Understanding Commitment Control Security
Commitment Control security augments the security used by your PeopleSoft applications, enabling you to secure the Commitment Control functions, such as creating or modifying budgets or overriding exceptions, that a user may perform on ChartField combinations for which you have established control budgets.
To set up Commitment Control security, you define a series of security rules that enable particular Commitment Control functions for particular budgets. You then apply those security rules to user IDs, permission lists, or dynamic views consisting of user IDs and associated ChartFields.
This section discusses:
Security set up order.
Security events.
Security rules.
Security rule assignment.
Use the following order for setting up security for Commitment Control:
Enable standard PeopleSoft application security.
Define users, roles, and permission lists.
Note: Coordination of overall system security options and commitment control security is important. For example, if you select options on the Security Options page by user ID, and if you select only the Business Unit check box and not the Ledger check box, the user is not able to select any ledger group for budget journals. Instead the system returns the message "No matching values were found" and the user cannot select ledger groups.
In other words, when the Security Options page has User ID Level Security selected, for any user who wants to access Ledger Group, the Ledger check box for Secured Fields must be selected and Ledger by User ID must be appropriately set up.
Security field setup comes predefined.
Oracle recommends that you not edit any of the fields on this page unless you are configuring (making changes, such as adding deleting, activating, inactivating, or renaming) Commitment Control ChartFields.
If you are configuring ChartFields, define the ChartFields that you want to secure on the Security Field Setup page. You can establish security for any ChartField that you define as a key ChartField in the control budget definition, as well as Budget Period, Ledger Group, and Ledger.
Select the events that you want to secure on the Security Events page.
Commitment Control predefines the seven events that can trigger security: Budget Entry or Adjustment, Budget Transfers, Bypass Budget, Budget Override, Budget Date Override, Workflow Notification, and Budget Inquiry.
The default security setting for these events is inactive.
Note: It is useful to know which events you want to secure before you proceed with security setup; however, it might be helpful to defer activating security events until just before running the security build process. The security build process builds the security records only for events that are activated. Deferring activation enables you to verify that the security rules you are building correctly enforce the security events, and it ensures that you are not hampered by security being activated during setup or until you are ready for security to be applied.
Define security rules for these events in the Rule Definitions component.
Security rules apply event security to the ChartField combinations (budgets) that you want to secure.
Assign security rules to individual user IDs and permission lists to tell the system which events a user has the authority to conduct for specific budgets.
You can also apply security rules dynamically, using a predefined record that contains the user IDs and the ChartField or ChartFields defined in a dynamic rule group. Use the Associate Rules to User ID, Assoc Rules to Permission List, or Attach Dynamic Rules pages.
Run the Commitment Control Security (KSEC_FLAT) process , also known as the security flattening process, from the Request Build page.
This process uses security rules and assignments to populate the tables that the system uses to check security authority during transaction entry. This Application Engine process must be run before security rules and assignments become effective.
You can Run the Commitment Control Security report, GLX8572 (BI Publisher) to view the results of the Commitment Control Security process.
The system uses these security settings to enforce security for Commitment Control across all applications in your installation. Any event that requires security processing initiates a call to the security function on a predetermined trigger, such as entering or saving a page. The system does not process any events that fail the security rule for the user ID.
See also PeopleTools: PeopleSoft Security
Commitment Control uses security events to enable you to specify the budgetary functions, or events, on which the system enforces security. There are seven event types for which you can enable security:
Budget Entry or Adjustment
Budget Transfer
Budget Override
Budget Date Override
Bypass Budget
Workflow Notification
Budget Inquire
You enable security separately for each event on the Security Events page. This enables you to decide whether to implement security across all control-budgeting functions (events) or a limited set of functions. For example, you may want to enable security for budget journal entry and adjustments to limit this activity to a small set of users, but not enable security for inquiring on existing budgets so that all users can check on the status of a budgeted amount.
