Setting Up Commitment Control Security Rules

To set up commitment control security rules, use the Security Rule Definition (KSEC_RULE_ENTRY) component.

Security rules enable you to establish, independently of any specific user, which security events can be performed on which budgets. Setup for security rules consists of defining the security rules and applying them to business units, and applying the security rules to security events. These are described in this section:

Page Name	Definition Name	Usage
Budget Security - Rule Definition Page	KSEC_RULE_ENTRY	Specify the key ChartField values and business units that define the budgets included in a security rule.
Budget Security - Apply Rule Page	KSEC_RULE_APPLY_TO	Apply the attributes that you defined on the Rule Definition page to one or more security events.

Use the Budget Security - Rule Definition page (KSEC_RULE_ENTRY) to specify the key ChartField values and business units that define the budgets included in a security rule.

Navigation:

Commitment Control > Define Budget Security > Rule Definitions > Rule Definition

Field or Control	Description
Attribute	Select one of the following: Allow: Create a security rule that allows users access to the ChartField combinations that you specify in the Security Rule Combination scroll area, for the business units you specify in the Apply Rule to Business Units scroll area, and the security events that you specify on the Apply Rule page. Users are denied access to any ChartField combinations, security events, and business units that you do not specify, unless they have access through another security rule. Disallow: Create a security rule that prevents a user from accessing the ChartField combinations that you specify in the Security Rule Combination scroll area for the business units you specify in the Valid Business Units scroll area and the security events that you specify on the Apply Rule page. Users are granted access to any ChartField combinations that you do not specify for the security events and business units that you do specify. Super User: Create a super user security rule. When you select Super User, the system automatically makes the Security Rule Combination scroll area unavailable. Users attached to a super user rule have access to all budgets and business units for the event or events you specify on the Apply Rule page. Of the following security events, the only event that makes a distinction between transaction level and budget level is the Budget Override event. The other two must be associated with a Super User rule: Budget Date Override Bypass Budget Budget Override

Field or Control

Description

Attribute

Select one of the following:

Allow: Create a security rule that allows users access to the ChartField combinations that you specify in the Security Rule Combination scroll area, for the business units you specify in the Apply Rule to Business Units scroll area, and the security events that you specify on the Apply Rule page. Users are denied access to any ChartField combinations, security events, and business units that you do not specify, unless they have access through another security rule.
Disallow: Create a security rule that prevents a user from accessing the ChartField combinations that you specify in the Security Rule Combination scroll area for the business units you specify in the Valid Business Units scroll area and the security events that you specify on the Apply Rule page. Users are granted access to any ChartField combinations that you do not specify for the security events and business units that you do specify.
Super User: Create a super user security rule. When you select Super User, the system automatically makes the Security Rule Combination scroll area unavailable. Users attached to a super user rule have access to all budgets and business units for the event or events you specify on the Apply Rule page.
Of the following security events, the only event that makes a distinction between transaction level and budget level is the Budget Override event. The other two must be associated with a Super User rule:
- Budget Date Override
- Bypass Budget
- Budget Override

Field or Control	Description
Rule Type	Select one of the following: Regular: Use when you attach the rule either to a user or to a permission list. Dynamic: Use when you attach the rule to a dynamic rule group.

Field or Control

Description

Rule Type

Select one of the following:

Regular: Use when you attach the rule either to a user or to a permission list.
Dynamic: Use when you attach the rule to a dynamic rule group.

Security Rule Combination

Field or Control	Description
Combination Set	Each combination set represents a budget or range of budgets (depending on the parameters you use to select ChartField values). When you add a new combination set, the system generates a sequential combination set number. When more than one ChartField is being secured in combination with other ChartFields, establish combination sets for a rule as opposed to defining individual rules for each ChartField value or range of ChartField values. To control for multiple ChartFields that are interrelated, create a rule using multiple ChartField Combination Sets. For example, if a user is to have access to the following ChartFields for these specific values: Departments 14000 to 20000 and 30000 to 42000. Funds F200 to F400 and F500. Create the following ChartField Combination Sets for one rule: Rule 1 Combination Set 1. DEPTID 14000 to 20000. FUND F200 to F400. Rule 1 Combination Set 2 DEPTID 14000 to 20000. FUND F500. Rule 1 Combination Set 3 DEPTID 30000 to 42000. FUND F200 to F400. Rule 1 Combination Set 4 DEPTID 30000 to 42000 FUND F500 Do not create separate rules for each ChartField value or range of values. A separate rule for each of the ChartField values or ranges of values in the above example, even if run sequentially, results in user access to unintended budgets. This is because system logic allows update for any row that passes any one rule.

