1: PACKAGE BODY gl_access_set_security_pkg AS
2: /* $Header: gluasecb.pls 120.9 2005/08/19 20:34:41 ticheng ship $ */
3:
4: --
5: -- PRIVATE VARIABLES
89: --
90: FUNCTION build_privilege_clause(access_privilege_code VARCHAR2) RETURN VARCHAR2 IS
91: BEGIN
92: IF (access_privilege_code =
93: gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
94: RETURN ('');
95: ELSIF (access_privilege_code =
96: gl_access_set_security_pkg.WRITE_ACCESS) THEN
97: RETURN ('AND acc.access_privilege_code IN (''B'', ''F'') ');
92: IF (access_privilege_code =
93: gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
94: RETURN ('');
95: ELSIF (access_privilege_code =
96: gl_access_set_security_pkg.WRITE_ACCESS) THEN
97: RETURN ('AND acc.access_privilege_code IN (''B'', ''F'') ');
98: ELSIF (access_privilege_code =
99: gl_access_set_security_pkg.FULL_ACCESS) THEN
100: RETURN ('AND acc.access_privilege_code = ''F'' ');
95: ELSIF (access_privilege_code =
96: gl_access_set_security_pkg.WRITE_ACCESS) THEN
97: RETURN ('AND acc.access_privilege_code IN (''B'', ''F'') ');
98: ELSIF (access_privilege_code =
99: gl_access_set_security_pkg.FULL_ACCESS) THEN
100: RETURN ('AND acc.access_privilege_code = ''F'' ');
101: ELSE
102: fnd_message.set_name('SQLGL', 'GL_INVALID_PARAM');
103: fnd_message.set_token('VALUE', access_privilege_code);
196:
197: dum_num NUMBER(15);
198: BEGIN
199:
200: IF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
201: security_col := get_security_column(access_set_id);
202:
203: -- If the security column is null (Ledger Only access set), then segment
204: -- values will not be validated.
202:
203: -- If the security column is null (Ledger Only access set), then segment
204: -- values will not be validated.
205: IF (security_col IS NULL) THEN
206: segval_mode := gl_access_set_security_pkg.NO_SEG_VALIDATION;
207: END IF;
208: END IF;
209:
210: IF (ledger_table_alias IS NOT NULL) THEN
218: ELSE
219: segval_table := '';
220: END IF;
221:
222: IF (ledger_check_mode = gl_access_set_security_pkg.CHECK_LEDGER_COLUMN) THEN
223:
224: IF (ledger_context IS NULL) THEN
225: fnd_message.set_name('SQLGL', 'GL_INVALID_PARAM');
226: fnd_message.set_token('VALUE', ledger_context);
227: fnd_message.set_token('PARAM', 'ledger_context');
228: RAISE INVALID_PARAM;
229: END IF;
230:
231: IF (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION) THEN
232: RETURN (ledger_table || ledger_context || ' IN ( ' ||
233: 'SELECT acc.ledger_id ' ||
234: 'FROM gl_access_set_ledgers acc ' ||
235: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
232: RETURN (ledger_table || ledger_context || ' IN ( ' ||
233: 'SELECT acc.ledger_id ' ||
234: 'FROM gl_access_set_ledgers acc ' ||
235: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
236: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
237: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
238: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
239: RETURN ('(' || ledger_table || ledger_context || ', ' ||
240: segval_table || security_col || ') IN ( ' ||
233: 'SELECT acc.ledger_id ' ||
234: 'FROM gl_access_set_ledgers acc ' ||
235: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
236: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
237: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
238: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
239: RETURN ('(' || ledger_table || ledger_context || ', ' ||
240: segval_table || security_col || ') IN ( ' ||
241: 'SELECT acc.ledger_id, acc.segment_value ' ||
234: 'FROM gl_access_set_ledgers acc ' ||
235: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
236: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
237: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
238: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
239: RETURN ('(' || ledger_table || ledger_context || ', ' ||
240: segval_table || security_col || ') IN ( ' ||
241: 'SELECT acc.ledger_id, acc.segment_value ' ||
242: 'FROM gl_access_set_assignments acc ' ||
240: segval_table || security_col || ') IN ( ' ||
241: 'SELECT acc.ledger_id, acc.segment_value ' ||
242: 'FROM gl_access_set_assignments acc ' ||
243: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
244: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
245: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
246: END IF;
247:
248: ELSIF (ledger_check_mode = gl_access_set_security_pkg.CHECK_LEDGER_ID) THEN
241: 'SELECT acc.ledger_id, acc.segment_value ' ||
242: 'FROM gl_access_set_assignments acc ' ||
243: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
244: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
245: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
246: END IF;
247:
248: ELSIF (ledger_check_mode = gl_access_set_security_pkg.CHECK_LEDGER_ID) THEN