The following table shows how each security event restricts access to Commitment Control functions when you activate it. The table also provides links to detailed discussions of the functions themselves:
|
Security Event |
Functions |
Further Discussion |
|---|---|---|
|
Budget Entry or Adjustment (ENT_ADJT) |
Enables you to restrict budget journal (budget amount) entry to a limited set of users. You can also restrict users to specific budgets using ChartField values. |
See Understanding Entering and Posting Commitment Control Budget Journals. |
|
Budget Transfers (TRANSFER) |
Enables you to restrict or add constraints to the ability of the user to transfer funds from one budget to another. |
See Understanding Entering and Posting Commitment Control Budget Journals. |
|
Budget Override (OVERRIDE) |
Enables you to restrict or add constraints to the ability of the user to override budget checking. Budget-checking override enables users to override budget-checking exceptions for a new transaction or to pass a transaction that has failed budget checking. Note: If Commitment Control security is active for the budget override event, the commitment control security rules will supersede the override setting for the Source Transaction Definition. The override setting on the Source Transaction Definition is taken into consideration by the system only when the override event is inactive within Commitment Control security. Note: Override at the transaction level, or header level, as for a complete override of a journal entry, can be done by a super user only. Overrides at the individual budget level for source transactions can be established for other than a super user rule. |
|
|
Workflow Notification (NOTIFY) |
The notification feature in Commitment Control enables users to be notified by workflow when budget exceptions occur or when a specified percentage of the budget has been used (Early Warning notification). Activating the Workflow Notification security event enables you to limit the budgets that a user can specify for notification. |
|
|
Budget Inquire (INQUIRE) |
Enables you to limit the users who can view control budgets. |
|
|
Bypass Budget (BYPASS) |
Enables you to limit the users who can create a General Ledger journal that bypasses budget checking entirely (as opposed to overriding a budget-checking exception). A journal that bypasses budget checking never updates the control budget ledger. This function is reserved for occasions such as when a user needs to correct a suspense journal that was generated from within a source application like Purchasing and whose accounting entries have already been budget-checked. Users may also want to bypass budget checking for journals that are created in the allocation process, when, for example:
|
|
|
Budget Date Override (BUDG_DT) |
Enables you to limit the users who can override the system-defined budget date on a source transaction. Note: You can attach this event only to a super user security rule. |
See Budget Processor. |
Security rules enable you to establish which security events can be performed on which budgets and which transactions independent of any specific user until such time as you apply the rules to a user or users. For example, you can create one security rule to enable budget entry, transfers, notification, and inquiry for a budget (or group of budgets) and create a different security rule that enables only inquiry for the same budget (or budget group). After you define your security rules, you can assign these rules to a specific user ID or all the users and roles assigned to a permission list. You can also use a dynamic rule group, which uses a SQL view that joins user IDs with ChartField values to dynamically assign users access to budgets with particular ChartField values.
The following rules govern how Commitment Control applies security rules to user IDs and permission lists:
For events that do not require a super user rule, you can create security rules that allow access to the budgets you specify for the security events you specify.
You can also create security rules that disallow such access.
Note: A super user rule is required to perform budget override, date override, and bypass at the transaction level.
When you assign a user to a security rule that allows access, the system denies the user access to any budgets and active security events that are not specified in that security rule, unless that user is assigned to another security rule that does allow access to budgets and security events not specified in the first security rule.
When you assign a user to a security rule that disallows access, the system denies the user access to the budgets and active security events you specify and gives the user access to all other budgets for those security events, unless that user is assigned to another security rule that disallows access to those unspecified budgets.
The choice between allow and disallow can save you time and effort when defining security rules. When you want to allow access to only a few budgets, use the allow attribute to specify them. When you want to allow access to all but a handful of budgets, use the disallow attribute to specify those that you want to deny access to instead of entering rows and rows of allowed budgets.
Note: All users automatically have access to inactive security events for all budgets, regardless of the security rules you establish.
You can create security rules defined solely for super users.
You can assign multiple security rules to a single user—that is, a user may have one set of security rights for one group of budgets and a different set of security rights for another group of budgets.
If you grant a user multiple security rules, and the security rules provide conflicting security access, the security rules that disallow access take precedence.