Field or Control

Description

Combination Set

Each combination set represents a budget or range of budgets (depending on the parameters you use to select ChartField values). When you add a new combination set, the system generates a sequential combination set number.

When more than one ChartField is being secured in combination with other ChartFields, establish combination sets for a rule as opposed to defining individual rules for each ChartField value or range of ChartField values. To control for multiple ChartFields that are interrelated, create a rule using multiple ChartField Combination Sets.

For example, if a user is to have access to the following ChartFields for these specific values:

Departments 14000 to 20000 and 30000 to 42000.
Funds F200 to F400 and F500.

Create the following ChartField Combination Sets for one rule:

Rule 1 Combination Set 1.
- DEPTID 14000 to 20000.
- FUND F200 to F400.
Rule 1 Combination Set 2
- DEPTID 14000 to 20000.
- FUND F500.
Rule 1 Combination Set 3
- DEPTID 30000 to 42000.
- FUND F200 to F400.
Rule 1 Combination Set 4
- DEPTID 30000 to 42000
- FUND F500
  Do not create separate rules for each ChartField value or range of values. A separate rule for each of the ChartField values or ranges of values in the above example, even if run sequentially, results in user access to unintended budgets. This is because system logic allows update for any row that passes any one rule.

Budget ChartField Values and Budget ChartField Tree Values

Field or Control	Description
Security Field	Select a key ChartField for the budget or budgets you want to include in the combination set. You specify each ChartField and its value or values on a separate row. The ChartField must be on the list of security fields defined on the Security Field Setup page. This list also includes budget period, ledger group, and ledger. Observe the following rules when adding security ChartFields: When you add a combination set, be careful to include only key ChartFields of the budgets for which the rule is used. You can use budget period with any security rule. However, you can use ledger only with Budget Entry (ENT_ADJT) and Budget Transfer (TRANSFER.) You can use ledger group with any security rule that does not apply to the Budget Entry or Adjustment security event or the Budget Transfer security event. If you include non-key ChartFields in a security rule, the budgets defined by that ChartField combination fails the security rule. The result could be that the security rule grants access to budgets that you did not intend it to or denies it to budgets that you did, depending on whether you selected Allow or Disallow as the attribute. You must include offset accounts among the Account values in a security rule that applies to a balancing Commitment Control ledger group, if the security rule applies to the Budget Entry or Adjustment event or the Budget Transfer event. You enable balancing on the Budget Definitions - Control Budget Options page. You must use ledger group as a security ChartField for the Budget Inquire and Workflow Notification events if you want to enable access to self-service pages.

Field or Control

Description

Security Field

Select a key ChartField for the budget or budgets you want to include in the combination set. You specify each ChartField and its value or values on a separate row.

The ChartField must be on the list of security fields defined on the Security Field Setup page. This list also includes budget period, ledger group, and ledger.

Observe the following rules when adding security ChartFields:

When you add a combination set, be careful to include only key ChartFields of the budgets for which the rule is used.
You can use budget period with any security rule. However, you can use ledger only with Budget Entry (ENT_ADJT) and Budget Transfer (TRANSFER.) You can use ledger group with any security rule that does not apply to the Budget Entry or Adjustment security event or the Budget Transfer security event. If you include non-key ChartFields in a security rule, the budgets defined by that ChartField combination fails the security rule. The result could be that the security rule grants access to budgets that you did not intend it to or denies it to budgets that you did, depending on whether you selected Allow or Disallow as the attribute.
You must include offset accounts among the Account values in a security rule that applies to a balancing Commitment Control ledger group, if the security rule applies to the Budget Entry or Adjustment event or the Budget Transfer event. You enable balancing on the Budget Definitions - Control Budget Options page.
You must use ledger group as a security ChartField for the Budget Inquire and Workflow Notification events if you want to enable access to self-service pages.

