Flexfield Migration in SaaS Environment

In my first post I discussed How to Find DFF and modify it as per the requirements. Now let's say you have defined the DFF in test environment and now you decided to migrate it to other instances. 

Oracle has documented Document 1510288.1 - Guidance for Managing Customizations in Oracle Cloud Application Services: Flexfield Migration the way to migrate DFF in cloud environment. 

Here are the few key points from that document

Special Considerations

• To avoid synchronization issues, migrate flexfield customizations prior to migrating UI and BI customizations. 
• Only flexfields with a deployment status of Deployed or Deployed to Sandbox are eligible to for migration.
• The import process on the target environment automatically submits affected flexfields for redeployment.

Prerequisites

• Ensure source and target OCAS environments (e.g. Test and Production) are at the same patch level.
• Create an implementation project in the Setup and Maintenance (FSM) work area.
• Configure all applicable flexfields in the source environment using the following tasks in the

Setup and Maintenance work area:

• Manage Descriptive Flexfields
• Manage Extensible Flexfields
• Manage Key Flexfields
• Manage Value Sets

Checking with Oracle whether it is possible to migrate without creating implementation Projects.

Keep checking for the update

Value Sets & Use Case Part I - Independent Value Set

For Key and Descriptive Flexfields you might need to create Value Sets for restricting values user can enter.
People who are from EBS background knows about this. In EBS you can create value sets for Concurrent Program Parameters also. But here in Fusion Apps you create value sets only for flexfield segments.

So let's get into the details. We create value sets through Manage Value Sets task from FSM [Navigator -> Tools(Setup and Maintenance)]
Once you go the task this is what you will see

You can search existing value sets and edit or you can create a new one. So for this exercise let us create some value sets. Click on the Actions -> Create or directly click on the create sign

The field elements are almost same as EBS. Let us see what are all the validation types available in Fusion Apps.






The following types of validation are available for value sets.

• Format Only, where end users enter data rather than selecting values from a list
• Independent, a list of values consisting of valid values you specify
• Dependent, a list of values where a valid value derives from the independent value of another segment
• Subset, where the list of values is a subset of the values in an existing independent value set
• Table, where the values derive from a column in an application table and the list of values is limited by a WHERE clause

In the above example I created XXCUSTOM_COMPANY value set with Validation Type Independent and Value Data Type Character in General Ledger Module. Once you have specified the details click on Save and Close. It will go back to the Manage Value Sets screen. Search the value set and click on Manage Values to enter the values

Select the row and click on Manage Values button or Select Manage Values from Actions menu.

This is what you see in the Manage Values screen. You can search existing Values or can create new ones. Select Actions -> Create

In the Create Value sreen specify the Value, Description and optionally specify the Start Date, End Date and Sort Order.

Click and Save and Close. In this way you can create all the required values.

Let's associate this Value Set in one of the segments in the Descriptive Flexfield I setup in the previous post.

So Search the Manage Descriptive Flexfields in FSM and Click on Go to Task. In the following screen search Job Attributes DFF and then click on Actions -->Edit

This is what you will see in the following screen. Let us associate our Value Set XXCUSTOM_COMPANY with DFF Global Segment External Job Title. Click on Actions --> Edit

In the Edit Segment Screen select the Combobox and then select Search

Search XXCUSTOM_COMPANY and then select it and then then click Ok. In the Edit Segments screen click Save and Close. And then in Edit Descriptive Flexfields screen click Save and Close again.Then finally in Manage Descriptive Flexfields screen select the DFF and click on Deploy Flexfield.

Now let's see whether our value set is working or not. Go to Navigator --> Workforce Management --> Workforce Structures

Go To Manage Jobs Tab and search or Create a Job and then Click on External Job Title Combobox. The list will show you the values you defined in the value sets

This screen confirms the same.

Few more things about Value Sets. This is what Oracle Common Implementation Guide talks about Value set security

Security

Value set security only works in conjunction with usage within flexfield segments. If a value set is used standalone, meaning outside a flexfield, value set security is not applied, but Oracle Fusion data security is enforced.

You can specify that data security be applied to the values in flexfield segments that use a value set. Based on the roles provisioned to users, data security policies determine which values of the flexfield segment end users can view or modify.

