New Grant based Security in AGIS


Managing a large number of responsibilities can become a complex, time consuming and expensive activity. It is also very frustrating for users if they have to constantly switch responsibility if they have a number of roles, this is a big issue in 11i Global Intercompany System as you could only have one Balancing Segment Value (BSV) per GIS responsibility and there can be a large number of BSV often with one person responsible for entering and approving intercompany transactions for many bsv. For example there may be a controller responsible for approving all transactions for the dozens of EMEA subsidiaries.

When we created the new Advanced Global Intercompany Product in R12 we set out to address this issue and came up with a whole new transaction security model. We use a grants based model where a particular user can be granted access to one or more intercompany Organizations (this is the R12 term for the 11i GSI Subsidiaries).

AGIS Security

<Note click on image to see full size>

So now I have been granted access to 3 organizations, what can I do?

I can log in under a single responsibility and see transactions for all many organizations in the same screen, approve them, update them and reject them etc. The screen below shows a number of recipient organizations that I have access to all in the same search results.

AGIS Inbound

<Note click on image to see full size>

If tomorrow I am assigned access to an additional Intercompany organization, then I will see that in the same screen, using the same responsibility, there is no need for me to access any different responsibility. I will those transactions requiring my attention all together in the same UI, using the same responsibility I already use.

We use a feature called FND Grants to implement this security model, that was introduced (I think) in 11.5.9. Without going into the nuts and bolts of it, the model allows you store SQL statements to describe how you determine the access to your objects a user would have. At runtime you call an API that returns a where clause that is appended to your search results to restrict the data a user can access. If you’re building customizations you could use FND Grants too. If there’s sufficient interest I can write up a ‘How to use FND Grants post’ with full details, at least I can add it to my blog post to do list!

Author: David Haimes

I'm Senior Director in the Oracle Research and Development Organization, with close to 20 years working in various roles on the development of the Financial Management product suite.  Since the summer of 2016 my focus is exclusively on working with customers and longer-term design work, particularly around next-generation functional and technical architecture. My task is to figure out NOW what the financial management system of the next 3, 5 or more years should look like and start working toward it.  At the moment the majority of my time is spent working on Blockchain or Distributed Ledger Technologies (DLT), leading the effort for all of SaaS applications.  I'm also interested in AI, Machine Learning and new UX and interaction paradigms such as chat bots. I started out in Oracle UK and found my way out to Oracle's Redwood Shores, California HQ in May 2000.  My previous role was product owner for Fusion Accounting Hub, General Ledger, Intercompany and Legal Entity products in Oracle Fusion Financials and eBusiness Suite General Ledger. I have also worked on EMEA Globalizations, Federal and Public Sector Financials, XML Payments and a variety of projects on other products down the years.

2 thoughts on “New Grant based Security in AGIS”

  1. Can you direct me to documentation regarding fnd grants? How it works, what kind of audit and security features are available, etc.
    thanks, William


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s