Multi-Org Access Control

Written by David Haimes

accesscontrol.jpgMultiple Organizations Access Control or MOAC (pronounced MOW-ACK) to use the seemingly obligatory acronym, is a powerful, yet simple to implement feature available in R12.

Implementors spend a lot of time figuring out how to configure their Legal Entities, Ledgers and Operating Units. There are a number of options some restrictions, depending on what features you want to implement and where you are. See my earlier posts on Legal Entities and Operating Units for details on that. However it is worth remembering that change is the Status Quo (No, not the band of rocking all over the world fame – it’s latin, look it up) and flexibility is important, what was the optimal way to organize your transaction processing yesterday may not be right today. Many companies are creating shared service centers to centralize processing of financial transactions and a single user may process transactions on behalf of many different Operating Units(OU).

So MOAC allows you to create a security group which can contain many operating units and assign that to the User’s responsibility. All the forms that process OU striped data now allow you to pick an OU to work in from a list that contains all the OU you have access to. You will also find all the OU based reports have a parameter added for OU.

The Set Up is straighforward. You can define a security profile in the HR Security Profile form, adding Operating Units to it, then you must run Security List Maintenance program before you can assign the security profile to the profile option MO: Security Profile for a responsibility.

When considering R12 this is one of the quick wins that can be achieved after upgrade and I also noticed it mentioned by the PPM team in an interview on itssafeature too which prompted me to get a post out about it.

Author: David Haimes

I'm Senior Director in the Oracle Research and Development Organization, with close to 20 years working in various roles on the development of the Financial Management product suite.  Since the summer of 2016 my focus is exclusively on working with customers and longer-term design work, particularly around next-generation functional and technical architecture. My task is to figure out NOW what the financial management system of the next 3, 5 or more years should look like and start working toward it.  At the moment the majority of my time is spent working on Blockchain or Distributed Ledger Technologies (DLT), leading the effort for all of SaaS applications.  I'm also interested in AI, Machine Learning and new UX and interaction paradigms such as chat bots. I started out in Oracle UK and found my way out to Oracle's Redwood Shores, California HQ in May 2000.  My previous role was product owner for Fusion Accounting Hub, General Ledger, Intercompany and Legal Entity products in Oracle Fusion Financials and eBusiness Suite General Ledger. I have also worked on EMEA Globalizations, Federal and Public Sector Financials, XML Payments and a variety of projects on other products down the years.

9 thoughts on “Multi-Org Access Control”

  1. David, please delete the above post as it has some grammatical errors.

    David has given a fantastic overview of MOAC in Release 12. Let me add some technical aspects, from the developer’s perspective.

    As pointed out by David, the most important feature that MOAC provides in Release 12 is the ability to handle multiple operating units within the same responsibility. This is beneficial as users don’t have to switch responsibilities in order to change the operating unit. Often people ask me whether its possible to use the 11i single organization behavior in Release 12. Or more importantly whether its possible to use a mixture of both.

    Yes, this is possible. Before telling you how to do that, let me explain how MOAC works in Release 12. MOAC is initialized when you open a Form, OA page or a Report. The first MOAC call checks if the profile “MO: Security Profile” has a value. If Yes, then the list of operations units to which access is allowed is fetched and the list of values (LOV) is populated. Then default value of the LOV is set to the operating unit specified in “MO: Default Operating Unit”. This is how MOAC works in Release 12 when the value of “MO: Security Profile” is set.

    When the profile “MO: Security Profile” does not have a value MOAC switches to the 11i single organization mode. As in 11i, the profile “MO: Operating Unit” is checked and the operating unit is initialized to the one defined in it.

    The important point to note here is that the profile “MO: Operating Unit” is ignored when the profile “MO: Security Profile” is set. This enables us to use both both Release 12 MOAC behavior and 11i behavior simultaneously in Release 12. You can also choose to completely use one of them.


  2. David and Venkat,

    This is great functionality for Release 12. Mo: Security Profile has been around for a while as it is used for example for some subsidiary ledgers and for DBI example.

    With that being the case, do you think development might create patch to rollout MOAC functionality for GL in 11.5.10?


  3. Even if I knew the answer to that I would not be able to comment on future functionality.

    However I will say, the effort involved in adding a profile option is minimal – which may explain why they are so extensively used.


  4. I can’t comment on the future functionality and also don’t know what is in store. However, from the technical point of view, MOAC not only requires addition of new profile option, but also requires changes to every operating unit dependent form/report/OA page.


  5. David,
    I had emailed you before that I had some questions on intercompany, however, my question is not related to your most recent blog posting.

    Working with intercompany, if a company is global and has legal entities all over the globe, do you recommend that a “corporate rate – one rate for each currency” is given to all foreign entities to use?

    I’m just trying to understand how GIS would work if multiple rates were used for the same currency type – If for example, a London site was using a different pound rate than someone in the US.

    How does Oracle GIS ensure that the elimination of the intercompanies between global companies is zero? There is always a difference in rates when you enter in two different currencies. Also, when the intercompany is cleared/paid the rates will change too?

    thanks for your help,


  6. dave

    For Intercompany currency you have two choices

    1) Use corporate rate – these rates need to triangulate so when you consolidate they will all come to the same amount.

    2) Use the local rates in each ledger/legal entity and then revaluate before you consolidate.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s