APM but not in OIM
UI / Task
• APM view roles
Troubleshooting steps:
- Log in to OIM.
- In the top right corner, click the Advanced link.
- Under System Management, click the Search Scheduled Jobs link.
- In the left pane, enter ‘*LDAP*’ as search criteria.
- Open the following jobs and make sure they are scheduled to run regularly to sync up the roles between APM and OIM:
• LDAP Role Create and Update Reconciliation
• LDAP Role Delete Reconciliation
• LDAP Role Hierarchy Reconciliation
• LDAP Role Membership Reconciliation
If running the above jobs still does not work, run the below full reconciliation jobs once:
• LDAP Role Create and Update Full Reconciliation
• LDAP Role Delete Full Reconciliation
• LDAP Role Hierarchy Full Reconciliation
• LDAP Role Membership Full Reconciliation



1 comment:

Vishnu said...

Hello,

I have a question related to Reference Data Set. When I was assigning a reference data set to Payment Terms, I could see a maximum of 250 values in the Set Code drop-down list (under Set Assignments). I was not able to see the one (Reference Data Set) which I created. Can anyone help me with what needs to be done to see more values?

Do note that the set code drop-down list has the values in alphabetical order; if I create a reference data set starting with A or B or C, then I am able to see the value in the drop-down list. But when I create a reference data set starting with S, then I am not able to see it...

I know in EBS there is a profile option called "FND: View Object Max Fetch Size" to see more values in lists of values in OAF pages. But I don't know how we can achieve this in Fusion.

Appreciate your help.

Regards,
Vishnu
