17
Using Discoverer with Oracle Applications

This chapter explains how Discoverer supports access to Oracle Applications databases using Oracle Applications security.

This chapter consists of the following sections:

• 17.1 Supported Features

• 17.2 Prerequisites

• 17.3 Configuring the Connect dialog for Administration Edition and Discoverer Plus (for Windows)

• 17.4 Configuring the Connect dialog for Discoverer 4i Plus and Discoverer 4i Viewer

• 17.5 How to use Discoverer Administration Edition in Applications Mode

• 17.6 Create an Applications Mode EUL

• 17.7 Connect to an Applications Mode EUL

• 17.8 Granting Access Permission for Business Areas

• 17.9 Granting Task Privileges

17.1 Supported Features

The following Oracle Applications features are supported by Discoverer:

• Access to Oracle Applications databases using Applications user names, passwords and responsibilities

• Oracle Applications Multiple Organizations

These features are only available when Discoverer is running in Applications mode against an Oracle Applications mode EUL against an Oracle Applications database (Applications Mode).

17.2 Prerequisites

The following need to be satisfied for Discoverer to function when connecting as an Oracle Applications user (Applications Mode):

17.2.1 Oracle Applications installed

• Oracle Applications must be installed before Discoverer can be used in Applications Mode.

17.2.2 Oracle Applications versions supported by Discoverer

The following Oracle Applications versions are supported by Discoverer:

• Release 10.7 (SmartClient and Character mode)

• Release 11

• Release 11i

17.2.3 For Oracle Applications users to launch Discoverer 4i Plus via a link on an Oracle Applications page.

Oracle Applications users can launch Discoverer 4i Plus and view Discoverer worksheets directly through a link on an Oracle Applications page.

The following prerequisites apply:

• JInitiator must be installed.

• With Solaris installations, the plugin must be installed.

• If the language is to be set other than English (usually selected in the start pages) it can be done on the URL.

17.3 Configuring the Connect dialog for Administration Edition and Discoverer Plus (for Windows)

This section explains how to configure the Connect dialog for Oracle Applications users of Discoverer Administration Edition and Discoverer Plus (for Windows).

Before you connect to Oracle Discoverer as an Oracle Applications User, you can configure the Oracle Discoverer Connect dialog to expect Oracle Applications users, as follows:

1. Select Tools | Options from the main menu to display the following dialog:

Figure 17-1 The Options dialog

2. Select one of the following radio buttons:
   • Connect to standard EULs
     The Oracle Applications User check box is not displayed in the Connect dialog and Discoverer expects standard database users.

   • Connect to applications EULs
     The Oracle Applications User check box is not displayed in the Connect dialog but Discoverer expects users to connect using an Applications user id/password and Oracle Applications database connect string.

   • Connect to both standard and applications EULs
     The Oracle Applications User check box is displayed in the Connect dialog and (depending on whether the check box is cleared or selected) you can connect to either standard or Oracle Applications database EULs.

17.3.1 Entering Details into the fields GWYUID/Password and FNDNAM

If you select either the Connect to applications EULs or Connect to both standard and applications EULs radio button, further details can be entered into the following fields:

• Gateway User ID (GWYUID)/Password
  This field enables you to record your Gateway User ID and Password (the default value `applsyspub/pub' will be used if nothing is entered here).

• Foundation Name (FNDNAM)
  This field enables you to enter the Foundation Name (Default value `apps' will be used if nothing is entered here).

If you do not know what the above values are contact your Oracle Applications system administrator.

17.4 Configuring the Connect dialog for Discoverer 4i Plus and Discoverer 4i Viewer

This section explains how to configure the Connect dialog for Oracle Applications users of Discoverer 4i Plus and Discoverer 4i Viewer.

Oracle Discoverer 4i Plus and Oracle Discoverer 4i Viewer can be configured to validate Oracle Applications usernames and passwords during the connect process.

For further details please refer to Oracle Discoverer 4i Configuration Guide for Oracle 9i Application Server.

17.5 How to use Discoverer Administration Edition in Applications Mode

17.5.1 Enable Discoverer Applications Mode

In order to run Discoverer in Applications mode you first need to start Discoverer Administration Edition in Applications mode then create an Applications mode EUL.

This section describes the how you start Discoverer Administration Edition in Applications Mode.

1. Create an Applications Mode EUL.

   This EUL has special features that provide support for use with Oracle Applications.

   For more information, see Section 17.6, "Create an Applications Mode EUL."

2. Connect to Discoverer Administration Edition using an Applications User Name and Responsibility.

   For more information, see Section 17.7, "Connect to an Applications Mode EUL."