249:
244: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
245: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
246: END IF;
247:
248: ELSIF (ledger_check_mode = gl_access_set_security_pkg.CHECK_LEDGER_ID) THEN
249:
250: BEGIN
251: SELECT to_number(ledger_context)
252: INTO dum_num
264: RAISE INVALID_PARAM;
265:
266: END;
267:
268: IF (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION) THEN
269: RETURN ('');
270: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
271: RETURN (segval_table || security_col || ' IN ( ' ||
272: 'SELECT acc.segment_value ' ||
266: END;
267:
268: IF (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION) THEN
269: RETURN ('');
270: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
271: RETURN (segval_table || security_col || ' IN ( ' ||
272: 'SELECT acc.segment_value ' ||
273: 'FROM gl_access_set_assignments acc ' ||
274: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
272: 'SELECT acc.segment_value ' ||
273: 'FROM gl_access_set_assignments acc ' ||
274: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
275: 'AND acc.ledger_id = ' || ledger_context || ' ' ||
276: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
277: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
278: END IF;
279:
280: ELSIF (ledger_check_mode = gl_access_set_security_pkg.NO_LEDGER) THEN
273: 'FROM gl_access_set_assignments acc ' ||
274: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
275: 'AND acc.ledger_id = ' || ledger_context || ' ' ||
276: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
277: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
278: END IF;
279:
280: ELSIF (ledger_check_mode = gl_access_set_security_pkg.NO_LEDGER) THEN
281: IF (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION) THEN
276: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
277: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
278: END IF;
279:
280: ELSIF (ledger_check_mode = gl_access_set_security_pkg.NO_LEDGER) THEN
281: IF (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION) THEN
282: RETURN ('');
283: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
284: RETURN (segval_table || security_col || ' IN ( ' ||
277: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
278: END IF;
279:
280: ELSIF (ledger_check_mode = gl_access_set_security_pkg.NO_LEDGER) THEN
281: IF (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION) THEN
282: RETURN ('');
283: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
284: RETURN (segval_table || security_col || ' IN ( ' ||
285: 'SELECT acc.segment_value ' ||
279:
280: ELSIF (ledger_check_mode = gl_access_set_security_pkg.NO_LEDGER) THEN
281: IF (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION) THEN
282: RETURN ('');
283: ELSIF (segval_mode = gl_access_set_security_pkg.CHECK_SEGVALS) THEN
284: RETURN (segval_table || security_col || ' IN ( ' ||
285: 'SELECT acc.segment_value ' ||
286: 'FROM gl_access_set_assignments acc ' ||
287: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
284: RETURN (segval_table || security_col || ' IN ( ' ||
285: 'SELECT acc.segment_value ' ||
286: 'FROM gl_access_set_assignments acc ' ||
287: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
288: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
289: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
290: END IF;
291:
292: ELSE
285: 'SELECT acc.segment_value ' ||
286: 'FROM gl_access_set_assignments acc ' ||
287: 'WHERE acc.access_set_id = ' || to_char(access_set_id) || ' '||
288: gl_access_set_security_pkg.build_privilege_clause(access_privilege_code) ||
289: gl_access_set_security_pkg.build_date_clause(edate) || ')' );
290: END IF;
291:
292: ELSE
293: fnd_message.set_name('SQLGL', 'GL_INVALID_PARAM');
318: edatestr VARCHAR2(500) := null;
319: BEGIN
320:
321: -- First, get an in clause with just ledgers, for efficiency
322: retstring := gl_access_set_security_pkg.get_security_clause(
323: access_set_id,
324: access_privilege_code,
325: gl_access_set_security_pkg.CHECK_LEDGER_COLUMN,
326: 'LEDGER_ID',
321: -- First, get an in clause with just ledgers, for efficiency
322: retstring := gl_access_set_security_pkg.get_security_clause(
323: access_set_id,
324: access_privilege_code,
325: gl_access_set_security_pkg.CHECK_LEDGER_COLUMN,
326: 'LEDGER_ID',
327: journal_table_alias,
328: gl_access_set_security_pkg.NO_SEG_VALIDATION,
329: NULL,
324: access_privilege_code,
325: gl_access_set_security_pkg.CHECK_LEDGER_COLUMN,
326: 'LEDGER_ID',
327: journal_table_alias,
328: gl_access_set_security_pkg.NO_SEG_VALIDATION,
329: NULL,
330: NULL,
331: NULL);
332:
338: -- See if we really need to check dates. We only need to check dates
339: -- for implicitly created access sets that were created for ledgers.