Value set security applies at the value set level. If a value set is secured, every usage of it in any flexfield is secured. It is not possible to disable security for individual usages of the same value set.

Value set security applies to independent, dependent or table-validated value sets.

Value set security applies mainly when data is being created or updated, and to key flexfield combinations tables for query purposes. Value set security does not determine which descriptive flexfield data is shown upon querying.

Security conditions defined on value sets will always use table aliases. When filters are used, table aliases are always used by default. When predicates are defined for data security conditions, make sure that the predicates will also use table aliases.

For key flexfields, the attributes in the view object that correspond to the code combination ID (CCID), structure instance number (SIN) and data set number (DSN) cannot be transient. They must exist in the database table. For key flexfields, the SIN segment is the discriminator attribute, and the CCID segment is the common attribute.

Value Sets for Context Segments

When assigning a value set to a context segment, you can only use table-validated or independent value sets. The data type must be character and the maximum length of the values being stored must not be larger than column length of the context.

Cheers......

How to Find and Edit Descriptive Flexfield (DFF) on a Page???

Like many others I am also from Oracle EBS background. While trying to find ways to extend existing application many of you will be wondering to see whether Flexfield has been incorporated into Fusion Applications. Flexfield is a way of capturing business data which has not been captured in the pages. In reality it is not possible to create an application to satisfy every possible data a particular Product in a particular business operates. This is why Oracle came up with idea of Flexfield. In EBS we have seen two flavors of Flexfield

• Key Flexfield (KFF)
• Descriptive Flexfield (DFF)

In Fusion Applications Oracle has introduced one more category and it is termed as Extensible Flexfiled (EFF)

Key Flexfield is something which has been introduced to capture the structure of business data like your Ledger Accounting, System Items, Jobs etc. You have to set up these in order to make the application work as designed. Descriptive Flexfield on the other hand has been introduced to capture additional business data which are required for the business but no standard UI region has been put in the pages. You may set them up as per gap analysis done by Functional Consultant. You need to see what has been provided by Oracle and what is your present as-is business. 

Now let's say you have found that some information are not captured in the page e.g Create Job Page and you want to enter additional information. So you need to create/configure DFF for that. To do that you need to first find out whether DFF is at all present in the page. There are two ways to do that use

1. Highlight Flexfield
2. Customize <Page name> under Administration Link as shown

Highlight Flexfield from Administration Link

Click on the Information button to see the DFF details

This picture shows DFF details from Page Composer. Click on Customize <Page Name> and if asked select the appropriate Level. Select the main body region and Confirm Edit confirmation message and then from the source view at the Left Side (View--> Source Position--> Left) search word flexfield. Then Click Edit from the Top

That will show the component properties for the Descriptive Flexfield as shown above. Now you have got the DFF name e.g. Job Attributes.

Now go to FSM and search Manage Descriptive Flexfields task and then click on Go to Task. Search Job Attributes Descriptive Flexfield

Click on Edit Link

Add Global and Context Sensitive Segments and then Save

Once everything is done, come back to Flexfield Screen and Click Deploy. This is same like Compile Flexfield in EBS. Once it is deployed successfully go back to Create Job Page and see that segments are now appearing.

This Completes finding and setting DFF in a Page. I will discuss in the following post 'How to Migrate Flexfields in Cloud Environment'..

Fusion Apps Security Vs EBS Security Part I

There is a wonderful blog on Fusion Security by Jani Rautiainen. People who are from EBS background will be able to connect EBS security with FA security. Only thing they have to know which terminology maps to what.

If you are from EBS background you know that security is handled through Functions, Menus, Responsibilities, Users and Profile Values, Request Groups, Data Groups and in some cases (Purchasing, Shipping etc) the inbuilt logic.



Where as in Fusion the access is fully controlled by RBAC (Role Based Access Control). The concept is very simple 'WHO can do WHAT on WHICH set of data'

Here WHO is user who has been assigned a set of roles, e.g. SHEIKHM is the user who has been assigned roles

You can log on to OIM with your user to access Oracle Identity Manager - Self Service Page. Click on My roles and you will see the list of roles assigned to you. If you have OIMADMIN privileges which is basically the IDM Administrators role, then you can add remove roles from users.

