Homepage 5 Tag: Oracle
Accessing EBS APIs from APEX - HR_SECURITY

Accessing EBS APIs from APEX - HR_SECURITY

by | May 6, 2024 | Techblog

Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

As you're probably aware, Oracle APEX is a great tool to extend Oracle E-Business Suite. When doing so recently for a customer where I wanted to provide a way to add lines to existing orders using the OE_ORDER_PUB API I ran into a very strange situation. While my own tests worked great, the business users were not able to use the extension and got quite obscure errors as follows:

The item specified is invalid or does not exist in the warehouse you specified. Please enter a valid item-warehouse combination.

The very same test case worked for my own user.

Let's have a look how we analyzed and finally solved that problem.

Overview on extending EBS with APEX

Oracle provides a comprehensive whitepaper on how to use APEX to extend E-Business Suite: Extending Oracle E-Business Suite Release 12.2 using Oracle APEX

Recommended Database Configuration (as of mentioned Oracle Whitepaper)

The procedure suggests having a xx_apex_global package in the APPS schema that itself has an apps_initialize procedure that calls the E-Business Suite built-in function to initialize a session context for a given user, responsibility, and application.

Finding the cause of the API error

When calling OE_ORDER_PUB after doing such a context initialization for some users produced an error (OE_INVALID_ITEM_WHSE) as follows:

The item specified is invalid or does not exist in the warehouse you specified. Please enter a valid item-warehouse combination.

Analyzing this further gave, that there were no values in mtl_organizations - even though the context was properly initialized.

create or replace PROCEDURE APPS.xxis_mtl_param_test (p_user_id NUMBER)
AUTHID definer
AS
  l_tmp VARCHAR2(2000);
BEGIN
  dbms_output.put_line('starting; DB-User is:' || user);
  fnd_global.apps_initialize(p_user_id , 52203, 660);
  dbms_output.put_line('user is now: ' || fnd_global.user_id);


  SELECT
    LISTAGG(hao.organization_code, ';')
  INTO l_tmp
  FROM
    mtl_organizations hao;

  dbms_output.put_line('mtl_organizations: ' || l_tmp);
END;

To make things worse, the values that we got when calling xxis_mtl_param_test where different for the following situations:

  • when called in a SQL Developer session as the APPS database user initializing for a user IT_GUY, that is allowed to access all inventory organizations according to its security profile, everything is working fine.
  • when called in a APEX session, with both a real application or from the APEX Workbench (so technically as the APEX_PUBLIC_USER) initializing for a user IT_GUY, that is allowed to access all inventory organizations according to its security profile, everything is working fine.
  • when called in a SQL Developer session as the APPS database user initializing for a user BUSINESS_GUY, that is allowed to access only specific inventory organizations according to its security profile, everything is working fine. The list of accessible inventory organizations is filtered as expected:

    Accessing mtl_organizations as the Business User connected through APPS: Working
  • when called in a APEX session, with both a real application or from the APEX Workbench (so technically as the APEX_PUBLIC_USER) initializing for a user BUSINESS_GUY, that is allowed to access only specific inventory organizations according to its security profile, no records are shown up in mtl_organizations.

    Accessing mtl_organizations as the Business User connected through APEX_PUBLIC_USER: No accessible mtl_organizations

Debugging the code executed further brought up the HR_SECURITY package as the problematic part, since the mtl_parameters query contains a predicate as follows:

hr_security.show_record('HR_ALL_ORGANIZATION_UNITS',organization_id)='TRUE'

 Looking into the package I found the following code as the root cause:

 CURSOR csr_get_schema_mode
IS
SELECT DECODE(READ_ONLY_FLAG,'U', 'Y'
,'M', 'Y'
,'K', 'Y'
,'N') schema_mode,
DECODE(SUBSTRB(USERENV('CLIENT_INFO'), 1, 1),' ', NULL,
SUBSTRB(USERENV('CLIENT_INFO'),1, 10))
FROM FND_ORACLE_USERID
WHERE ORACLE_USERNAME = user;

That package obviously goes for the connecting user and classifies that into "real/good" users (such as the APPS user) and read-only-users (such as any custom schema - be it registered with adsplice or not.