17.5.2 Enable Multiple Organizations Support in Discoverer

This section describes the prerequisites required for you to use Discoverer in conjunction with the Oracle Applications Multiple Organizations Support feature.

Using Discoverer with Oracle Applications Multiple Organizations Support enables you to to work with data from more than one Organization. Users can query and analyze data from a set of Organizations to which they have been granted access.

To use Discoverer Administration Edition in conjunction with the Oracle Applications Multiple Organizations Support feature the following prerequisites must be met:

• Discoverer Administration Edition must be running in Applications mode.

• The Folders in the EUL you are connecting to must be based on Oracle Business Views (available in Oracle Applications 11i).

• You must have an Applications mode EUL

17.5.3 Changes in Behavior

This section describes the noticeable changes in behavior that occur when Discoverer Administration Edition is running in Applications mode.

17.5.3.1 Privileges and security

The Privileges and Security dialogs display Oracle Applications user names and responsibilities instead of native Oracle Users and database Roles. Privileges and security are assigned to Oracle Applications Usernames and Responsibilities. To learn more about granting privileges via the Public user see Section 17.7.1.1.1, "Grant Task privileges to all Oracle Applications users via the Public user".

For more general information about Discoverer Access Privileges and Security see Chapter 8, "Access Privileges and Security".

17.5.3.2 Managed Summaries

Some Applications Database Views contain row level security and return differing result sets depending upon the currently active responsibility. This means that the Summary Table or Materialized View (MV) (8.1.6+ databases) would contain different data depending on the responsibility of the user that refreshed the table.

If a user performs a query against the detail data associated with such a Managed Summary Folder, and Summary Redirection is performed, the user will be told that no rows satisfy this criteria (this ensures that the user does not see data they should not have access to). As an administrator, you should ensure that Summary Folders that are based on Applications Secure Views or Applications Business Views are created as External (rather than Managed).

Managed Summaries Folders on data without Applications row level security are completely unaffected. Users can continue to use External Summary Tables. If the External Summary Table is registered against an object with Applications row level security, it is the responsibility of the administrator to make sure the External Summary Table provides secure access.

Some views with row-level security, support "public" rows (particularly the Apps Human Resources). So sometimes Managed Summary Tables or MVs contain small amounts of data.

17.5.3.3 Secure Views and Language Settings

When Discoverer Plus or Discoverer 4i users access Workbooks accessing Secure Views, they may get different results on different machines, even when using the same Connect details. A possible cause is that the machines have different local language (NLS) settings.

When using Secure Views, machines' local language settings affect the data retrieved by Discoverer. To change a machines local language setting, on Windows NT, choose Start\Settings\Control Panel\Regional Settings and change the language value. Discoverer will then display data consistently across machines with the same language setting.

For more information on Secure Views refer to Chapter C.4, "Running queries against Secure Views and making Query Prediction faster".

You can also define a language setting (NLS) for a User/Responsibility/Application/Site using the Profiles setting in Oracle APPS application. Refer to your Oracle Applications documentation for more information.

17.6 Create an Applications Mode EUL

This section describes how you create an Applications Mode EUL (including and new Oracle Applications user) using the Create EUL dialog.

An Applications Mode EUL can also be created via the command line (see Section D.9.6, "Creating an Applications Mode EUL" for details).

The only native-Oracle user that can connect to an Applications Mode EUL is the EUL owner.

1. Start Discoverer Administration Edition

2. Connect as the dba entering the username/password and database connect string in order to create an Oracle Applications user.
   For example, dba/dbapassword@oracleappsdb
   The EUL owner must be a database user and not an Oracle Applications user.

Figure 17-2 Connect to an Oracle Applications database as dba

3. If the Oracle Applications User check box is displayed beneath the Connect dialog, make sure that you select the Oracle Applications User option.

4. Click Connect to display the following dialog:

Figure 17-3 Choose whether to create an EUL now

5. Click Yes to display the EUL Manager dialog:

Figure 17-4 EUL Manager (create EUL)

6. Click Create an EUL to start the Create EUL Wizard where you create a new database schema/user and Oracle Applications EUL:

Figure 17-5 Create EUL Wizard (Create Apps user and Apps EUL)

7. Select the Create a new user radio button.
   This enables you to create a new Oracle Applications EUL user/schema.
   (If there is an existing user/schema select the Select an existing user radio button you can choose that user as the owner of the new Oracle Applications EUL).

8. Select the Grant access to PUBLIC check box.
   We recommend that you select this check box, however if you wish to explicitly give access to your EUL then do not check this box. But you will need to grant access to your EUL tables manually.