You must set up and assign security rules for users to provide access to any security event that is active.
If no security rules for a particular security event are assigned to a user, then that user has no access to that security event for any budget.
The following example provides a simplified illustration of how you can use security rules to limit a user's access to a specific set of events for a set of budgets.
Table 1: Associating Security Rules with Security Events:
|
Sec Rule |
Bdgt (CF combo) |
ENT_ADJT |
Transfer |
NOTIFY |
INQUIRE |
Override |
BUDG_DT |
BYPASS |
|---|---|---|---|---|---|---|---|---|
|
A |
Budget #1: Account 10000, DeptID 35000 |
Y |
N |
Y |
Y |
N |
N |
N |
|
B |
Budget #2: Account 10015, DeptID 35000 |
N |
N |
Y |
Y |
N |
N |
N |
|
C |
All Budgets |
N |
N |
N |
Y |
N |
N |
N |
Table 2: Associating User IDs with Security Rules:
|
User ID |
User |
Security Rules |
|---|---|---|
|
TJON |
Jones,Tammy |
A, B |
|
RSMI |
Smith,Roger |
B |
|
HBRO |
Brown,Harry |
C |
User Tammy Jones is associated with security rules A and B. According to security rule A, Ms. Jones has the security to perform the following events on budget #1: entering and adjusting, inquiring, and receiving notifications about exceptions. Security rule B enables her to inquire on and be notified of exceptions for budget #2.
User Roger Smith, also associated with security rule B, can be notified whenever an exception for budget #2 occurs and can inquire on budgetary information. However, unlike Tammy Jones, Mr. Smith cannot perform any events for budget #1.
User Harry Brown is a Junior Financial Analyst in the corporate group. Security rule C lets him inquire on the budgetary information for all budgets, but he cannot perform any substantive actions on these budgets.
Grouping Budgets for Security
You can define security rules for specific budgets and for a range or group of budgets. Instead of specifying each individual ChartField combination that you want to include within a security rule, you can specify ranges of budgets by entering ranges of ChartField values.
There are three parameters you can use to enter ranges of ChartFields:
Range: Enter the first and last ChartField value in a range.
If you enter account 10000 as the start value and 20000 as the end value, for example, you include all budgets with accounts 10000 through 20000 that meet the other ChartField value criteria in the ChartField combination.
Wild Card: Enter a wildcard (%).
For example, if you enter department 14%, you include all budgets with departments beginning with 14 that meet the other ChartField value criteria in the ChartField combination. If you enter % alone, you include budgets for all departments that meet the other ChartField value criteria in the ChartField combination.
Tree: Enter a translation tree and node to include budgets for that node and all the ChartField values that are children of that node (and which meet the other ChartField value criteria in the ChartField combination).
Usually you can use the key ChartField translation trees you set up for control budget definitions.
Note: You use Explicit when you want to select a single ChartField value, which you enter in the Start field.
See Key ChartFields and Translation Trees.
Here is an example of how you can use grouping parameters to define a group of budgets for a security rule. Assume that you entered the following ChartField values in a security rule:
ChartField Combination Set #1:
|
ChartField |
Parameter |
Start |
End |
Tree |
Node |
|---|---|---|---|---|---|
|
ACCOUNT |
Wildcard |
501% |
-- |
-- |
-- |
|
DEPTID |
Range |
30000 |
32000 |
-- |
-- |
ChartField Combination Set #2:
|
ChartField |
Parameter |
Start |
End |
Tree |
Node |
|---|---|---|---|---|---|
|
ACCOUNT |
Tree |
-- |
-- |
BUD_ ACCOUNT |
682000 |
|
DEPTID |
Wildcard |
335% |
-- |
-- |
-- |
|
PRODUCT |
Range |
200 |
250 |
-- |
-- |
The following is an excerpt from the BUD_ACCOUNT ChartField tree for this example:
Accounts ChartField Tree Excerpt
Assume that the following budgets are defined:
|
ACCOUNT |
DEPTID |
PRODUCT |
|---|---|---|
|
501020 |
20010 |
-- |
|
501020 |
30000 |
-- |
|
501025 |
30200 |
-- |
|
500500 |
31000 |
-- |
|
620000 |
35000 |
220 |
|
621000 |
33510 |
230 |
|
616200 |
33510 |
245 |
|
501020 |
33510 |
245 |
Your security rule would apply to the budgets whose ChartField values appear in italics in the table.