Doing a quick hack of that decode (e.g. another decode for APEX_PUBLIC_USER to have schema_mode='Y') solved the above test case and made the OE_ORDER_PUB API call working as well.

Obviously, it is not a good idea to modify an Oracle seeded package. So, I checked (with the great help of Oracle Support) for a better solution.

Workaround for Bug 16914457

A temporary better workaround was to run the following statement:

exec fnd_oracle_user_pkg.load_row('APEX_PUBLIC_USER', 'CUSTOM', 'INVALID', 'Apex Schema Description', 'N', 'K');
commit;

That changed the APEX_PUBLIC_USER (through which ORDS connects for APEX applications in my case) to be classified as 'K' which had no negative side effects in our tests.

Summary

The above workaround allows accessing OE_ORDER_PUB and other APIs form apex without issues. I hope that there will be an official certification of the workaround through My Oracle Support soon.

Oracle Protects Healthcare Customers Against Cyberattacks

by | April 24, 2024 | PROMATIS recommends

Oracle has launched the Autonomous Shield initiative to help customers migrate to a comprehensive EHR and Cloud Infrastructure solution to reduce risk and increase system performance. Oracle Cloud Infrastructure's advanced automation and security is already benefitting more than 1,000 Oracle Health EHR customers.

In the nearly two years since the Cerner acquisition, Oracle has invested tens of thousands of engineering hours and millions of dollars to enhance its core clinical applications and improve cybersecurity for its customers in the healthcare industry. As part of this investment, Oracle has helped more than 1,000 Oracle Health EHR customers dramatically strengthen their defenses against cybercrime by supporting their migration to Oracle Cloud Infrastructure (OCI). Customers that migrated to OCI also reported performance gains of 20 to 60%. Today, Oracle is expanding its commitment to create a safer and more secure healthcare ecosystem by launching the Autonomous Shield initiative to simplify and accelerate Oracle Health EHR migrations to OCI at no additional cost.

Read the full press release here.

PROMATIS continues on its expansion course

PROMATIS continues on its expansion course

by | April 4, 2024 | Press Releases

Global partnership – PROMATIS joins forces to pursue its growth strategies

Ettlingen, 04/04/2024The business process innovator announces that it has joined the International Technology Group B.V. (ITG), a partnership of Oracle service providers whose complementary portfolios are optimally interconnected. Supported by investor IceLake Capital, PROMATIS is thus benefiting from a stronger market position and the implementation of growth strategies in terms of international expansion. This global partnership positions PROMATIS – specialist for intelligent business processes and Oracle digitization solutions – for accelerated growth with global scalability and simultaneous diversification of services. For customers, the new organizational structure offers enormous advantages in terms of future security, innovative strength and, above all, in the Managed Services & Support division.

Seizing new opportunities and preserving the tried and tested was PROMATIS' intention in joining ITG, a holding company of Dutch financial investor IceLake Capital. The previous shareholders of the PROMATIS Group transferred their shares in the company to this internationally active holding company based in Amsterdam, thereby underlining the steady growth of the group of companies. Dr. Frank Schoenthaler, CEO of PROMATIS Group, and the entire executive management will continue to perform their functions in the coming years. Schoenthaler will also be a member of the Executive Committee of the holding company. In this respect, the continuity of PROMATIS' operations, including the organizational structure and all employees, is secured for the coming years.

In addition to innovative digitization expert PROMATIS, two other strong Oracle partners are united under ITG: Quistor and Project Partners. By bringing together three of the most important Oracle solution providers in the international environment, investor IceLake Capital has succeeded in creating a perfect alignment for this market segment. The strategic alliance also identifies and taps into extraordinary synergy potential. This launch into a new era of performance means an extended geographical reach, comprehensive expert know-how in modern business applications and bundled Oracle clout. This Oracle Competence Center of the new dimension is predestined to meet increasing customer requirements and form a leading IT platform. By joining forces, new capacities will be freed up, such as an advanced and outstanding 24/7 managed services offering for functional and technical support around the clock.

