Advanced Security

Advanced Security

Overview

Advanced Security

System References

Distribution

Job Title*

Ownership

The Job Title [?Subject=EDUxxxxx] is responsible for ensuring that this document is necessary and that it reflects actual practice.

Advanced Security

Objectives

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

Data Access Sets are a security feature that enables you to grant and secure access to ledgers, or portions of the ledger, by its balancing segment values or management segment values.

•If a balancing segment value is assigned to a ledger, then you can secure access to specific balancing segment values.

•Furthermore, if you have balancing segment values assigned to a legal entity, then you can secure access to specific legal entities.

Data Access Set Types:

•Full Ledger Access means you have access to the entire ledger.

-For example, this could mean read-only access to the entire ledger or both read and write access.

•Specific BSVs means you can only access one or more balancing segment values for that ledger.

-You can specify read-only, read and write access, or a combination of the two for different balancing segment values.

Notes:

•Segment Value (Flexfield) Security Rules provide similar functionality. A key feature of Segment Value Security is general data access restriction within a responsibility.

•Data Access Sets provide more advanced configurations within a responsibility, because you can now have tailored access rules to multiple ledgers within the same responsibility.

-For example, you can block access to one segment for one ledger and allow access for the same segment in another ledger in the same responsibility for balancing and management segments.

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

BSV security adds an important aspect to multi-ledger processing. This aspect of Data Access Sets enables us to maintain more granular control for multi-ledger processing at the responsibility level.

For example, while reviewing ledger sets, you can perform the following GL processes across multiple ledgers simultaneously:

•Opening and closing periods

•Creating period-closing journals, mass allocations, and recurring journals

•Translating balances

•Viewing journals and balances using account inquiry

•Financial Reporting, including both standard reports and FSG reports.

With BSV Data Access Security, you can prevent or limit access to certain processes. For example, you can generate recurring journals for a subset of BSVs for multiple ledgers in a ledger set. For cross-ledger operations, a responsibility with limited access to one BSV in a set of ledgers can still run FSG reports, but can only query data from the segments for which the responsibility has access.

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

If you have read and write access to the entire ledger, then you can enter and post journals to all BSVs for the ledger.

If you have read and write access to only some BSVs for the ledger, then you will only be able to enter and post journals for those BSVs.

When viewing a journal, you only need read access to any of the BSVs contained in the journal lines. For journal lines which you do not have BSV access to those lines will not appear in the journal entry, but the credits and debits will still balance.

When modifying a journal batch, you must have write access to all ledgers or BSVs that are used in that batch.

You are allowed to change, reverse, tax, delete, and post a journal if you have write access to all of the ledger/BSV combinations in the batch.

You can only update, approve, delete, or post a batch if you have write access to all of the ledger/BSV combinations in the batch.

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

A key point to keep in mind as we view the next few examples is that access is granted at the responsibility-level.

Here is an example of a Data Access Set having full ledger access to a ledger. The ledger called US Corporate has three balancing segment values assigned to it that represent each of the three different legal entities for this ledger, US East, US West, and US South.

Here we have specified read-only access on this ledger, so you will only be able to view existing journals, view balances, and view reports for all balancing segment values.

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

This example shows a Data Access Set that secures access by BSVs. The same ledger called US Corporate is assigned to this Data Access Set. You can specify read-only access to BSV 01 that represents the US East Legal Entity, and you can specify read and write access to the other two balancing segment values for legal entities, US West and US South.

Thus, for US East (BSV 01), you will only be able to view journals, view balances and view reports. You will not be able to enter journals or update balances for BSV 01.

On the other hand, for BSVs 02 and 03, in which you have full read and write access, you can enter and post journals, view and update balances, and view and run reports for those balancing segment values.

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

By assigning more than one ledger to a Data Access Set, you can access multiple ledgers from a single responsibility.

Here, we have assigned two ledgers to the Data Access Set, the EMEA ledger and the APAC ledger. By assigning read and write privileges to both ledgers, you will be able to view, enter and post journals, view and update balances, and view and run reports for both ledgers.

You can also secure each ledger by assigning read-only or read and write access to different ledgers assigned to the same Data Access Set.

The emphasis here is that we can specify both broader access to multiple ledgers and more granular access by restricting access to specific BSVs.

Setup and Process

Data Access Security for Legal Entities and Ledgers Setup and Process

Data Access Security for Legal Entities and Ledgers

Setup and Process

The setup for the security aspect of Data Access Sets is the same as we saw earlier.

You manually define a Data Access Set and tailor it to your needs, or use the system-generated Data Access Sets.

Again, if you have more than GL responsibility assigned to a particular user, each responsibility for the particular user has access to the superset of all combined Data Access Sets assigned to the user’s responsibilities.

Data Access Security for Legal Entities and Ledgers Setup - Define Data Access Set

Data Access Security for Legal Entities and Ledgers

Setup - Define Data Access Set

(N) Setup : Financials : Data Access Sets

Notice the Access Set Type field. There are three options:

•Full Ledger

•Balancing Segment Value

•Management Segment Value

Each Data Access Set must be of one of these access set types. Depending on the Access Set Type, you can assign more specific access restrictions, such as to specific business segment or management segment values.

To specify BSV levels of data access granularity, the Access Set Type must be set accordingly and the corresponding BSVs specified in the Specific column under Access Details > Values.

Management Reporting and Security

Management Reporting and Security

In Release 12, a new type of segment qualifier has been added, a management segment qualifier. You can assign this to a segment in which you want to perform management reporting and analysis. For example, you can include a Cost Center, a Line of Business, or a Product Line because they tend to have managers assigned to them.

If you choose a management segment, you can use data access sets to limit access to specific management segment values.

Management Reporting and Security

Management Reporting and Security

Above is an example of how the management segment may be used. This is the cost center organizational hierarchy. Director A has cost center OU97, Director B has OS69 and Director C has OX53.

Assume Director A and his counterparts are very competitive with each other and they’re always competing on who has the lowest expenses and who gets the higher budgets, etc.

By assigning the cost center segment as the management segment, we can secure read and write access to certain management segment values based on cost center manager.

•For example, Director A may have read and write access to only his cost center enabling him to modify budget amounts or expense items and view his results in management reports.

•Director A would not have access to Director B or Director C’s cost center or to Vice President's cost center (which most likely is a parent value of all of his direct reports).

Management Reporting and Security

Management Reporting and Security

On the other hand, the Vice President would have full read and write access to his cost center 0683 which is the parent of his direct reports Child cost center:

•Director A OU97

•Director B OS69

•Director C OX53

The VP has full access to all of his direct reports’ data. Having access to the parent account will allow access to child data.

Management Reporting and Security

Management Reporting and Security Setup

Management Reporting and Security Setup

•Select a segment of your chart of accounts to designate as your management segment.

•Define a data access set secured by management segment values within a ledger or across ledgers in a ledger set.

•Assign the data access set to a responsibility, and the security will take effect for that responsibility.

•This is available in all applications that use data access sets.

Note: The management segment can be any segment except the balancing segment, natural account segment or intercompany segment.

Summary

Copyright © Oracle, 2007. All rights reserved.

Advanced SecurityEDU3FB3Y.DOC

Effective mm/dd/yyPage 1 of 20Rev 1