Conflicting Security Rules
If a budget action, or event, by a user passes any one rule, it passes the security check completely. The exception to this is when there are one or more rules that conflict. In a conflicting rules situation, the default is to disallow and the action fails security.
For example, if rule 1 is allow budget entry for DeptID 10000 through 20000 and rule 2 is to Disallow budget entry for DeptID 12000 through 21000 and both rules are assigned to the same user there is a conflict. Any attempt by that user to do a budget entry for DeptID 12000 through 20000 fails Commitment Control security.
Dynamic Security Rules
You use dynamic rules to assign security events to a ChartField that you define as a bind variable rather than a particular value or range of values. The bind variable is resolved by a view, called the dynamic rule record, that associates a user ID with a ChartField value.
See the discussion of Attaching Rules to Dynamic Rule Groups in the following section, Security Rule Assignment.
Once you have defined your security rules and applied those rules to events and business units, you are ready to attach the rules to users. You have the option to attach rules to single user IDs, to permission lists, or to dynamic rule groups.
Attaching Rules to User IDs
Assigning security rules to user IDs enables you to attach specific security rules to individuals. This can be tedious and can require a lot of maintenance for a large number of users, but it does provide a useful method for attaching special rules (such as a super user rule) to select users.
Attaching Rules to Permission Lists
Often you need to assign the same budget security to all the users of a permission list. While you could assign the security rule to each individual user, this would produce a maintenance issue in that if you needed to add a new security rule, you would have to add this rule multiple times. By taking advantage of the permission lists set up as part of your standard PeopleSoft application security, you can attach rules to a permission list, which then enables these rules for all users associated with the permission list.
Attaching Rules to Dynamic Rule Groups
In cases where a user is associated with a particular ChartField value, such as a manager and a department ID, you can create dynamic security rules and dynamic rule groups. Dynamic rule groups use a SQL view that you must define yourself, called the dynamic rule record, that joins the user ID and the ChartField value. Each user in the dynamic rule group has access to the budgets that include the ChartFields that the user is associated with in the dynamic rule record, for the security events defined in the dynamic security rule. This is far more convenient than creating and maintaining separate rules and attaching them individually to each user.
To set up dynamic rule groups, do the following:
Define a dynamic security rule in the Rule Definitions component.
This rule assigns a bind variable to the ChartField that is resolved by the dynamic rule record.
Use Application Designer to define a dynamic rule record, a SQL view that includes the user ID field and the ChartField that uses the parameter Bind in the dynamic rule.
For an example of a dynamic rule record, see the delivered record KK_DYN1 by opening the record in the PeopleSoft Application Designer.
Define a dynamic rule group by attaching the dynamic security rule to the dynamic rule record on the Attach Dynamic Rules page.
The Commitment Control Security (KK_SEC_FLAT) process creates security rows using the user ID and ChartField values from the dynamic rule record rows.
Dynamic Rule Group Example
Assume that you want to allow department managers to inquire only on their own departmental budgets. Do the following:
Define a dynamic security rule with department ID (DEPTID) defined as a bind variable and apply it to the Budget Inquire security event.
Define a dynamic rule record with the fields user ID (OPRID) and department ID, based on a join of the DEPT_TBL, the PERSONAL _DATA table, and the OPRALIAS table:
SELECT a.deptid, C.OPRIDFROM PS_DEPT_TBL A, PS_PERSONAL_DATA B, PSOPRALIAS CWHERE A.MANAGER_NAME = B.NAMEAND B.EMPLID = C.EMPLIDDefine a dynamic rule group by attaching the dynamic security rule to the dynamic rule record.
Run the Commitment Control Security process.