“With its new size, PROMATIS is now armed with substantially enhanced capacities compared to previously, establishing a stronger stance that affects both its capability and financial power. Our customers benefit considerably from this, and it opens up completely new ways of establishing process innovations in the company,“ Dr. Frank Schoenthaler says, CEO of PROMATIS Group.

About PROMATIS:
The global solution provider PROMATIS is based in Germany in the Karlsruhe TechnologyRegion with branches in Hamburg and Muenster (Westphalia), as well as country offices in Austria (Vienna), Switzerland (Zurich), Croatia (Zagreb) and the USA (Denver, CO). A lively network of partners in business and research guarantees implementation strength and a high level of innovation.
Our experience includes Oracle Cloud Applications (incl. Fusion), NetSuite ERP and Oracle E-Business Suite as well as the Oracle Technology Stack on Prem, Cloud and hybrid. With proven process models, project tools and country- and industry-specific Best Practice solutions, we ensure that our customer solutions are cost-effective and future-proof. You can find more information about PROMATIS at www.promatis.com

About IceLake:
IceLake Capital is a private equity firm that invests in exceptional companies and focuses on helping mid-sized companies become international market leaders in their respective industries. These companies have a strong market position and benefit from support in the effective implementation of their global growth ambitions, such as buy & builds and international expansion. You can find more information at www.icelakecapital.com

About Quistor:
Founded in 2005, Quistor is known for its profound experience in JD Edwards, Oracle Infrastructure as a Service, Oracle Platform as a Service, Oracle Autonomous Data Warehouse and Oracle Analytics Cloud technology. The company’s mission is to deliver outstanding Consultancy & Managed Services. Quistor currently serves over 250+ clients globally and staffs around 250 people with offices in the Netherlands, Spain, Czech Republic, France, Mexico, United Kingdom and the Philippines.. Quistor has won several awards for its Oracle Autonomous Datawarehouse, Oracle ERP and Oracle Cloud expertise. For more information about Quistor, visit its website at www.quistor.com

About Project Partners:
Project Partners is dedicated to project-centric organizations around the globe since1997. As a full-service project technology and management consulting agency they are helping organizations across many industries deliver excellence in their project technology lifecycles from start to finish, on time, and within budget. Project Partners specializes in Oracle ERP Applications (on prem and Cloud) and a variety of Project Management and Execution Solutions. 78+ global consultants incl. 20+ experienced partners support multi-geographical operations in 19+ countries and execute implementations for organizations that manage 10,000+ projects with thousands of users who utilize multiple languages and currencies. Project Partners experience spans project modules of Primavera, Kahua, E-Business Suite, Fusion ERP, JD Edwards. You can find more information at www.projectp.com

 

Oracle Announces Fiscal 2024 Third Quarter Financial Results

by | March 14, 2024 | PROMATIS recommends

A few days ago, Oracle Corporation announced its results for the third quarter of the 2024 financial year.

Oracle Corporation (NYSE: ORCL) today announced fiscal 2024 Q3 results. Total quarterly revenues were up 7% year-over-year in both USD and constant currency to $13.3 billion. Cloud services and license support revenues were up 12% in USD and up 11% in constant currency to $10.0 billion. Cloud license and on-premise license revenues were down 3% in both USD and constant currency to $1.3 billion.

Read the full press release here

Accessing EBS APIs from APEX - HR_SECURITY

Accessing E-Business Suite Cloud Manager APIs - IDCS Token Management

by | March 4, 2024 | Techblog

Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

Previously (https://promatis.com/hr/en/fully-automating-cloning-with-e-business-suite-cloud-manager-rest-api/), I described how you can use (unofficial) APIs to fully automate E-Business Suite environments hosted with Cloud Manager on Oracle Cloud Infrastructure (OCI). As you can see there, the actual call to trigger a clone or also the termination of an environment is rather simple. I've recently used that a lot when I worked on my clone scripts. In that process, I had to create ~10 clones, and doing so with a simple REST call saved me a lot of time.