9. Select the New EUL is for Oracle Applications users ONLY check box.
   This creates an Oracle Applications EUL in the user's Oracle schema (displayed in the User field).

10. Either enter a name and password for the new Oracle Applications user.
    Or
    Select the previously created user as the owner of the new Oracle Applications EUL.

11. Click Next to display the Create EUL Wizard Step 2 where you select the Oracle Applications schema and enter the schema password:

Figure 17-6 Create EUL Wizard Step 2 (select Apps schema)

12. Use the drop down list to select the Oracle Applications schema containing the Oracle Applications FND tables.

13. Enter the password for the Oracle Applications schema.

14. Click Next to display Step 3 of the wizard where you select the Default and Temporary Tablespaces for the new database user/schema:

Figure 17-7 Create EUL Wizard Step 3 (Select default and Temporary Tablespace for new Apps user)

15. Highlight the required Default and Temporary Tablespaces you want to use for the new Oracle Applications user.

16. Click Finish
    This creates the tables and views for the new Oracle Applications EUL and populates them with default data. The following message is displayed:

Figure 17-8 Create EUL wizard - Success (create Oracle Applications EUL/user)

17. Click OK to display the following dialog:

Figure 17-9 Install tutorial data into new EUL?

18. Click No unless you want to install the tutorial data
    The following dialog is displayed:

Figure 17-10 Do you want to connect as the owner of the EUL you have just created?

19. Click Yes to connect as the owner of the EUL you have just created
    Or click No to remain connected as the dba using the current database connection.

If you clicked Yes at the previous step, you are now connected to the Oracle Applications EUL just created (as the EUL owner).

You can now grant Task Privileges to an Oracle Applications user so that they can now administer this Oracle Applications EUL. See Section 17.9, "Granting Task Privileges".

You could also create a new Business Area using the Oracle Applications tables. See Chapter 7, "Business Areas" for further information on creating Business Areas.

17.7 Connect to an Applications Mode EUL

This section describes how you connect to an Applications Mode EUL using Discoverer Administration Edition and includes the following sections:

• Connect as the EUL Owner to grant permissions and task privileges to other Oracle Applications users

• Connect as an Applications user

• Oracle Applications Responsibilities

17.7.1 Connect as the EUL Owner to grant permissions and task privileges to other Oracle Applications users

17.7.1.1 Grant permissions to Oracle Applications users

The only native-Oracle user that can connect to an Applications Mode EUL is the EUL owner. However the EUL owner can grant administration privileges to Oracle Applications users. The authorized Oracle Applications users can then connect to the Applications Mode EUL using Discoverer Administration Edition. See Section 8.2, "Granting Access Permission for Business Areas" for details.

17.7.1.1.1 Grant Task privileges to all Oracle Applications users via the Public user

You can grant task privileges to all users in one action by using the Public user in the following way:

If you access the Tools | Privileges option (when connected to Discoverer as an Oracle Applications user), you will see a user called Public. The user Public is not an Oracle Applications user but represents every Oracle Applications user. By giving one or more privileges to the Public user you are in fact giving the privileges to all Oracle Applications users. You can subsequently modify user's privileges by removing them (the privileges) on a per-user basis.

17.7.2 Connect as an Applications user

Once you have been granted Discoverer Plus task privileges (see Section 17.7.1.1, "Grant permissions to Oracle Applications users") you can connect to Discoverer as an Oracle Applications user:

17.7.2.1 Before you start

If Discoverer is not configured to use Oracle Applications EULs, you need to re-configure your Connect dialog, (see Section 17.3, "Configuring the Connect dialog for Administration Edition and Discoverer Plus (for Windows)").

Figure 17-11 An Oracle Discoverer Connect dialog for Applications Users

When you connect to Discoverer as an Oracle Applications User, the Connect dialog prompts you to enter your Oracle Applications connect details (see Status area in Figure 17-11).

17.7.2.2 Connect

Once you have configured Discoverer to use Oracle Applications EULs, (see Section 17.3, "Configuring the Connect dialog for Administration Edition and Discoverer Plus (for Windows)"), connect to Discoverer as follows:

1. Select the Oracle Applications User check box (if displayed) in the Connect dialog.

Figure 17-12 Oracle Discoverer Connect dialog for Applications Users with check box

2. Enter your Oracle Applications username, password and Oracle Applications database connect string

3. Click Connect.
   If you have more than one responsibility the Choose Responsibilities dialog is displayed (if you have only one responsibility, you will automatically be connected as that user):

Figure 17-13 Responsibilities dialog

Once you have chosen a responsibility, Discoverer connects to the applications database and displays the first screen of the Load Wizard (see Figure 3-2, "Using Load Wizard to Open a Business Area").