Field or Control	Description
Parameters	Select the parameter the system is to use to identify valid ChartField values: Bind: Uses a bind value for the ChartField. This bind value is resolved by the dynamic record that you specify when you attach this rule to a dynamic rule group on the Attach Dynamic Rules page. Note: Any rule that contains a bind parameter should be specified as a dynamic rule type on this page and attached to a dynamic rule group before you run the Commitment Control Security (KSEC_FLAT) process. Explicit: Use to select a single ChartField value, which you enter in the Start field. Range: Use to enter a range of ChartField values. Tree Node: Use to enter a node in the ChartField translation tree, such that the security rule includes all children for that node. When you select Tree Node, you must enter a Tree and a Node on the Budget ChartField Tree Values tab. That tab appears only when you select Tree Node. You can usually use the key ChartField translation trees you set up for defining control budget definitions. Note: If you change the tree used by the rule, you must resave the rule to capture the tree changes and rerun the security build process (KSEC_FLAT). Wild Card: Use standard PeopleSoft wildcard characters to enter a ChartField value or group of values. For example, enter Account 200% to include all accounts starting with 200 (200001 to 200999).

Field or Control

Description

Parameters

Select the parameter the system is to use to identify valid ChartField values:

Bind: Uses a bind value for the ChartField.
This bind value is resolved by the dynamic record that you specify when you attach this rule to a dynamic rule group on the Attach Dynamic Rules page.

Note: Any rule that contains a bind parameter should be specified as a dynamic rule type on this page and attached to a dynamic rule group before you run the Commitment Control Security (KSEC_FLAT) process.
Explicit: Use to select a single ChartField value, which you enter in the Start field.
Range: Use to enter a range of ChartField values.
Tree Node: Use to enter a node in the ChartField translation tree, such that the security rule includes all children for that node.
When you select Tree Node, you must enter a Tree and a Node on the Budget ChartField Tree Values tab. That tab appears only when you select Tree Node.

You can usually use the key ChartField translation trees you set up for defining control budget definitions.

Note: If you change the tree used by the rule, you must resave the rule to capture the tree changes and rerun the security build process (KSEC_FLAT).
Wild Card: Use standard PeopleSoft wildcard characters to enter a ChartField value or group of values.
For example, enter Account 200% to include all accounts starting with 200 (200001 to 200999).

See Assigning Commitment Control Security Rules

See Key ChartFields and Translation Trees.

Field or Control	Description
Allow Intra CF Transfer Only (allow intra ChartField transfer only)	Select to limit budget transfers to budgets that share the same value for the ChartField. For example, if the combination set includes all of the Accounts in the range 100001 to 100010 and you have selected Allow Intra CF Transfer Only for Account, then users assigned to the security rule will be able to transfer budget amounts only between budgets that share in common Account 100001, and between budgets that share in common Account 100002, and so forth. Users are not able to transfer budget amounts between budget for account 100001 and budget for account 100002. When you are using a combination of ChartFields, set up the combination in the same rule. For example, create rule #1 to allow a user to transfer budgets ranging from accounts 100001 to account 100002 but only for department 1234. You create the ability to transfer and the restriction for department 1234 all in rule #1. Do not create a rule for the Account ChartField, then a rule for the Department ChartField. A separate rule for each of the ChartField values or ranges of values, even if run sequentially, results in user access to unintended budgets. This is because system logic allows update for any row that passes any one rule. Note: Use only for security rules that apply to the Budget Transfer security event and use only with a rule attribute of Allow.

Field or Control

Description

Allow Intra CF Transfer Only (allow intra ChartField transfer only)

Select to limit budget transfers to budgets that share the same value for the ChartField.