'WHAT' is Duties/Privileges under the Roles

What also determines what menu items will appear under Navigator and what Tasks the user will be able see from the Task Panes.










'WHICH' is basically Data Security and it determines what data you will see on the screen.

In EBS we setup users from System Administrator Responsibility - > Security - > Users
There we create user credentials and assign list of responsibilities. In Fusion this is done in OID and the same is managed through OIM (if customer has not used any other third party LDAP store for identity).
To do this navigate to Oracle Identity Manager - Delegated Administration and then click on Administration link placed at the top right hand side and  click on Create User

Once you have entered the user details and clicked Save, the Role Provisioning screen will appear where you will specify roles the user will be provided. In EBS we have Function or Menu exclusion provisions. But here in Fusion I believe we don't have that till now. Though it is not recommended to create Application Users from OIM except for initial implementation users, but still we need to know how these Middleware Components fit into overall architecture. Use HCM Role Mapping Rules to automatically assign roles when they are created through any interface like FBL or HR2HR.

In EBS the menu, the user will see is determined by Responsibility Definition. There we specify the menus and their sequences. The menus consist of Sub-menus or Functions. The function may call Oracle Form, SRS screen or OAF page. Where as in Fusion the Applications UI has been built using ADF and the security has been incorporated there itself. The pages, regions, Task Flows, menus, Dashboards etc are protected using Security Context. The Security Context  is provided by Oracle Platform Security Services(OPSS).

Oracle Fusion Applications designers leverage the Oracle Platform Security Services (OPSS) framework through Oracle JDeveloper security wizards.
As shown in Figure OPSS is the security foundation for Oracle Fusion Middleware: all Oracle Fusion Middleware components and Oracle Fusion Applications “consume” the OPSS framework’s services.

OPSS is a self-contained, portable environment that runs on an application server such as Oracle WebLogic Server. If you are familiar with ADF you know  that at development time, OPSS services are directly invoked from the development environment (Oracle JDeveloper) through wizards. When the application is deployed to the runtime environment, systems and security administrators can access OPSS services for configuration purposes through Oracle Enterprise Manager Fusion Middleware (FMW) Control, command line tools such as WebLogic Scripting Tool (WLST), and more specifically Oracle Authorization Policy Manager (APM).

This figure shows you design time OPSS and Run Time OPSS. Let me go to one step down to show you how security is configured in ADF

Some Application Roles are created in ADF because the framework Supports security for Resource Type as Task Flow, Pages, Regions, ADF Methods etc.  Some of them are incorporated in the logic itself. now the question is How will I know what are the roles that are shipped with the respective applications



Let's see them for HcmPayrollApp under HCM Product Family.
Log on to you HCM Domain Enterprise Manager Fusion Applications Control.

Expand Oracle Fusion Human Capital Management --> Fusion Applications --> HcmPayrollApp
Then select HcmPayrollApp

This is the screen which you will see after the selection. Now to see the Shipped Application Roles. To get that navigate to the pages as shown in the next picture

One you do that the next screen will show you all the application roles and their associated external role mapping

Once you do that you will see the location of the policy store provider and the list of application roles (These are basically duty roles).
If you select any of the roles and click on edit you will see the mapping with other Application or External Roles as shown in the next picture

Now if you log on to Oracle Authorization Policy Manager (APM) to see the list of entitlements and associated grants for the Roles you will have the clear understanding. APM is a graphical user-interface console for managing OPSS-based authorization policies. APM was specifically designed to support Oracle Fusion Applications’ security policies using a centrally managed approach. APM is designed for customers relying on Oracle Fusion Middleware products consuming OPSS services, such as Oracle Fusion Applications, or OPSS used by in-house custom applications.
Here our aim will be to see how the ADF resources are secured and how to view this configuration. So let's take BEN_BENEFITS_SETUP_DUTY for this case study. In APM when you log on you will see the screen as below

At the Top Left you will see a section called Search. Select For Application Roles in hcm and search for BEN_BENEFITS_SETUP_DUTY
and click GO

This is what you will see when you search. Click on Open. It you show the details of the Application Role - Application Role Hierarchy, External Role Mapping & External User Mapping. As you can see from the next screen that BEN_BENIFITS_SETUP_DUTY role has been mapped to Benefits Administrator and Benefits Manager Roles created in your LDAP Identity store. The next picture from OIM confirms that

