Flexfield Value Set Security

Introduction

Separation of Duties (SoD) is one of the key concepts of internal controls, and it is a requirement for many regulations, including the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), and the European Union Data Protection Directive. Its primary intent is to put barriers in place to prevent fraud or theft by an individual acting alone. Implementing Separation of Duties requires an initial evaluation of the privileges required for the various roles involved in administering applications. These roles should be chosen to minimize the possibility that users could modify data across application functions where the users should not normally have access. For flexfields and report parameters in Oracle E-Business Suite, values in independent and dependent value sets can ultimately affect functionality such as the rollup of accounting data, job grades used at a company, and so on. Controlling access to the creation or modification of value set values can thus be an important piece of implementing Separation of Duties in an organization.

Value Set Security

Flexfield value set security allows system administrators to restrict users from viewing, adding or updating values in specific value sets. Value set security enables role-based separation of duties for key flexfields, descriptive flexfields, and report parameters. For example, you can set up value set security such that certain users can view or insert values for any value set used by the Accounting Flexfield but no other value sets, while other users can view and update values for value sets used for any flexfields in the Oracle Human Capital Management applications. You can also segregate access by Operating Unit as well as by role or responsibility.

Value set security uses a combination of data security and role-based access control in Oracle User Management. Flexfield value set security provides a level of security that is different from the previously-existing function security and flexfield value security features in Oracle E-Business Suite:

The effect of flexfield value set security is that a user of the Segment Values form will only be able to view those value sets for which the user has been granted access. Further, the user will be able to insert or update/disable values in that value set if the user has been granted privileges to do so.

Note that where a value set is being used by multiple flexfield segments or report parameters, any changes made to a value set affect all segments or parameters that use the same value set, even if access is not explicitly granted for the flexfield that shares the value set.

Note: Flexfield value set security is not currently supported by the Account Hierarchy Manager in Oracle General Ledger, though the Account Hierarchy Manager only provides access to value sets that are used for the Accounting Flexfield. Flexfield value set security is also not currently supported by the Setup Workbench in the Oracle Product Information Management product. For both of these products, you should maintain tight control over who has access to these pages on their menus.

Initial State of the Feature upon Upgrade

When you initially install or upgrade to Release 12.2, no users are allowed to view, insert or update any value set values. You must explicitly set up access for specific users by enabling appropriate grants and roles for those users.

We recommend using flexfield value set security as part of a comprehensive Separation of Duties strategy. However, if you choose not to implement flexfield value set security upon upgrading to or installing Release 12.2, you have two simple options to give users access to all value sets for backwards compatibility:

  1. Assign the seeded unlimited-access role ("Flexfield and Report Values: All privileges") directly to users, responsibilities, or other roles. With this option, users who have function security access to the Segment Values form and have this role either directly or indirectly can see, insert, and update values for any value set.

  2. Create an "all-value-sets, all-privileges, all-users" grant (complete backwards compatibility, described later). With this option, any users who have function security access to the Segment Values form can view, insert, and update values for any value set. This option is very easy to set up, but it is not recommended because it defeats the purpose of the Separation of Duties feature.

If you decide later that you want to implement flexfield value set security as part of your Separation of Duties controls, you can delete such grants (revoke privileges) or end-date the role assignments or the grants.

New Value Sets

No users are allowed to view, insert or update any value set values unless access is explicitly granted. You must explicitly set up access for specific users by enabling appropriate grants and roles for those users. That restriction includes values for value sets created by the same user. For example, if a user creates a new value set definition using the Value Set window and immediately goes to create values for that new value set, the user will not be able to find or enter values for that new set unless:

  1. The user has a grant for that specific value set name.

    OR

  2. The user has an "all-value-sets" role or grant.

    OR

  3. The value set is attached to a flexfield or report segment, and the user has a grant or role that gives access to that segment or report parameter.

Access Path in Segment Values Form

In the Find window for the Segment Values form, you have various ways to find and access a particular value set for defining values, as shown in the following figure: by value set name, by key flexfield, by descriptive flexfield, or by report parameter (parameters for concurrent programs set up to use Standard Request Submission).

Access Paths for a Value Set

In the Find screen of the Segment Values form, the lists of values (LOV) pop-ups will show you only those value set names, flexfields, structures, and so on for which you have been granted access. If you have not been granted access to a particular value set, it will not show up in the LOV. It will appear as if that value set does not exist. If you have no grants to any value sets (either by name or through flexfields or report parameters), you will not see any LOV entries, and you may see a message that “List of Values contains no entries”. You may also see this message if you do not have access to any value sets specified by criteria you have already entered in prior fields in the Find window.

Shared Value Sets

Access to shared value sets can be granted through different "pathways" to the value set name:

Access Pathways to A Shared Value Set

If you have a grant to access a particular value set, you must access that value set through the path for which it was granted, such as through a particular key flexfield segment, even if it is shared by other segments. For example, if you have a grant to the "Company" segment of the Accounting Flexfield, "Vision Operations" structure, you cannot access that value set through the "Parameter A" report parameter for the "Special" report in the Oracle General Ledger application, even if they both use the same value set. However, you can always access the value set by its name. Also, if you have a grant that gives access to the value set by its name, then you can access it by either value set name or through whatever segment or report parameter it is attached to.

Multiple Grants to the Same Value Set

If a user has multiple grants to the same value set (through different pathways), and those grants provide different privileges, the resulting privileges are the union of the privileges of the grants, as shown in the following picture.

Multiple Grants to One Value Set

Roles

We recommend that you create roles and create grants to those roles rather than directly to individual users. While you can create grants directly to individual users or responsibilities, creating roles first and assigning them to users or other roles provides a more powerful and flexible way to control access. You can assign roles to other roles, responsibilities, or individual users as appropriate for your needs.

Related Topics

Overview of Values and Value Sets

Overview of Flexfield Value Security

Oracle E-Business Suite Security Guide

Setting Up Flexfield Value Set Security

Setting up value set security before Release 12.2.6 mostly consists of creating grants using the Functional Administrator or User Management responsibility. For Release 12.2.6 and above, the "Flexfield Value Sets: Security Administration Setup Wizard" makes creating these grants simpler. Here are the overall setup steps:

  1. Plan your flexfield value set security (who should have what roles, value sets, privileges, and so on).

  2. Create a role (or responsibility).

  3. Create one or more grants for the role, either with the Release 12.2.6 setup wizard or using the Grants page, as described below.

  4. Assign the role to users.

Creating Grants Using the Setup Wizard

In Oracle E-Business Suite Release 12.2.6 and higher, you can use the "Flexfield Value Sets: Security Administration Setup" wizard to create grants for your role.

  1. To access the wizard, create a new role (or responsibility) or search for an existing one using the Roles and Role Inheritance page in the User Management responsibility. For an existing role, click Update for the role. If you are creating a new role, save your changes before proceeding.

  2. Select the Security Wizards button.

  3. Select the Run Wizard icon for the "Flexfield Value Sets: Security Administration Setup" row in the list of available security wizards.

  4. In the Flexfield Value Set Security Wizard page, any existing flexfield value set security grants for the role appear in the Grants table. To create a new grant, select the Create Grant button.

  5. Enter a grant name and description. Meaningful names and descriptions will help later for maintenance and auditing.

  6. Enter security context if needed. If you are attaching the role to a specific responsibility, you should enter that responsibility name here, and you should create a similar grant for each responsibility to which you attach the role. The responsibility name ensures that the grant applies only when the user is working within the specified responsibility.

  7. In the Grant Information section, select the privileges that will be granted to the role (Insert, View Only, and so on).

  8. For the "Authorize Value Sets by" field, select the choice you need. For example, you could authorize a role user to insert values for the value set for any segment of a specified key flexfield, or just for a single segment of a specific descriptive flexfield.

  9. Based on what you selected for the "Authorize Value Sets by" field, you see appropriate parameters for that choice. Select the specific flexfield, parameter, value set name and so on as appropriate for the grant. If you selected "All Value Sets", you will not see any parameters.

  10. Select Apply to apply the changes to the grant.

  11. Select OK for the confirmation message.

  12. Select Apply in the Flexfield Value Set Security Wizard page to exit the wizard.

  13. Select Apply in the Update Role page to apply your changes to the role (adding the grant to the role).

Creating Grants using the Grants Page

The grant has three basic parts that we assign when we create the grant using the Grants page (accessed through the Functional Administrator responsibility).

  1. Grantee and security context (who gets privileges and the context where privileges are available)

  2. Data security object “Flexfield Value Set Security Object”, object instance set, and parameter values if needed (what data is affected by the grant)

  3. Permission set (what privileges are allowed on the object)

The grant is where you associate a grantee (a single user or a group of users who have a specific role or responsibility) with the object instance set and parameter values that identify the correct value sets for the grantee. You set which specific flexfields, value set names, and so on can be accessed as part of the grant. These are the specific parameter values that correspond to parameters in the object instance set predicate (WHERE clauses). The grant is tied to the data security object. The grant is also where you associate the appropriate seeded permission set with the grantee. See the “Seed Data Reference Information” section for lists of the available object instance sets and permission sets.

Maintaining Flexfield Value Set Security

The Grants page does not allow you to change parameter values, although it is possible to change parameter values through the setup wizard. The setup wizard allows you to modify parameter values of flexfield value set security grants that were created using the Grants page or the wizard (using the readable names, rather than the ID numbers).

As time passes, you will find that you need to change your flexfield value set security grants and roles. We recommend that instead of deleting or updating existing grants, you should provide an end date for the old grants and then create new grants. This will make auditing easier in the future.

Examples

Here are several examples of setting up flexfield value set security. In these examples we will show steps for both styles of creating grants: using the Release 12.2.6 setup wizard and using the Grants page. Steps other than actually creating the grants, such as planning and creating the roles, are the same in both cases.

The wizard hides some of the complexity of creating grants with the Grants page. For example, if you are using the wizard you do not need to find the hidden ID numbers for value sets, flexfield structures, and so on. However, understanding that information is still useful because the Grants page will show ID numbers as grant parameters, even if you created those grants with the wizard. Conversely, the wizard will show the non-ID values, such as flexfield structure names, for flexfield value set security grants that have been created using the Grants page.

The following examples use the information in the section Flexfield Value Set Security Reference Information, which includes predefined object instance sets and the parameters they require, predefined permission sets, and so on.

Example of Setting Up a Role with Access to a Specific Value Set

We want to create a new role, “Vision Operations: Company Segment Value Maintenance” that can be assigned to certain users who are allowed to create and modify Company segment values. The Company segment is the balancing segment, so we want to keep strict controls on who can insert and update values for it. There are two main ways we could grant authorization for this segment: by value set or by a key flexfield plus the flexfield structure and segment. For this example, we authorize access by a specific value set.

  1. Planning: Find the Value Set

    First we determine which value set we need to authorize. In the Key Flexfield Segments form, we query our flexfield structure and see what value set is attached to the Company segment. We want the “Operations Company” value set, as shown in the following picture:

    Choosing the "Operations Company" Value Set

    If you are using the Grants page instead of the wizard to set up your flexfield value set security, you also need to find the value set ID number for the value set. There are two ways to find the value set ID number once you have the value set name:

    • Use the Examine feature from this row

    • Use a SQL query

    If you have access to the Examine feature (part of the Help > Diagnostics menu), place your cursor in the Value Set field (or in any field in the same row for the segment you want). Select the Help menu, then Diagnostics, and then Examine.

    Selecting the Examine Option

    Examine displays the name of the value set, but we want the underlying ID for the value set. Select the List of Values for the "Field" field in the Examine window, as shown in the following picture:

    Selecting the List of Values for the "Field" Field

    We enter flex% in the Find field of the list of values to shorten the list, select FLEX_VALUE_SET_ID from the list, and select OK, as shown in the following picture:

    Choosing 'FLEX_VALUE_SET_ID'

    We see an ID number in the Value field of the Examine window. We copy this value set ID number and save it to use in our grant.

    Copying the Value Set ID Number

    If you do not have access to Examine, you must use a SQL query in the database to find the ID value from the value set name. You may need to contact your system administrator or database administrator to run the SQL query. See the section Flexfield Value Set Security Reference Information for recommended SQL queries.

  2. Create the Role

    First we create a role using the User Management responsibility. We navigate to the Roles and Role Inheritance page and click the Create Role button.

    Navigating to the Roles and Role Inheritance Page

    We enter the role code “UMX|VIS_OPS_AFF_COMPANY_SEG_MAINT”, the display name “Vision Operations: Company Segment Value Maintenance”, and other information about our role:

    Creating a Role

    We save our changes to the role at this point and then click on the Security Wizards button or the Create Grant button. We then create the grant as appropriate for our choice.

  3. Create the Grant using the Setup Wizard

    Once we select the Security Wizards button, we see a list of available wizards. The list of available wizards may vary. We select the Run Wizard icon for the "Flexfield Value Sets: Security Administration Setup" row.

    Creating a Grant using the Setup Wizard

    Now we see the Role Details page of the setup wizard. If there are any existing grants for our role, we see them in the Grants section at the bottom of the page. We select the Create Grant button in the Grants section.

    Adding Role Details

    Now we can create our grant using the wizard. We specify a descriptive name and description of our grant. If you want this grant to apply within a particular responsibility (for example, to authorize the user to define Company values from within only a particular responsibility) or operating unit, you can specify a responsibility or operating unit, but we leave them blank for our example.

    Defining a Grant using the Value Set Security Wizard

    In the Grant Information region we select Insert/Update for Value Set Privileges and Value Set Name in the "Authorize Value Sets by" field. Once we have chosen values for these two fields, the "Select Parameters" section shows that we should choose a value set name. We click on the "Add Row" icon at the top of the parameters table, and then we choose Operations Company as our value set name. If we wanted our grant to authorize the role for multiple value sets, we would click "Add Row" again for each additional value set we want.

    We select Apply to save our grant. We click on OK to acknowledge the Confirmation message, and then we see the role information with our grant information. Then we click Apply to exit the wizard.

    Finally, we select Apply in the Update Role page to get back to the Roles and Role Inheritance page.

    Applying Changes to the Role

  4. Create the Grant using the Grants Page

    If we cannot create the grant using the wizard, we create it using the Grants page instead. Once we click Create Grant, we can define our grant. Because we started from our role, the Grantee Type and Grantee fields are already set to our role. If you want this grant to apply within a particular responsibility (for example, to authorize the user to define Company values from within only a particular responsibility) or operating unit, you can specify a responsibility or operating unit, but we leave them blank for our example. We specify “Flexfield Value Set Security Object” in the Object field and select Next.

    Defining a Grant in the Grants Page

    Now we select “Instance Set” for the Data Context Type. Because we want to specify a particular value set, we specify the “Value set” instance set and click Next.

    Specifying the "Value Set" Instance Set

    Next we specify parameter values that specify exactly which value set we want. This object instance set allows us to specify ID numbers for up to 10 value sets as parameters. We just specify the ID number for our single value set. Note that the parameter values in the grant are literal values, so the parameter value we enter must exactly match the value set ID (1002470 in our example).

    At the bottom of the page we enter “Flexfield Value Set Security Insert/Update Set” as the permission set because we want privileges to view/insert/update/disable values. We click Next.

    Specify the Value Set ID Number as a Parameter Value

    Now we review our grant and then click Finish. We get a confirmation message, click OK, and then click Apply to save our grant and role.

  5. Assign the Role to a User

    Now we need to assign our new role and grant to a user. We navigate to the Users page in the User Management responsibility and search for the OPERATIONS user. We click the Update icon.

    Navigating to the User Maintenance Page

    We click the Assign Roles button.

    Selecting "Assign Roles" in the Update User Page

    We search for the “Vision Operations: Company Segment Value Maintenance” role we just created and select it:

    Searching for the Newly-Created Role

    Finally, we provide a justification for adding the role to the OPERATIONS user and click Apply.

    Assigning the Role

    Once the “Workflow Background Engine” process has run, the OPERATIONS user will be able to insert and update values for the Company segment in the Segment Values form.

Example of Setting Up Accounting Flexfield Value Set Access for a Specific Structure

In this example, we want to give users with a specific responsibility (“Belgium, Payables, Operations”) access to insert and modify values for all value sets used for a particular structure of the Accounting Flexfield key flexfield. For this example, we use the “Vision Belgium Accounting Flex” key flexfield structure. In the Grants page, the object instance set that selects a single key flexfield structure is “Key flexfield structure”. For the wizard, we would select Key Flexfield Structure for the "Authorize Value Sets by" field. Because we want the user to be able to view/insert/update/disable values, we will use the “Flexfield Value Set Security Insert/Update Set” permission set in the Grants page, or Insert/Update for the Value Set Privileges field using the wizard.

Here is the "Belgium Accounting Flex" structure we plan to use for our grant, along with the names of its segments and value sets:

Setting Up Accounting Flexfield Value Set Access for the "Belgium Accounting Flex" structure

If we are using the Grants page, we use Examine again to get the hidden values for application_id (always 101 for General Ledger), flexfield code (always GL# for the Accounting Flexfield), and structure ID (from the field called ID_FLEX_NUM). The structure ID for the Belgium Accounting Flex structure is 50714, as shown in the following picture.

Examine Field and Variable Values Window

  1. Create the Grant Using the Wizard

    In this case, we will create a grant to a responsibility directly instead of using a role. In the Roles and Role Inheritance page we search for the “Belgium, Payables, Operations” responsibility and select the Update icon. Then we select the Security Wizards button to get into the wizard.

    Now we can create our grant using the wizard. We specify a descriptive name and description for our grant.

    For the Security Context, we are assigning our grant to a group of users, in this case, all users who have the “Belgium, Payables, Operations” responsibility. We specify the same responsibility name in the Responsibility field so that the grant will only take effect when the user is in that particular responsibility. So in our case, the user would have access to our value sets while in the “Belgium, Payables, Operations” responsibility but not while in the “System Administrator” responsibility, for example.

    In the Grant Information region we select Insert/Update for Value Set Privileges and Key Flexfield Structure in the "Authorize Value Sets by" field. Once we have chosen values for these two fields, the "Select Parameters" section shows that we should choose an application, a key flexfield name, and a structure. We choose General Ledger for the Application field, Accounting Flexfield for the Key Flexfield Name field, and Belgium Accounting Flex for the Structure Name field.

    We select Apply to save our grant. We click on OK to acknowledge the Confirmation message, and then we see the responsibility information with our grant information. Then we click Apply to exit the wizard.

    Finally, we select Apply in the Update Role page to get back to the Roles and Role Inheritance page.

    Value Set Security Wizard Page

  2. Create the Grant Using the Grants Page

    If we cannot create the grant using the wizard, we create it using the Grants page instead. In this case, we will create a grant to a responsibility directly instead of using a role. In the Functional Administrator responsibility, we navigate to the Grants page and click Create Grant.

    Grants Page

    We enter a name and description for our grant.

    For the Security Context, we assign our grant to a group of users, in this case, all users who have the “Belgium, Payables, Operations” responsibility. We specify the same responsibility name in the Responsibility field so that the grant will only take effect when the user is in that particular responsibility. So in our case, the user would have access to our value sets while in the “Belgium, Payables, Operations” responsibility but not while in the “System Administrator” responsibility, for example.

    For Data Security, we select “Flexfield Value Set Security Object” for the Object.

    Define Grant Page

    In the next page, we select the “Key flexfield structure” object instance set because we want to restrict users to value sets used for a particular structure of a key flexfield:

    Select Object Data Context Page

    The following picture shows the specific parameter values we specify as part of creating the grant:

    • Parameter 1: 101 for the General Ledger application ID

    • Parameter 2: GL# for the Accounting Flexfield

    • Parameter 3: 50714 for the Belgium Accounting Flex structure ID

    Note that these parameter values in the grant are literal values, so the parameter values we enter must exactly match the values for the flexfield, and the values are case sensitive. To make our job easier, we first created a small text document and copied the values we needed to and from the text document.

    Define Object Parameters and Select Set Page

    At the bottom of the page we enter “Flexfield Value Set Security Insert/Update Set” as the permission set because we want privileges to view/insert/update/disable values. We click Next. Now we review our grant and then click Finish. We get a confirmation message for the grant creation and click OK.

  3. Now we assign our responsibility to users as usual.

Creating a Similar Grant (Grant Duplication) Using the Grants Page

When you access the Grants page directly from the Functional Administrator responsibility and search for a specific grant, you can easily duplicate that grant and change parameter values and other details for the duplicate grant. For example, you can make your new grant apply to a different responsibility than the original grant applied to. This duplication feature makes creating similar grants much faster and easier, though you still need to obtain the ID values for the grant parameters as we show in the previous example.

The Release 12.2.6 setup wizard does not have a duplication feature. Because you can only get to the wizard by searching for a specific role or responsibility first, you cannot duplicate an attached grant and then assign it to some other role or responsibility. However, once you have searched for and retrieved the target role or responsibility in the Roles and Role Inheritance page, creating a brand new grant using the wizard is the same as in the previous wizard examples, and the wizard does not require the ID values.

  1. Now we want to create a similar grant for a different structure, in this case the “Chile Accounting Flex” structure. The following picture shows the segments for the Chile Accounting Flex structure:

    Creating a Similar Grant for the "Chile Accounting Flex" Structure

    This grant will have the same parameter values as the previous grant except for the structure ID, so we use Examine again to obtain that ID (52074).

    Because we have just created a grant for the similar Belgium Accounting Flex structure, we can take a shortcut and duplicate that previous grant. We click the Duplicate icon on the Grants page.

    Duplicating the Previous Grant

    Then we modify the values to reflect our Chile structure in the Define Grant page:

    Modifying the Values of the Grant for the Chile Structure

    We enter a new name and description for the grant. For the Security Context in this example, we assign our grant to the group of users who have the "Payables, Vision Chile" responsibility. We specify the same responsibility name in the Responsibility field so that the grant will only take effect when the user is in that particular responsibility.

    We use the same object instance set as before, in the Select Object Data Context page:

    Selecting the Same Object Instance Set

    Finally, we modify the structure ID in Parameter 3 to be 52074:

    Modifying the Structure ID for the Parameter

    After we save our new grant, users of both responsibilities would be authorized to access and modify values in the Operations Department value set, which is used for both the Cost Centre segment in the Belgium structure and the Cost Center segment in the Chile structure. Those users would also be able to modify values for other value sets for their respective flexfield structures.
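The grant behaviour described in the Shared Value Sets and Multiple Grants sections, and the shared "Operations Department" exposure noted above, can be checked offline with a small review script. This is an added example, not Oracle code: it is a simplified model that keys value sets by name rather than ID, and the role names DEPT_VIEWER, OLD_DEPT_MAINT and TYPO_ROLE, the two "... Company (constructed)" value sets, and the treatment of end dates as inclusive are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

VIEW_ONLY = frozenset({"view"})
INSERT_UPDATE = frozenset({"view", "insert", "update"})  # update includes disabling values

# Pathway (application_id, flexfield code, structure ID, segment) -> value set name.
# 101, GL#, 50714, 52074 and the shared "Operations Department" set are from the page;
# the two "... Company (constructed)" value set names are made up for this example.
ATTACHMENTS = {
    (101, "GL#", 50714, "Company"): "Belgium Company (constructed)",
    (101, "GL#", 50714, "Cost Centre"): "Operations Department",
    (101, "GL#", 52074, "Company"): "Chile Company (constructed)",
    (101, "GL#", 52074, "Cost Center"): "Operations Department",
}

@dataclass(frozen=True)
class Grant:
    grantee: str                          # role or responsibility that holds the grant
    scope: str                            # "ALL", "NAME" or "KFF_STRUCTURE"
    params: tuple                         # literal values, compared exactly (case sensitive)
    privileges: frozenset
    responsibility: Optional[str] = None  # security context; None means any responsibility
    end_date: Optional[date] = None       # end-dated grants stay on record for audit

BE, CL = "Belgium, Payables, Operations", "Payables, Vision Chile"
GRANTS = [
    Grant(BE, "KFF_STRUCTURE", (101, "GL#", 50714), INSERT_UPDATE, responsibility=BE),
    Grant(CL, "KFF_STRUCTURE", (101, "GL#", 52074), INSERT_UPDATE, responsibility=CL),
    # Constructed grants: a view-only role, a retired grant, and a mistyped parameter.
    Grant("DEPT_VIEWER", "NAME", ("Operations Department",), VIEW_ONLY),
    Grant("OLD_DEPT_MAINT", "NAME", ("Operations Department",), INSERT_UPDATE,
          end_date=date(2020, 1, 1)),
    Grant("TYPO_ROLE", "KFF_STRUCTURE", (101, "gl#", 50714), INSERT_UPDATE),
]

def paths_of(grant):
    """Pathways a structure-level grant names; name and all-value-set grants name none."""
    if grant.scope != "KFF_STRUCTURE":
        return set()
    return {path for path in ATTACHMENTS if path[:3] == grant.params}

def covers(grant, value_set):
    """True if the grant reaches the value set by any route."""
    if grant.scope == "ALL":
        return True
    if grant.scope == "NAME":
        return value_set in grant.params
    return any(ATTACHMENTS[p] == value_set for p in paths_of(grant))

def applicable(grants, roles, responsibility, today):
    """Grants held through `roles`, not end-dated, and valid in this responsibility."""
    return [g for g in grants
            if g.grantee in roles
            and (g.end_date is None or g.end_date >= today)
            and g.responsibility in (None, responsibility)]

def effective_privileges(grants, roles, responsibility, value_set, today):
    """Union of privileges over every applicable grant that reaches the value set."""
    privs = set()
    for g in applicable(grants, roles, responsibility, today):
        if covers(g, value_set):
            privs |= g.privileges
    return privs  # empty set: no grant, so the value set is invisible (default deny)

def can_use_path(grants, roles, responsibility, path, today):
    """A pathway is usable if a grant names it, or a name/all grant covers its value set."""
    value_set = ATTACHMENTS[path]
    for g in applicable(grants, roles, responsibility, today):
        if path in paths_of(g) or (g.scope in ("ALL", "NAME") and covers(g, value_set)):
            return True
    return False

def writers_of(grants, value_set, today):
    """SoD review: grantees whose current grants allow insert or update on a value set."""
    return sorted({g.grantee for g in grants
                   if (g.end_date is None or g.end_date >= today)
                   and covers(g, value_set)
                   and g.privileges & {"insert", "update"}})

if __name__ == "__main__":
    # Both responsibilities can change the shared value set, each through its own structure.
    print(writers_of(GRANTS, "Operations Department", date(2024, 1, 1)))
```

Running writers_of over each value set that backs a sensitive segment shows which grantees can change it through some other structure that shares the same value set.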

Flexfield Value Set Security Reference Information

Flexfield value security includes logic in the Segment Values form (FNDFFMSV form, also known as the Flexfield Values Window) that checks that a user is authorized to view, insert, or update values (including disabling them) for a particular value set. Flexfield value security includes seed data that allows administrators to set up the security. For Release 12.2.6 and later, much of this seed data is used behind the scenes rather than being visible as it is in the Grants page.

Do not modify any of the shipped seed data. The seed data includes the following:

Data Security Object

There is one predefined data security object: Flexfield Value Set Security Object (FND_FLEX_VSET_OBJECT). You specify this data security object for grants you create using the Grants page.

Object Instance Sets

The “Flexfield Value Set Security Object” data security object has several predefined object instance sets, where each object instance set includes an appropriate predicate (WHERE clause). The object instance sets specify which value sets a user can access. These seeded object instance sets (also called "access policies") are designed to be reused across many different grants. You specify one object instance set for each grant you create using the Grants page.

Most of these object instance sets require specific parameter values to be specified as part of the grant. These parameters appear in the predicate of the object instance set in the Grants page and in the table below. You must specify values for all of the parameters shown for a given object instance set. The values must exactly match the data.

Warning: Do not modify any of the predefined object instance sets, and do not create additional object instance sets for flexfield value set security.

The seeded object instance sets for the Grants page include those in the following table:

Shipped Object Instance Sets

| Object Instance Set Name (Displayed) | Code | Description | Parameters |
|---|---|---|---|
| Key flexfields for an application | FND_FLEX_VSET_OBJSET_BY_APPK | Value sets used by all key flexfields for a given application ID | Parameter 1: application ID. Example: for General Ledger, the application ID is 101 |
| Descriptive flexfields for an application | FND_FLEX_VSET_OBJSET_BY_APPD | Value sets used by all descriptive flexfields for a given application ID | Parameter 1: application ID. Example: for General Ledger, the application ID is 101 |
| Concurrent programs for an application | FND_FLEX_VSET_OBJSET_BY_APPC | Value sets used by all concurrent programs for a given application ID | Parameter 1: application ID. Example: for General Ledger, the application ID is 101 |
| All value sets | FND_FLEX_VSET_OBJSET_ALL | All value sets (for backwards compatibility only) | No parameters. |
| Value set name | FND_FLEX_VSET_OBJSET_BY_VSET | Specific value sets by value set ID | Parameters 1-10: value set ID number. You can specify one to ten value sets for the grant, one ID number per parameter. If you need more than ten value sets, create one or more additional grants. All value sets specified for a grant will have the same permission set that specifies privileges (insert, update, and so on). For value sets where the user should have different privileges, create an additional grant that uses a different permission set. |
| Key flexfield | FND_FLEX_VSET_OBJSET_BY_KFF | Value sets by application ID and key flexfield code | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: flexfield code. Example: for the Accounting Flexfield, the code is GL# |
| Descriptive flexfield | FND_FLEX_VSET_OBJSET_BY_DFF | Value sets by application ID and descriptive flexfield name | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: descriptive flexfield name (not title). Example: for "Enter Journals: Lines" (title), the name is GL_JE_LINES |
| Descriptive flexfield context | FND_FLEX_VSET_OBJSET_BY_DCTX | Value sets by application ID, descriptive flexfield name and context field value code | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: descriptive flexfield name (not title). Example: for "Enter Journals: Lines" (title), the name is GL_JE_LINES; Parameter 3: context field value code (not name). Example: Trading Partner |
| Key flexfield structure | FND_FLEX_VSET_OBJSET_BY_KSTR | Value sets by application ID, key flexfield code and key flexfield structure ID | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: key flexfield code. Example: for the Accounting Flexfield, the code is GL#; Parameter 3: key flexfield structure ID (id_flex_num). Example: for the "Belgium Accounting Flex" structure, the structure ID is 50714 |
| Concurrent program | FND_FLEX_VSET_OBJSET_BY_CP | Value sets by application ID and concurrent program short name | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: program short name. Example: for the "General Ledger - Entered Currency" program, the short name is GLRFCLD |
| Concurrent program parameter | FND_FLEX_VSET_OBJSET_BY_CPRM | Value sets by application ID, concurrent program short name and parameter token | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: program short name. Example: for the "General Ledger - Entered Currency" program, the short name is GLRFCLD; Parameter 3: parameter name. Example: Entered Currency |
| Key flexfield segment | FND_FLEX_VSET_OBJSET_BY_KSEG | Value sets by application ID, key flexfield code, key flexfield structure ID and segment name | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: key flexfield code. Example: for the Accounting Flexfield, the code is GL#; Parameter 3: key flexfield structure ID (id_flex_num). Example: for the "Belgium Accounting Flex" structure, the structure ID is 50714; Parameter 4: segment name (not prompt). Example: Company |
| Descriptive flexfield segment | FND_FLEX_VSET_OBJSET_BY_DSEG | Value sets by application ID, descriptive flexfield name, context field value code and segment name | Parameter 1: application ID. Example: for General Ledger, the application ID is 101; Parameter 2: descriptive flexfield name (not title). Example: for "Enter Journals: Lines" (title), the name is GL_JE_LINES; Parameter 3: context field value code (not name). Example: Retail Bank - London; Parameter 4: segment name (not prompt). Example: Source System |

If you are using the Grants page, you can use the Examine feature to get ID values from the flexfield setup forms. You do not need Examine for the other parameter values, which are names and codes. Alternatively, you can use the following SQL queries to get the values you need for the parameters above.

To get values for key flexfields, use the following SQL query:

    select application_id, id_flex_code, id_flex_num, segment_name
    from fnd_flex_kff_seg_vset_v
    where application_name='<application name>'
    and id_flex_name='<flexfield title>'
    and id_flex_structure_name='<structure title>'

where id_flex_structure_name is the structure title.

For example:

    select application_id, id_flex_code, id_flex_num, segment_name
    from fnd_flex_kff_seg_vset_v
    where application_name='General Ledger'
    and id_flex_name='Accounting Flexfield'
    and id_flex_structure_name='Belgium Accounting Flex'

To get values for descriptive flexfields, use the following SQL query:

    select application_id, descriptive_flexfield_name, context_code, segment_name
    from fnd_flex_dff_seg_vset_v
    where application_name='<application name>'
    and title='<descriptive flexfield title>'
    and context_name='<context field value name>'

For example:

    select application_id, descriptive_flexfield_name, context_code, segment_name
    from fnd_flex_dff_seg_vset_v
    where application_name='General Ledger'
    and title='Enter Journals: Lines'
    and context_name='Trading Partner'

To get values for concurrent programs, use the following SQL query with your own concurrent program name:

    select application_id, concurrent_program_name, argument_name
    from fnd_flex_cp_param_vset_v
    where application_name='<application name>'
    and user_concurrent_program_name='<program>'

For example:

    select application_id, concurrent_program_name, argument_name
    from fnd_flex_cp_param_vset_v
    where application_name='General Ledger'
    and user_concurrent_program_name='General Ledger - Entered Currency'

Permission Sets and Permissions

There are four predefined permission sets corresponding to the single data security object. You must specify one of these permission sets in each flexfield value set security grant you create using the Grants page. The following table lists these permission sets:

Predefined Permission Sets

| Permission Set Name (Displayed) | Code | Description |
|---|---|---|
| Flexfield Value Set Security Insert Set | FND_FLEX_VSET_INSERT_PS | Privileges to view and insert values but not make any changes to existing values |
| Flexfield Value Set Security Insert/Update Set | FND_FLEX_VSET_INSERT_UPDATE_PS | Privileges to view and insert/update/disable values |
| Flexfield Value Set Security Update Set | FND_FLEX_VSET_UPDATE_PS | Privileges to view and update/disable values but not create new values |
| Flexfield Value Set Security View Only Set | FND_FLEX_VSET_VIEW_ONLY_PS | Privileges to view values but not make any changes |

There are three predefined permissions that are used in the permission sets listed above. These permissions are used in the Segment Values form to determine which actions a user can perform on values in the form. These are not shown in the Grants page or the wizard. These three permissions are listed in the following table:

Predefined Permissions

| Permission Name (Displayed) | Code | Description |
|---|---|---|
| Flexfield Value Set Security Insert Permission | FND_FLEX_VSET_INSERT | Privileges to view and insert values |
| Flexfield Value Set Security Update Permission | FND_FLEX_VSET_UPDATE | Privileges to view and update/disable values |
| Flexfield Value Set Security View Only Permission | FND_FLEX_VSET_VIEW | Privileges to view values but not make any changes |

All-Privileges Role for Backwards Compatibility for Individual Users

There is one predefined role shipped as part of the feature. This role provides view, insert and update privileges for the values of all value sets whose values can be defined using the Segment Values form (FNDFFMSV). That includes independent and dependent value sets for flexfields and report parameters. This feature also affects parent values for Table Validated value sets where the "Allow Parent Values" flag is checked for the value set. This role should only be assigned to individual users for backwards compatibility. The result of having this role is that if the user has access to the Segment Values form (Key Flexfield, Descriptive Flexfield, and Validation) on a menu, the user can modify all values for all flexfields and report parameters.

The role includes a predefined grant specific to the role: “Flexfield Value Set Security: All privileges grant”. We recommend that you do not use this role, but create and use more limited roles of your own as part of your Separation of Duties controls. You can create as many additional roles as you need.

Complete Backwards Compatibility

We recommend that you set up flexfield value set security to restrict privileges for modifying value sets to specific users as described previously. However, if you want complete backwards compatibility, where all users with access to the Segment Values form can modify all value sets, the simplest way to do this is the following procedure:

  1. In the Functional Administrator responsibility, navigate to the Grants page and click Create Grant.

  2. Enter a name and description for the grant.

  3. For the Security Context, assign the grant to all users (the default setting).

  4. For Data Security, select "Flexfield Value Set Security Object" for the Object, and click Next.

  5. For Data Context Type, select Instance Set.

  6. For Instance Set, select "All value sets", and click Next.

  7. For Set, select the "Flexfield Value Set Security Insert/Update Set" permission set. You do not need to specify any parameter values. Click Next.

  8. Check your settings and click Finish.

However, we recommend that you do not create this "all-value-sets, all-privileges, all-users" grant at all since that would defeat the purpose of being able to separate and secure who can modify values for particular value sets. If you are creating additional, more specific grants, this grant will also make it seem like those grants are not functioning properly (since everyone will already have access to everything).

Troubleshooting

Ideally your flexfield value set security setup will work perfectly. However, if it does not, here are some things to help you find the cause of any problems you might have.

  1. Symptom: Changes to grants, roles, and role assignments do not seem to be taking effect.

    Probable cause: The Workflow process "Synchronize WF LOCAL Tables" has not run.

    Resolution: Start the concurrent manager and verify that the process runs.

  2. Symptom: Flexfield value set security does not seem to be working—all users can insert and update into any value set.

    Probable cause: A grant has been created for "all users".

    Resolution: Change the grant to apply only to specific users or groups of users.

  3. Symptom: The results of a security grant are not what is expected—not all expected results are present.

    Probable cause: Parameters for object instance set are incorrect—the ID number, or spelling, spacing, punctuation, and case must exactly match the data (segment name, for example).

    Probable cause: You may be using the wrong data in parameters (using the wrong ID value, for example).

    Resolution: Verify all of the above and correct the setup. We recommend copying and pasting data from Segments or Value Sets forms, for example.

  4. Symptom: The results of a security grant are not what is expected—more results are present than expected.

    Probable cause: Combination of grants—each grant returns results, and those results are combined (grants have an “OR” relationship).

    Probable cause: You may have an "all-value-sets, all-privileges, all-users" grant that is masking more specific grants (since everyone will already have access to everything). You should avoid having any of these grants in a production system.

    Resolution: Verify all of the above and correct the setup if necessary.

  5. Symptom: Poor performance in the Segment Values form, particularly in the Find window.

    Probable cause: You may have too many grants that must be evaluated.

    Resolution: Verify all of the above and correct the setup if necessary.

  6. Symptom: A user is granted access to a particular value set that is shared across different flexfield segments (such as in different structures of the same key flexfield) or report parameters but is unable to see the choices in the lists of values in the Find window of the Segment Values form.

    Probable cause: Grants are created with specific pathways to a given shared value set, such as for a specific key flexfield segment in a specific structure. If the user searches for the value set through a different pathway, such as for a different flexfield structure than the one specified in the grant, the user will not be able to find it through the different path, even if the path is correct. The user is restricted to finding the value set through the pathway specified in the grant, or by the value set name.

    Resolution: Verify all of the above and correct the setup if necessary.
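
The parameter rules in the object instance set table and the causes listed under symptoms 2 to 4 can be checked on grant definitions before they are entered in the Grants page. The following is an added example, not Oracle code: the record layout, the grantee labels and the finding codes are assumptions of this sketch, while the instance set codes, permission set codes and parameter counts come from the tables above.

```python
# Added example: lint grant definitions before entering them in the Grants page.
# Record field names, grantee labels and finding codes are assumptions of this sketch.
ALL_SETS = "FND_FLEX_VSET_OBJSET_ALL"
BY_VSET = "FND_FLEX_VSET_OBJSET_BY_VSET"  # takes one to ten value set IDs
KSTR, KSEG = "FND_FLEX_VSET_OBJSET_BY_KSTR", "FND_FLEX_VSET_OBJSET_BY_KSEG"
RW = "FND_FLEX_VSET_INSERT_UPDATE_PS"
# Exact number of parameters each seeded object instance set requires.
REQUIRED_PARAMS = {
    ALL_SETS: 0, "FND_FLEX_VSET_OBJSET_BY_APPK": 1,
    "FND_FLEX_VSET_OBJSET_BY_APPD": 1, "FND_FLEX_VSET_OBJSET_BY_APPC": 1,
    "FND_FLEX_VSET_OBJSET_BY_KFF": 2, "FND_FLEX_VSET_OBJSET_BY_DFF": 2,
    "FND_FLEX_VSET_OBJSET_BY_CP": 2, "FND_FLEX_VSET_OBJSET_BY_DCTX": 3,
    KSTR: 3, "FND_FLEX_VSET_OBJSET_BY_CPRM": 3,
    KSEG: 4, "FND_FLEX_VSET_OBJSET_BY_DSEG": 4,
}
# Permission sets that allow more than viewing values.
WRITE_SETS = {"FND_FLEX_VSET_INSERT_PS", RW, "FND_FLEX_VSET_UPDATE_PS"}


def review_grant(grant):
    """Return finding codes for one grant record; an empty list means clean."""
    findings = []
    iset, params = grant["instance_set"], grant.get("params", [])
    if iset == BY_VSET:
        if not 1 <= len(params) <= 10:
            findings.append("PARAM_COUNT")
    elif iset not in REQUIRED_PARAMS:
        findings.append("UNKNOWN_INSTANCE_SET")
    elif len(params) != REQUIRED_PARAMS[iset]:
        findings.append("PARAM_COUNT")
    # Parameter values must match the data exactly, so padding breaks a grant.
    if any(p == "" or p != p.strip() for p in params):
        findings.append("PARAM_WHITESPACE")
    # A write grant to all users hides the effect of every narrower grant.
    if grant["grantee"] == "ALL_USERS" and grant["permission_set"] in WRITE_SETS:
        findings.append("MASKS_ALL_GRANTS" if iset == ALL_SETS else "ALL_USERS_WRITE")
    return findings


def grant(name, grantee, iset, *params, pset=RW):
    return {"name": name, "grantee": grantee, "instance_set": iset,
            "params": list(params), "permission_set": pset}


# Constructed records; 101, GL#, 50714 and 52074 are the page's example values.
SAMPLE_GRANTS = [
    grant("belgium", "GROUP:constructed", KSTR, "101", "GL#", "50714"),
    grant("chile", "GROUP:Payables, Vision Chile", KSTR, "101", "GL#", "52074"),
    grant("short", "GROUP:constructed", KSEG, "101", "GL#", "50714"),
    grant("padded", "GROUP:constructed", KSEG, "101", "GL#", "50714", "Company "),
    grant("compat", "ALL_USERS", ALL_SETS),
]

for g in SAMPLE_GRANTS:
    print(g["name"], review_grant(g) or "ok")
```

The "short" record omits the segment name that the key flexfield segment set requires, "padded" carries a trailing space in the segment name, and "compat" is the all-value-sets, all-privileges, all-users grant from the Complete Backwards Compatibility procedure.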