For example, if the combination set includes all of the Accounts in the range 100001 to 100010 and you have selected Allow Intra CF Transfer Only for Account, then users assigned to the security rule will be able to transfer budget amounts only between budgets that share in common Account 100001, and between budgets that share in common Account 100002, and so forth. Users are not able to transfer budget amounts between budget for account 100001 and budget for account 100002.

When you are using a combination of ChartFields, set up the combination in the same rule. For example, create rule #1 to allow a user to transfer budgets ranging from accounts 100001 to account 100002 but only for department 1234. You create the ability to transfer and the restriction for department 1234 all in rule #1. Do not create a rule for the Account ChartField, then a rule for the Department ChartField.

A separate rule for each of the ChartField values or ranges of values, even if run sequentially, results in user access to unintended budgets. This is because system logic allows update for any row that passes any one rule.

Note: Use only for security rules that apply to the Budget Transfer security event and use only with a rule attribute of Allow.

Apply Rule to Business Units

Apply the rule either to all valid business units or to the business units you specify in the grid.

Use the Budget Security - Apply Rule page (KSEC_RULE_APPLY_TO) to apply the attributes that you defined on the Rule Definition page to one or more security events.

Navigation:

Commitment Control > Define Budget Security > Rule Definitions > Apply Rule

Apply Rule to Security Events

Field or Control	Description
Security Event	Select the security events to which you want the security rule to apply: ENT_ADJT: Budget Entry or Adjustment TRANSFER: Budget Transfers OVERRIDE: Budget Override NOTIFY: Workflow Notification INQUIRE: Budget Inquire BYPASS: Bypass Budget BUDG_DT: Budget Date Override OVERRIDE at the transaction level, or header level as for a complete override of a journal entry, can be done only by a super user. However, overrides at the individual budget level do not have to be associated with a Super User rule. BYPASS, and BUDG_DT are available only if you select Super User as an attribute on the Rule Definition page. Note: A security event need not be active for you to apply security rules to it, but the system only enforces security rules on active security events.

Field or Control

Description

Security Event

Select the security events to which you want the security rule to apply:

ENT_ADJT: Budget Entry or Adjustment
TRANSFER: Budget Transfers
OVERRIDE: Budget Override
NOTIFY: Workflow Notification
INQUIRE: Budget Inquire
BYPASS: Bypass Budget
BUDG_DT: Budget Date Override

OVERRIDE at the transaction level, or header level as for a complete override of a journal entry, can be done only by a super user. However, overrides at the individual budget level do not have to be associated with a Super User rule.

BYPASS, and BUDG_DT are available only if you select Super User as an attribute on the Rule Definition page.

Note: A security event need not be active for you to apply security rules to it, but the system only enforces security rules on active security events.

See Security Events.

Field or Control	Description
	Click to see a discussion of why you should or should not include ledger group as a security field for this event. You enter security fields in the ChartField column on the Rule Definition page.

Applicable Modules for Budget Date Event

Available only when you select the BUDG_DT (budget date override) Security Event.

Field or Control	Description
All Modules	Click to allow budget date override for all feeder application modules.
Specify Modules	Click to specify which feeder application modules allow budget date override. Enter selections in the Module field.

Applicable Source Transactions for Override Event

Available only when you select the OVERRIDE (budget override) Security Event.

Field or Control	Description
All Source Transactions	Click to allow transaction override for all source transaction types.
Specify Source Transactions	Click to specify which source transaction types allow budget checking overrides. Enter selections in the Source Transaction Type fields.

Note: Selecting Do not Allow Override as the Override Budget Checking option for a source transaction type on the Source Transactions - Options page is only effective if the override event is inactive within commitment control security.

Setting Up Commitment Control Security Rules

Pages Used to Define Security Rules

Budget Security - Rule Definition Page

Security Rule Combination

Budget ChartField Values and Budget ChartField Tree Values

Apply Rule to Business Units

Budget Security - Apply Rule Page

Apply Rule to Security Events

Applicable Modules for Budget Date Event

Applicable Source Transactions for Override Event