I logged on to OIM and searched the Job Role which is nothing but External Role created in OID. Now let's go back to APM and try to see the Authorization Policies for our DUTY Role

So after opening the Application Role click on Find Policies at the top right hand side. This will show the Authorization Policy. Now as can be seen from the picture that there are two tabs Function Security and Data Security Policies.
Function Security decides the access to UI where as Data Security decides the data you will see on the screen. So let's see what the user assigned with this role (though Duty roles are not directly assigned to users but for the sake of understanding let's assume that this has been done).

By default Function Security Tab is automatically selected when you open Authorization Policy.
Here you see that there is one Function Security Policy has been specified and that is basically Entitlement Set. Now click on Open you will see list of Entitlements. Entitlements are nothing but group of Resources and corresponding Actions that can be performed on those. The following picture will show those.

Click on the info button and you will see the Entitlement Name. Now to see what all the resources (UI, Task Flows)  that can be accessed through this role. Let's search this Entitlement.

This screen specifies that the user who has been assigned this role directly or indirectly will be able to access the Task Flows as mentioned, e.g - PlanEnrollmentFlow and Page e.g - PlanDIConfirmationPageDef

In OPSS, the pages are defined as resource and they are specified as shown in the picture.

So this explains the way the UIs are secured in Fusion Applications. I will show how Data Security Policies are specified in the following posts.

Summary

Fusion Applications has been developed using ADF where the security has been introduced decoratively using OPSS APIs which are then deployed in Weblogic Domains and is then configured there by Security Administrator using Graphical Tool APM. At run time ADF delegates authentication and authorization to OPSS which then uses OID or any LDAP Identity and Policy store to get the details of roles and privileges the user has and accordingly access is granted.

Cheers......................

Customization in SaaS Model

Many of the project managers and IT architects will be willing to know what is possible and what is not as far as customization in Fusion Apps are concerned. As in shared Cloud model base artifacts are shared by multiple customers, changing base code is not possible. But any organization who will go for any packaged application will not have everything incorporated into it. They have the options to adopt to the business processes as-is or make customization.

Now question is customer should need to know what are available to customize in SaaS. Customization can be categorized as

• Design Time (DT) - Changing the base artifacts
• Run Time(RT) - Changing the artifacts @ Run Time

Design Time (DT) customization is not at all possible in SaaS model. Following are the Design Time tools available

• Oracle JDeveloper
• Oracle Business Intelligence Publisher (Oracle BI Publisher)
• Oracle Business Process Management Studio (Oracle BPM Studio)
• Oracle BPM Worklist

Oracle has provided Run Time Composer Tools for customizing artifacts. There are 4 composers

• Page Composer - Modifying Pages
• Data Composer - Adding & Modifying business objects
• BI Composer - Adding & Modifying reports and analytics
• Process Composer - For Modifying Business Process

Now these composers are also having limitations. There is a blog Tailoring Fusion Applications in the Cloud Explained by Richard Bingham in Fusion Applications Developer Relations, which gives an overview of 'What is Possible in SaaS'

Following are MOS documents which explain the services provided by SaaS

Document 1471160.1 - Getting Started with Oracle Fusion Applications: Oracle Fusion Human Capital Management Cloud Implementations

Document 1534683.1 - Cloud Service Requests and Fulfillment for Oracle HCM Cloud Service

Document 1510580.1 - Guidance for Managing Customizations in Oracle Cloud Application Services: HCM Extract Definition Migration

Document 1510578.1 - Guidance for Managing Customizations in Oracle Cloud Application Services: Oracle Composer Migration

Document 1510288.1 - Guidance for Managing Customizations in Oracle Cloud Application Services: Flexfield Migration

Document 1510577.1 - Guidance for Managing Customizations in Oracle Cloud Application Services: Business Intelligence Migration

Document 1537461.1 - Managing Fusion HCM Cloud Service Environments

Happy reading..

Cheers

Oracle Transactional Business Intelligence (OTBI) - Technology Overview Part II

In Oracle Transactional Business Intelligence (OTBI) - Technology Overview Part I I explained about OTBI architecture and it's OBIEE connections details. Many of you may be wondering how to get the the RPD file and  then open it in BI Administration Tool.