The above dialog can display two columns if security groups are present (Oracle Applications v11i only).

Discoverer Administration Edition is now running and connected to your applications database, the next step is to either open a business area or create a new one.

17.7.3 Oracle Applications Responsibilities

Oracle Applications users can connect with just one of a number of potential Responsibilities and each Responsibility can have a number of Privileges granted to it.

This means that an Oracle Applications user can decide the Responsibility with which to connect, and by default will assume the Privileges granted to that Responsibility (see Section 17.9, "Granting Task Privileges" for further details). Native Oracle database users (on the other hand) have Roles rather than Responsibilities and can only decide the user with which they want to connect, not the Role. Any Role(s) associated with a native Oracle database user are not selectable at connect time.

17.8 Granting Access Permission for Business Areas

This section describes how to grant (or deny) access permission for business areas to specific users or responsibilities.

The Security dialog box enables you to set access permission for business areas. To open the Security dialog box, choose Tools | Security (or click the Security icon on the toolbar).

The Security dialog box has two pages:

• The Business Area -> User page shows which users have access to a specific business area.

• The Users -> Business Area page shows which business areas a specific user can access.

The two pages provide two ways of looking at the same information. The page you choose depends on the specific task you want to perform.

Before displaying the folders in a business area, Discoverer checks if the user has database access to the tables referenced in the folders. If they don't have the necessary permission, Discoverer does not display the folders. You can override this check by changing a registry setting. For more information, see ObjectsAlwaysAccessible in Chapter E.2, "Registry Settings".

17.8.1 Specifying the Users/Responsibilities who can access a Business Area

This section describes how to specify which users or responsibilities can access a specific business area.

1. Open the Security dialog box.

   There are two ways of doing this.

   • Toolbar Icon
     Click the Security toolbar icon ().

   • Menu
     Choose Tools | Security.

2. Click the Business Area->User tab (see Figure 17-14).

Figure 17-14 Business Area->User Tab

3. Select the business area, to which, you want to grant (or deny) access permission for, from the Business area drop-down list.

4. If you want the lists to include users, tick Users (otherwise, clear it).

5. If you want the lists to include responsibilities, tick Responsibilities (otherwise, clear it).

6. To grant a user or role access to this business area, move it to the Selected users/responsibilities list.

   To select more than one user/responsibility at once, hold down Ctrl while you click on the users/responsibilities.

   The Available User/Responsibility list includes a role called Public. Select this role to view or edit the privileges that Discoverer Administration Edition provides by default for users or roles/responsibilities whose task privileges you have not yet defined.

7. For each new user or responsibility added to the Selected users/responsibilities list, specify whether they have Administration access to the business area. To do this:
   1. Click on the user or responsibility in the Selected users/responsibilities list.

   2. Tick or clear Allow Administration as required.

   The actual administration tasks a user can perform also depends on their Administration privileges. See Section 17.9, "Granting Task Privileges," for more information.

8. To deny a user or responsibility access to this Business Area, move it to the Available users/responsibilities list.

   NOTE: You may also want to ensure the user PUBLIC does not have access to this Business Area.

   9. When you have finished, click Apply or OK.

   17.8.2 Specifying the Business Areas a User/Responsibility can Access

   This section describes how to specify which business areas a specific user or responsibility can access.

   1. Open the Security dialog box.

      There are two ways of doing this.

      • Toolbar Icon
        Click the Security toolbar icon ().

      • Menu
        Choose Tools | Security.

   2. Click the User->Business Area tab (see Figure 17-15).

   Figure 17-15 Users-> Business Area
   

   3. If you want the drop-down list to include users, tick Users (otherwise, clear it).

   4. If you want the drop-down list to include responsibilities, tick Responsibilities (otherwise, clear it).

   5. Select the user or responsibility whose access permissions you want to change.

      The drop-down list for user/responsibility includes a role called Public. Select this role to view or edit the privileges that Discoverer Administration Edition provides by default for users or roles/responsibilities whose task privileges you have not yet defined.

   6. To allow the selected user or responsibility to access a business area, move it to the Selected business areas list.

      To select more than one business area at once, hold down Ctrl while you click on the users/roles.

   7. For each new business area added to the Selected business areas list, specify whether the selected user or role has Administration access. To do this:
      1. Click on the business area in the Selected business area list.