340: need_check_edate := FALSE;
341: -- IF (check_edate) THEN
342: -- IF (gl_access_set_security_pkg.check_dates(access_set_id)) THEN
343: -- need_check_edate := TRUE;
344: -- END IF;
345: -- END IF;
346:
345: -- END IF;
346:
347: -- If the caller doesn't want segment validation or this is a ledger-only
348: -- access set, then only check segment values
349: IF ( (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION)
350: OR (security_col IS NULL)
351: ) THEN
352: IF (access_privilege_code = gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
353: IF (need_check_edate) THEN
348: -- access set, then only check segment values
349: IF ( (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION)
350: OR (security_col IS NULL)
351: ) THEN
352: IF (access_privilege_code = gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
353: IF (need_check_edate) THEN
354: -- We know that the ledger is good, we just need to check the date.
355: RETURN(retstring || ' '||
356: 'AND EXISTS ' ||
390: edatestr || '))');
391: END IF;
392: END IF;
393:
394: IF (access_privilege_code = gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
395: IF (need_check_edate) THEN
396: edatestr :=
397: 'AND '||journal_table_alias||'.default_effective_date ' ||
398: 'BETWEEN nvl(acc.start_date, '||
463:
464: -- See if we really need to check dates. We only need to check dates
465: -- for implicitly created access sets that were created for ledgers.
466: --IF (check_edate) THEN
467: -- IF (gl_access_set_security_pkg.check_dates(access_set_id)) THEN
468: -- edatestr :=
469: -- 'AND jeh.default_effective_date ' ||
470: -- 'BETWEEN nvl(acc.start_date, jeh.default_effective_date-1) '||
471: -- 'AND nvl(acc.end_date, jeh.default_effective_date+1) ';
473: --END IF;
474:
475: -- If the caller doesn't want segment validation or this is a ledger-only
476: -- access set, then build a statement without segment validation
477: IF ( (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION)
478: OR (security_col IS NULL)) THEN
479: IF (access_privilege_code = gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
480: RETURN(
481: 'EXISTS ' ||
475: -- If the caller doesn't want segment validation or this is a ledger-only
476: -- access set, then build a statement without segment validation
477: IF ( (segval_mode = gl_access_set_security_pkg.NO_SEG_VALIDATION)
478: OR (security_col IS NULL)) THEN
479: IF (access_privilege_code = gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
480: RETURN(
481: 'EXISTS ' ||
482: '(SELECT ''readable journal'' '||
483: 'FROM gl_je_headers jeh, ' ||
501: edatestr || ')) ');
502: END IF;
503:
504: ELSE -- Need to check segment values
505: IF (access_privilege_code = gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
506: RETURN(
507: 'EXISTS ' ||
508: '(SELECT ''readable line'' '||
509: 'FROM gl_je_headers jeh, '||
593:
594: EXCEPTION
595: WHEN NO_DATA_FOUND THEN
596: -- Anyone can write to a batch with no journals
597: RETURN(nvl(check_mode,gl_access_set_security_pkg.WRITE_ACCESS));
598: END;
599: END IF;
600:
601: -- Check whether we are to check for write access
598: END;
599: END IF;
600:
601: -- Check whether we are to check for write access
602: IF (nvl(check_mode,gl_access_set_security_pkg.WRITE_ACCESS)
603: <> gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
604:
605: sqlbuf := 'SELECT ''no write'' '||
606: 'FROM dual ' ||
599: END IF;
600:
601: -- Check whether we are to check for write access
602: IF (nvl(check_mode,gl_access_set_security_pkg.WRITE_ACCESS)
603: <> gl_access_set_security_pkg.READ_ONLY_ACCESS) THEN
604:
605: sqlbuf := 'SELECT ''no write'' '||
606: 'FROM dual ' ||
607: 'WHERE EXISTS ' ||
666: EXCEPTION