In said post, we got hold of a "OAuth Bearer Token" that is needed to call those APIs in a very manual way "through the browser". In real life, this does not really come in handy. This blog post will describe how a bearer token (including a refresh token) can be received through the command line.

Preparations

In preparation for using the scripts shown below, we have to enable the usage of "Device Codes" for the Cloud Manager application in IDCS:


Definition of Cloud Manager application in IDCS

Furthermore you should take note of the client_id, the client_secret and the IDCS url. All 3 have also been used during Cloud Manager setup.

A piece of Code

First of all, the following shell script does all the magic needed. You have to replace XXXXX, YYYYY and ZZZZZ with values from your environment:

#!/bin/sh
CLIENT_ID="XXXXX" # as in IDCS
CLIENT_SECRET="YYYYY" # as in IDCS
CLOUDMGR_URL=https://ebsoci.intern.dns
IDCS_BASE_URL=https://idcs-ZZZZZ.identity.oraclecloud.com/oauth2/v1
IDCS_TOKEN_URL=${IDCS_BASE_URL}/token
IDCS_DEVICE_URL=${IDCS_BASE_URL}/device

PASS_ENC=`echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 -w 0`

#echo PASS_ENC $PASS_ENC

if [ -f "mytoken" ]; then
REFRESH_TOKEN=`cat mytoken | jq '.refresh_token'| tr -d '"'`
echo refresh token: $REFRESH_TOKEN
BEARER_TOKEN=`curl -K -i -H 'Authorization: Basic '"$PASS_ENC"'' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST $IDCS_TOKEN_URL -d 'grant_type=refresh_token&refresh_token='"$REFRESH_TOKEN"`
cp mytoken mytoken.old
else
DEVICE_INFO=`curl -K -i -H 'Authorization: Basic '"$PASS_ENC"'' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST $IDCS_DEVICE_URL -d 'response_type=device_code&scope=urn:opc:idm:t.user.me%20offline_access&client_id='"$CLIENT_ID"`
echo $DEVICE_INFO
DEVICE_CODE=`echo $DEVICE_INFO | jq '.device_code'|tr -d '"'`
echo identified DEVICE_CODE $DEVICE_CODE press enter when done
read HAS_FINISHED
BEARER_TOKEN=`curl -K -i -H 'Authorization: Basic '"$PASS_ENC"'' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST $IDCS_TOKEN_URL -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code='"$DEVICE_CODE"`
fi

echo $BEARER_TOKEN
echo $BEARER_TOKEN > mytoken
ACCESS_TOKEN=`echo $BEARER_TOKEN| jq '.access_token'| tr -d '"'`
echo ACCESS_TOKEN: $ACCESS_TOKEN

# call the rest api to get shapes
#

curl -k -X GET $CLOUDMGR_URL/ebs/shapes/networkProfile/MY_AD2 -H 'Authorization: Bearer '"$ACCESS_TOKEN"''

First running the script

When you call this script for the first time, it gives an output as follows:

{"device_code":"xxxxxx","user_code":"CTHJNLAM","verification_uri":"https://idcs-ZZZZZ.identity.oraclecloud.com:443/ui/v1/device","expires_in":300}

identified DEVICE_CODE 483150ce7704487da495593d1c97c2a4 press enter when done

Just open the verification URI provided in a browser, sign in to IDCS and pass the user_code CTHJNLAM.

Then, return to the shell script and press return. This will allow the script to get a Bearer Token including a Refresh token.

Subsequent runs

On every subsequent run, the "previous" refresh token (stored in the file mytoken) is exchanged for an access token and a new refresh token. That new refresh token is saved (each refresh token is a one-time-use token) and can then be used for the next run.

Using the access token we received through that way, we can conveniently access the Cloud Manager APIs.

Summary

With the above way, you can get a token that is valid for at least a week. For most operations this should be sufficient; if not, these timings can be extended in IDCS. See https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/TokenExpiryTable.html for more details on that (OAuth Refresh Token Expiry).

The combination of the procedure described in this and the previous blog post allow a simple and complete end-to-end automation of clones - e.g. on a nightly basis.