      2. Tick or clear Allow Administration as required.

      The actual administration tasks a user can perform also depends on their Administration privileges. See Section 17.9, "Granting Task Privileges," for more information.

   8. To deny the selected user or responsibility access to a Business Area, move it to the Available users/roles list.

   NOTE: You may also want to ensure the user PUBLIC does not have access to this Business Area.

   9. When you have finished, click Apply or OK.

   17.9 Granting Task Privileges

   This section describes how to grant (or deny) the privilege to perform certain tasks as an Oracle Applications user.

   The Privileges dialog box enables you to set task privileges. To open the Privileges dialog box, choose Tools | Privileges (or click the Privileges icon on the toolbar).

   The Privileges dialog box has four pages, we will focus on the first two which help you specify task privileges:

   • The Privileges page enables you to specify the task privileges granted to a responsibility or user.

   • The User/Responsibilities page enables you to grant task privileges to a user or responsibility.

   These two pages provide two ways of looking at the same information. The page you choose depends on the specific task you want to perform.

   17.9.1 Specifying the Tasks a User/Responsibility can Perform

   This section describes how to specify the tasks a specific user or responsibility can perform.

   See Section 17.7.3, "Oracle Applications Responsibilities" for further information about Responsibilities.

   1. Open the Privileges dialog box.

      There are two ways of doing this.

      • Toolbar Icon
        Click the Privileges toolbar icon ().

      • Menu
        Choose Tools | Privileges.

   2. Click the Privileges tab (see Figure 17-16).

   Figure 17-16 Granting Privileges
   

   3. If you want the drop-down list to include Oracle Applications users, tick Users (otherwise, clear it).

   4. If you want the drop-down list to include Responsibilities, tick Responsibilities (otherwise, clear it).

   5. Select the user or responsibility whose task privileges you want to change (from the drop-down list).

   6. Grant or deny specific task privileges as required. These privileges only apply to the selected user or responsibility.
      • To grant a specific privilege, select the relevant check box in the Privilege list.

      • To deny a specific privilege, clear the relevant check box in the Privilege list.

      To grant a minor privilege (shown indented in the list) you must first grant the corresponding major privilege (the first, non-indented privilege above the minor privilege).

      Deselecting (revoking) a major privilege revokes the subordinate, minor privileges for the selected user/responsibility only. This means that if a major privilege is revoked from an Oracle Applications user alone, subordinate minor privileges may not necessarily be revoked if the user's current responsibility (chosen during login) also has this major privilege. The minor privilege check boxes may remain checked.

      As you move the mouse over a privilege in the Privilege list, a brief description of the privilege appears on the right-hand side of the dialog box.

      The drop-down list for the Privileges tab (on the right hand side of this dialog) includes a responsibility called PUBLIC. Select this Responsibility to view or edit the privileges that Discoverer Administration Edition provides by default for users or responsibility whose task privileges you have not yet defined.

      NOTE: If you wish to grant Administration privileges to a user or responsibility, you must also grant that user Administration access to the business area. For more information, see Section 8.2.1, "Specifying the Users / Roles who can Access a Business Area."

   7. Choose a system profile to apply to the user or responsibility (from the Select a system profile drop-down list.

   8. Click Apply or OK.

   17.9.2 Specifying the Users / Responsibilities who can Perform a Specific Task

   This section describes how to specify the users or responsibilities that can perform a specific task.

   1. Open the Privileges dialog box.

      There are two ways of doing this.

      • Toolbar Icon
        Click the Privileges toolbar icon ().

      • Menu
        Choose Tools | Privileges.

   2. Click the User/Responsibility tab (see Figure 17-17).

   Figure 17-17 Maintaining Assigned Privileges
   

   3. If you want the list to include Oracle Applications users, select the Users check box (otherwise, clear it).

   4. If you want the list to include Oracle Applications Responsibilities, select the Responsibility check box (otherwise, clear it).

      The list is sorted alphabetically, with users at the top and responsibilities next.

   5. Select the task privilege that you want to grant (or deny) to a set of users or responsibilities (from the drop-down list).

      When you select a privilege from the drop-down list, a brief description of the privilege appears on the right-hand side of the dialog box.

   6. Grant or deny the task privilege as required.
      • To grant a user or responsibility the task privilege, tick the relevant check box in the list.

      • To deny a user or responsibility the task privilege, clear the relevant check box in the list.

        NOTE: If you wish to grant (or deny) Administration privileges to a user or responsibility, you must also grant (or deny) that user Administration access to the business area. For more information, see Section 8.2.1, "Specifying the Users / Roles who can Access a Business Area."

   7. Click Apply or OK.