Implementing Report Data Security (MOAC and VPD)

Customer April 1, 2022 at 8:11 pm

We need to ensure that our Payables reports only show data relevant to the Operating Units (OUs) the user is currently authorized for via MOAC security. What is the recommended best practice for data access security in Blitz Report—using Oracle’s VPD-secured synonyms (like `ap_invoices`) or the base `_all` tables?

Viewing 8 reply threads

Author
Replies
- Support April 3, 2022 at 10:48 pm
  For maximum flexibility and maintainability, the recommendation is to use the unrestricted base tables, such as `ap_invoices_all` (the `_all` tables), rather than relying on Oracle’s VPD-secured synonyms , . Security is then enforced by making the Operating Unit a required parameter in the Blitz Report . The List of Values (LOV) for this parameter is explicitly limited to include only the operating units accessible through the user’s current login responsibility and security profile .
- Customer April 4, 2022 at 6:52 pm
  What is the main benefit of securing data through a required LOV parameter instead of using the standard secured views?
- Support April 5, 2022 at 1:11 am
  The key advantage of using the required LOV parameter approach is enhanced flexibility . It allows your developers to test SQL queries directly using database tools without needing to initialize the full application user session context, which simplifies debugging . Furthermore, this method supports use cases like shared service centers, where a specific user might need elevated access to see all data across the system .
- Customer April 6, 2022 at 11:15 pm
  We also have highly sensitive HR data (payroll). If we use VPD directly in Oracle to restrict access to the underlying tables, will that protection apply when users run reports via Blitz Report?
- Support April 8, 2022 at 2:38 pm
  You can absolutely use Oracle Virtual Private Database (VPD) with Blitz Report to control access to sensitive data at the column or row level . VPD policies are set up on the database objects to automatically add restrictions before SQL execution . However, it is important to note that VPD policies implemented this way only secure data access through the Blitz Report concurrent program and not through direct access via database tools or standard Oracle EBS processes .
- Customer April 9, 2022 at 6:34 pm
  If we decide to use VPD, what is the prerequisite setup needed specifically within Blitz Report, besides configuring the Oracle database policy?
- Support April 10, 2022 at 7:11 am
  To secure data via VPD through Blitz Report, you must set up the specific tables or column names you wish to protect in the lookup `XXEN_REPORT_VPD_POLICY_TABLES` . You navigate to Application Developer > Application > Lookups > Application Object Library, query the lookup type, and enter a unique lookup code for each table or column, including the owner, table, and optional column name as the lookup meaning .
- Customer April 10, 2022 at 6:01 pm
  If we activate VPD security, is there a way to deactivate ledger security for reports where only inventory org security is required?
- Support April 10, 2022 at 11:09 pm
  Yes, control over security features like Ledger and Operating Unit is managed through specific profile options , . The profile option ‘Blitz Report Use Ledger Security’ controls activation of ledger security . Many Cost Accounting (CAC) reports, for example, default to using only inventory organization security, but setting this profile to ‘Yes’ would enforce restriction by ledger access set . Conversely, setting it to ‘No’ (or its default value) would deactivate that layer of security.
Author
Replies

Viewing 8 reply threads

You must be logged in to reply to this post.