667: -- If nothing has been returned then we know that we DO
668: -- have write, so return write
669: WHEN NO_DATA_FOUND THEN
670: RETURN(gl_access_set_security_pkg.WRITE_ACCESS);
671: END;
672: END IF;
673:
674: -- Check whether we are to check for read-only access
671: END;
672: END IF;
673:
674: -- Check whether we are to check for read-only access
675: IF (nvl(check_mode, gl_access_set_security_pkg.READ_ONLY_ACCESS)
676: <> gl_access_set_security_pkg.WRITE_ACCESS) THEN
677: sqlbuf := 'SELECT ''has read'' '||
678: 'FROM dual ' ||
679: 'WHERE EXISTS ' ||
672: END IF;
673:
674: -- Check whether we are to check for read-only access
675: IF (nvl(check_mode, gl_access_set_security_pkg.READ_ONLY_ACCESS)
676: <> gl_access_set_security_pkg.WRITE_ACCESS) THEN
677: sqlbuf := 'SELECT ''has read'' '||
678: 'FROM dual ' ||
679: 'WHERE EXISTS ' ||
680: '(SELECT ''has read'' ' ||
729: IN access_set_id;
730: END IF;
731:
732: IF (dummy IS NOT NULL) THEN
733: RETURN(gl_access_set_security_pkg.READ_ONLY_ACCESS);
734: END IF;
735: EXCEPTION
736: WHEN NO_DATA_FOUND THEN
737: NULL;
738: END;
739: END IF;
740:
741: -- We haven't found anything, so return no access
742: RETURN(gl_access_set_security_pkg.NO_ACCESS);
743: END get_journal_access;
744:
745: FUNCTION get_default_ledger_id( x_access_set_id NUMBER,
746: x_access_privilege_code VARCHAR2 )
752: AND asl.ledger_id = (select gas.default_ledger_id
753: from gl_access_sets gas
754: where gas.access_set_id = asl.access_set_id)
755: AND ( ( (x_access_privilege_code
756: = gl_access_set_security_pkg.FULL_ACCESS)
757: AND (asl.access_privilege_code = 'F'))
758: OR ( (x_access_privilege_code
759: = gl_access_set_security_pkg.WRITE_ACCESS)
760: AND (asl.access_privilege_code IN ('F', 'B')))
755: AND ( ( (x_access_privilege_code
756: = gl_access_set_security_pkg.FULL_ACCESS)
757: AND (asl.access_privilege_code = 'F'))
758: OR ( (x_access_privilege_code
759: = gl_access_set_security_pkg.WRITE_ACCESS)
760: AND (asl.access_privilege_code IN ('F', 'B')))
761: OR (x_access_privilege_code = 'R'));
762:
763: CURSOR gdl IS
764: SELECT DISTINCT ledger_id
765: FROM gl_access_set_ledgers
766: WHERE access_set_id = x_access_set_id
767: AND ( ( (x_access_privilege_code
768: = gl_access_set_security_pkg.FULL_ACCESS)
769: AND (access_privilege_code = 'F'))
770: OR ( (x_access_privilege_code
771: = gl_access_set_security_pkg.WRITE_ACCESS)
772: AND (access_privilege_code IN ('F', 'B')))
767: AND ( ( (x_access_privilege_code
768: = gl_access_set_security_pkg.FULL_ACCESS)
769: AND (access_privilege_code = 'F'))
770: OR ( (x_access_privilege_code
771: = gl_access_set_security_pkg.WRITE_ACCESS)
772: AND (access_privilege_code IN ('F', 'B')))
773: OR (x_access_privilege_code = 'R'));
774:
775: x_ledger_id NUMBER;
775: x_ledger_id NUMBER;
776: x_ledger_id2 NUMBER;
777: BEGIN
778: IF (x_access_privilege_code NOT IN
779: (gl_access_set_security_pkg.FULL_ACCESS,
780: gl_access_set_security_pkg.WRITE_ACCESS,
781: gl_access_set_security_pkg.READ_ONLY_ACCESS)) THEN
782: RETURN NULL;
783: END IF;
776: x_ledger_id2 NUMBER;
777: BEGIN
778: IF (x_access_privilege_code NOT IN
779: (gl_access_set_security_pkg.FULL_ACCESS,
780: gl_access_set_security_pkg.WRITE_ACCESS,
781: gl_access_set_security_pkg.READ_ONLY_ACCESS)) THEN
782: RETURN NULL;
783: END IF;
784:
777: BEGIN
778: IF (x_access_privilege_code NOT IN
779: (gl_access_set_security_pkg.FULL_ACCESS,
780: gl_access_set_security_pkg.WRITE_ACCESS,
781: gl_access_set_security_pkg.READ_ONLY_ACCESS)) THEN
782: RETURN NULL;
783: END IF;
784:
785: -- First choice: check if the access set has default ledger assigned that
911:
912: RETURN acc_priv_code;
913: END get_access;
914:
915: END gl_access_set_security_pkg;