Here is the link where I have explained how to get the latest copy of the RPD file from server. This file is created during installation and is a huge in size. By default this has both OBIA and OTBI. Many customers might not be using all of the product families. Depending on the product family you can trim the RPD and keep only those which you are using or which you have installed. This makes it easy for maintenance. If you use default file then it takes too much time to download to local machine, open it and then upload it in offline mode. It also takes long time to open it on-line mode. Oracle has provided way to trim this file.Here is the link for trimming the RPD. In this example I have not used trimmed file. Use any FTP tool to copy the RPD file to your local m/c.

So now you have the file but you don't have the client tool to open it. You need to install the correct version of the tool to open it. The best way to do is to download it from OBIEE Home Page. Log on to the Oracle BIEE Home using the link http://yourcompany.com:10621/analytics/saw.dll?bieehome   and then click on Download BI Desktop Tools under Get Started 

Select the right installer depending on whether your OS is 32bit or 64bit.
















Once you have installed the client tool, go to Program Files->Oracle Business Intelligence Enterprise Edition Plus Client Tools -> Administration. Copy your file in the folder e.g C:\Program Files\Oracle Business Intelligence Enterprise Edition Plus Client Tools\oraclebi\orainst\bifoundation\OracleBIServerComponent\coreapplication\repository  and then open it from BI Administration Tool. It will prompt for password to open it as the file is password protected. Ask your system administrator or DBA for the same. This is the password specified during installation.

This is what you will see when you open the RPD file.










This covers Opening the RPD file from BI Administration Tool.

Cheers..................

How to Know On Premise RPD File Name and Location?

If you want create new Subject Areas in OBIEE for use in OTBI/OBIA then you have to modify the metadata repository file. To do that you need to know the latest copy of the RPD file and the location of the same.

How to find the latest copy and location?

Log on to BIDomain EM. Here is the link to know the domain details. So if your BIDomain is deployed on http://yourcompany.com:xxxx then EM would be http://yourcompany.com:xxxx/em.

Enter your user id and Password

Once you log on this is you will see. If you don't see this click on Oracle logo.

Expand Business Intelligence Node and select coreapplication. Once you have done this the screen should look like this.

Then click on Deployment and Repository tab. Under BI Server Repository Section you will see Default RPD. In this case the RPD file name is OracleBIApps_BI0008. Note that this is a shared repository and shared path is /u01/app/oracle/fusion/instance/BIShared/OracleBIServerComponent/coreapplication_obis1/repository. If you log in to that path from UNIX box you may find that the RPD file names are not matching with default RPD file mentioned in EM. There is a MOS document OBIEE 11g: How is the Repository File Updated in a Clustered Environment and How To Identify the Latest Repository File in the Publishing Directory [ID 1484831.1]. This document explains why the file names under this folder are different.

So if the RPD file does not match with the file names under shared folder then how will someone get the exact file name?? There is also a MOS document How To View User Permissions in the RPD for Fusion Applications Business Intelligence [ID 1408832.1]. Under this document there is a section called Download the current copy of your RPD file.  There it has been specified the exact location of the rpd file as /APPLTOP/instance/BIInstance/bifoundation/OracleBIServerComponent/coreapplication_obis1/repository. But I could not find the path to be valid one. Generally APPL_TOP is set to /u01/app/oracle/fusion/fusionapps/applications. But inside APPL_TOP this path does not exist. I believe this path would BASEPATH/instance/BIInstance/bifoundation/OracleBIServerComponent/coreapplication_obis1/repository.  Where BASEPATH is the mount point of Fusion Apps.I don't know whether this is typo or our system environment is set like this. Anyway Oracle has to confirm this....

So if I go to the BASEPATH/instance/BIInstance/bifoundation/OracleBIServerComponent/coreapplication_obis1/repository  and do ls -ltr I could see this

Here I could see the OracleBIApps_BI0008.rpd file. Similarly you can follow this and get your latest copy of the RPD file and start modifying.

In the next series I will explain how to verify the connection and the database details to which OTBI report connects.

Keep reading................

Cheers